The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.
A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.
FIPS is a property of the encryption system, not of the access control system. However, if your environment requires FIPS-compliant encryption and access control, you must ensure that the access control system uses only FIPS-compliant encryption.
MongoDB's FIPS support covers the way that MongoDB uses SSL/TLS libraries for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
FIPS mode is only available with MongoDB Enterprise edition. See Install MongoDB Enterprise to download and install MongoDB Enterprise.
FIPS mode is supported on the following platforms:
Platform | TLS/SSL library |
---|---|
Linux | OpenSSL |
Windows | Secure Channel (SChannel) |
macOS | Secure Transport |
Select the section below for your platform:
Your Linux system must have an OpenSSL library configured with the FIPS 140-2 module in order to support FIPS mode for MongoDB.
Verify that your OpenSSL software includes FIPS support by running the following command:
openssl version
For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be at least version openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the OpenSSL library on these platforms, run the following command:
sudo yum update openssl
Some versions of Linux periodically execute a process to prelink dynamic libraries with pre-assigned addresses. This process modifies the OpenSSL libraries, specifically libcrypto. The OpenSSL FIPS mode will subsequently fail the signature check performed upon startup to ensure libcrypto has not been modified since compilation.
To configure the Linux prelink process to not prelink libcrypto, run the following command:
sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf"
Once you have configured your Linux system to support FIPS-compliant operation, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
net:
  tls:
    FIPSMode: true
Although still available, net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
net:
  ssl:
    FIPSMode: true
Check the server log file for a message that FIPS is active:
FIPS 140-2 mode activated
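As an added example (not from the MongoDB documentation), the following POSIX shell script checks the four conditions the Linux steps above rely on before a mongod or mongos is started in FIPS mode: that the output of `openssl version` advertises FIPS support, that prelink excludes libcrypto, that the configuration file enables net.tls.FIPSMode (reporting the deprecated net.ssl.FIPSMode form separately), and that the server log records the activation message. The sample configuration, prelink file, log line and version string it builds are constructed for illustration, and the version string check is a heuristic that matches the OpenSSL 1.0.x builds named on this page.

```shell
#!/bin/sh
# Added example, not part of the MongoDB docs: pre-flight checks for a Linux
# host that will run mongod/mongos in FIPS mode. Every check is a function
# that takes an explicit input, so it can be run against real files or the
# constructed samples in fips_preflight_demo.

# Returns 0 if the output of `openssl version` advertises FIPS support, as the
# "-fips" suffix of the RHEL 6 openssl-1.0.1e builds does; 1 otherwise.
# (Heuristic matching this page's advice for OpenSSL 1.0.x; newer OpenSSL
# releases report FIPS provider status differently.)
openssl_reports_fips() {
  case "$1" in
    *[Ff][Ii][Pp][Ss]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the prelink configuration file contains the exclusion line
# this page adds, so prelink leaves libcrypto alone and the OpenSSL start-up
# signature check can pass.
prelink_excludes_libcrypto() {
  [ -f "$1" ] && grep -q -e '^-b /usr/lib64/libcrypto\.so\.\*' "$1"
}

# Inspects a mongod/mongos YAML configuration file. Exit status:
#   0 - net.tls.FIPSMode: true is set (MongoDB 4.2+ form)
#   2 - only the deprecated net.ssl.FIPSMode: true form is set
#   1 - FIPS mode is not enabled
# The awk program follows indentation: a top-level "net:" key, a "tls:" or
# "ssl:" child beneath it, and a more deeply indented "FIPSMode: true".
config_enables_fips() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *#/ || /^ *$/ { next }
    {
      ind = indent($0)
      if (ind == 0) { top = $0; sect = ""; sect_ind = 0; next }
      if (top !~ /^net:/) next
      if (sect == "" || ind <= sect_ind) {
        if ($0 ~ /^ +(tls|ssl):/) sect = $0; else sect = ""
        sect_ind = ind
        next
      }
      if ($0 ~ /^ +FIPSMode: *true *$/) {
        if (sect ~ /tls:/) found = 1
        if (sect ~ /ssl:/) deprecated = 1
      }
    }
    END { if (found) exit 0; if (deprecated) exit 2; exit 1 }
  ' "$1"
}

# Returns 0 if the server log records FIPS activation. The same message
# appears in the plain-text logs of 4.2 and earlier and the JSON logs of 4.4+.
log_shows_fips_active() {
  grep -q 'FIPS 140-2 mode activated' "$1"
}

# Runs every check against constructed sample files and prints a report.
# On a real host, feed in `openssl version`, /etc/prelink.conf.d/openssl-prelink.conf,
# the mongod/mongos config file and the server log instead.
fips_preflight_demo() {
  tmp=$(mktemp -d)
  printf 'net:\n  tls:\n    mode: requireTLS\n    FIPSMode: true\n' > "$tmp/mongod.conf"
  printf -- '-b /usr/lib64/libcrypto.so.*\n' > "$tmp/openssl-prelink.conf"
  printf '{"t":{"$date":"2024-01-01T00:00:00.000Z"},"s":"I","c":"CONTROL","msg":"FIPS 140-2 mode activated"}\n' > "$tmp/mongod.log"
  sample_version='OpenSSL 1.0.1e-fips 11 Feb 2013'   # constructed sample output

  if openssl_reports_fips "$sample_version"; then echo "PASS: OpenSSL build advertises FIPS"; else echo "FAIL: OpenSSL build lacks FIPS"; fi
  if prelink_excludes_libcrypto "$tmp/openssl-prelink.conf"; then echo "PASS: prelink excludes libcrypto"; else echo "FAIL: prelink may modify libcrypto"; fi
  rc=0; config_enables_fips "$tmp/mongod.conf" || rc=$?
  case $rc in
    0) echo "PASS: net.tls.FIPSMode is true" ;;
    2) echo "WARN: only the deprecated net.ssl.FIPSMode is set" ;;
    *) echo "FAIL: FIPS mode is not enabled in the config" ;;
  esac
  if log_shows_fips_active "$tmp/mongod.log"; then echo "PASS: log shows FIPS 140-2 mode activated"; else echo "FAIL: no FIPS activation message in log"; fi
  rm -rf "$tmp"
}

fips_preflight_demo
```

The configuration check deliberately distinguishes the 4.2+ net.tls.FIPSMode form from the deprecated net.ssl.FIPSMode form, so a host that still enables FIPS through the old key is reported as a warning to clean up rather than as a failure.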
Microsoft provides the following resource on configuring FIPS mode for Windows 10 and Windows Server 2016 or later:
➤ FIPS 140-2 Validation on Windows
Once you have configured your Windows system to support FIPS-compliant operation, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
net:
  tls:
    FIPSMode: true
Although still available, net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
net:
  ssl:
    FIPSMode: true
Check the server log file for a message that FIPS is active:
FIPS 140-2 mode activated
Supported versions of macOS are FIPS-compliant by default. Check the documentation for your version of macOS to verify its compliance status. For example, Apple provides the following resource for macOS 10.14:
➤ Apple FIPS Cryptographic Modules for 10.14
On compliant versions of macOS, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
net:
  tls:
    FIPSMode: true
Although still available, net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
net:
  ssl:
    FIPSMode: true
Check the server log file for a message that FIPS is active:
FIPS 140-2 mode activated
Starting in MongoDB 5.1, instances running in FIPS mode have the SCRAM-SHA-1 authentication mechanism disabled by default. You can enable the SCRAM-SHA-1 authentication mechanism with the setParameter.authenticationMechanisms command.
This change will not affect drivers which target MongoDB setFeatureCompatibilityVersion 4.0+.
Starting in version 4.2, MongoDB removes the --sslFIPSMode option for the following programs:
The programs will use FIPS-compliant connections to mongod/mongos if the mongod/mongos instances are configured to use FIPS mode.
If you use SCRAM-SHA-1 and you use FIPS mode, then instead of SCRAM-SHA-1 use: