Configure MongoDB for FIPS
Overview
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.
A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.
Important
MongoDB and FIPS
FIPS is property of the encryption system and not the access control system. However, if your environment requires FIPS compliant encryption and access control, you must ensure that the access control system uses only FIPS-compliant encryption.
MongoDB's FIPS support covers the way that MongoDB uses SSL/TLS libraries for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.
Note
MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
Platform Support
FIPS mode is only available with MongoDB Enterprise edition. See Install MongoDB Enterprise to download and install MongoDB Enterprise.
FIPS mode is supported on the following platforms:
| Platform | TLS/SSL library |
|---|---|
| Linux | OpenSSL |
| Windows | Secure Channel (SChannel) |
| macOS | Secure Transport |
OpenSSL3 Support
Starting in MongoDB 6.0.7, FIPS mode supports OpenSSL3 for the following operating systems:
-
Ubuntu 22.04
-
RHEL 9
-
Amazon Linux 2023
Configuring FIPS
Select the tab below for your platform:
Additional Considerations
SCRAM SHA and FIPS Mode
Starting in MongoDB 5.1, instances running in FIPS mode have the SCRAM-SHA-1 authentication mechanism disabled by default. You can enable the SCRAM-SHA-1 authentication mechanism with the setParameter.authenticationMechanisms command.
This change will not affect drivers which target MongoDB setFeatureCompatibilityVersion 4.0+.
If you use SCRAM-SHA-1:
-
md5 is necessary but is not used for cryptographic purposes, and
-
if you use FIPS mode, then instead of SCRAM-SHA-1 use:
Database Tools and FIPS Mode
Starting in MongoDB 4.2, the following programs no longer support the --sslFIPSMode option:
mongod, mongos, and FIPS Mode
If you configure mongod and mongos to use FIPS mode, mongod and mongos use FIPS-compliant connections.
MongoDB Shell and FIPS Mode
The default MongoDB Shell distribution:
-
Contains OpenSSL 1.1.
-
Uses FIPS-compliant connections to
mongodandmongosif you configuremongodandmongosto use FIPS mode.
MongoDB also provides a MongoDB Shell distribution that can use:
-
OpenSSL 1.1 and OpenSSL 3 installed on your server.
-
--tlsFIPSModeoption, which enables themongoshFIPS mode.
Tip
See also:
-
To download MongoDB Shell distributions that contain OpenSSL 1.1 and OpenSSL 3, go to the MongoDB Download Center.