diff --git a/source/includes/steps-fips-config.yaml b/source/includes/steps-fips-config.yaml new file mode 100644 index 00000000000..6c7133d8cf5 --- /dev/null +++ b/source/includes/steps-fips-config.yaml @@ -0,0 +1,27 @@ +title: + text: Change configuration file. + character: "`" +stepnum: 1 +pre: | + To configure your :program:`mongod` or :program:`mongos` instance to use + FIPS mode, shut down the instance and update the configuration file with + the following setting: +ref: "change-config-file" +action: + language: yaml + code: | + net: + ssl: + FIPSMode: true +--- +title: + text: "Start :program:`mongod` or :program:`mongos` instance with configuration file." + character: "`" +stepnum: 2 +ref: "start-service-config-file" +pre: "For example, run this command to start the :program:`mongod` instance with its configuration file:" +action: + language: javascript + code: | + mongod --config /etc/mongodb.conf +... \ No newline at end of file diff --git a/source/tutorial/configure-fips.txt b/source/tutorial/configure-fips.txt new file mode 100644 index 00000000000..a3828191e35 --- /dev/null +++ b/source/tutorial/configure-fips.txt 
@@ -0,0 +1,71 @@ +========================== +Configure MongoDB for FIPS +========================== + +.. default-domain:: mongodb + +.. versionadded:: 2.6 + +Overview +-------- + +The Federal Information Processing Standard (FIPS) is a U.S. government +computer security standard used to certify software modules and libraries +that encrypt and decrypt data securely. You can configure MongoDB to run +with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by +default or as needed from the command line. + +Prerequisites +------------- + +Only the `MongoDB Enterprise`_ version supports FIPS mode. + +Your system must have an OpenSSL library configured with the FIPS 140-2 +module before you can run your :program:`mongod` or :program:`mongos` in +FIPS mode. + +For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as +CentOS 6.x, the OpenSSL toolkit must be at least +``openssl-1.0.1e-16.el6_5`` to use FIPS mode. To upgrade the toolkit +for these platforms, issue the following command: + +.. code-block:: sh + + sudo yum update openssl + +Some versions of Linux periodically execute a process to `prelink` dynamic +libraries with pre-assigned addresses. This process modifies the OpenSSL +libraries, specifically ``libcrypto``. The OpenSSL FIPS mode will +subsequently fail the signature check performed upon startup to ensure +``libcrypto`` has not been modified since compilation. + +To configure the Linux prelink process to not prelink ``libcrypto``: + +.. code-block:: sh + + sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf" + +.. _`MongoDB Enterprise`: http://www.mongodb.com/products/mongodb-enterprise + +Procedure +--------- + +Configure MongoDB to use SSL +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +See :doc:`/tutorial/configure-ssl` for details about configuring OpenSSL. 
+ +Run ``mongod`` or ``mongos`` instance in FIPS mode +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Perform these steps after you :doc:`/tutorial/configure-ssl`. + +.. include:: /includes/steps/fips-config.rst + +For more information about configuration files, see +:doc:`/reference/configuration-options`. + +Confirm FIPS mode is running +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Check the server log file for a message FIPS 140-2 is active. diff --git a/source/tutorial/configure-ssl.txt b/source/tutorial/configure-ssl.txt index 634d932cf8f..ac085aea3c6 100644 --- a/source/tutorial/configure-ssl.txt +++ b/source/tutorial/configure-ssl.txt @@ -247,25 +247,6 @@ information on SSL connections for clients. All connections, including those that have not presented certificates are encrypted using SSL. -Run in FIPS Mode ----------------- - -`MongoDB Enterprise`_ supports running in FIPS mode. - -If your :program:`mongod` or :program:`mongos` is running on a system -with an OpenSSL library configured with the FIPS 140-2 module, you can -run :program:`mongod` or :program:`mongos` in FIPS mode, with the -:setting:`~net.ssl.FIPSMode` setting. - -For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as -CentOS 6.x, the OpenSSL toolkit must be at least -``openssl-1.0.1e-16.el6_5`` to run in FIPS mode. To upgrade the toolkit -for these platforms, issue the following command: - -.. code-block:: javascript - - yum update openssl - .. _ssl-certificate-password: SSL Certificate Passphrase @@ -296,3 +277,11 @@ passphrase as necessary. run :program:`mongod` or :program:`mongos` in a non-interactive session (e.g. without a terminal or as a service on Windows), you cannot use the passphrase prompt option. + +.. _ssl-run-fips-mode: + +Run in FIPS Mode +---------------- + +See :doc:`/tutorial/configure-fips` for more details. +
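Review bot: in steps-fips-config.yaml, step 2 tags `mongod --config /etc/mongodb.conf` as `language: javascript`; it is a shell command, so use `language: sh`, the same tag the new tutorial uses for its `yum` and `prelink` snippets. The file also ends without a trailing newline (`\ No newline at end of file`). Step 1 correctly tells the reader to shut the instance down before editing, but the setting appears only inside the YAML snippet; a :setting:`~net.ssl.FIPSMode` reference in the `pre:` text would restore the link to the option reference that the deleted configure-ssl section used to provide.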
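Review bot: the "Confirm FIPS mode is running" section of configure-fips.txt is too vague to act on: "Check the server log file for a message FIPS 140-2 is active" should quote the exact log line the server emits and say where the log goes (the `systemLog` destination or default log path), and it needs "that" before "FIPS 140-2". Two further gaps in the same file: the Overview says FIPS can be enabled "as needed from the command line", but the Procedure documents only the configuration-file path, so either add the command-line option or drop the claim; and the prelink fix only prevents future prelinking, so a host whose `libcrypto` has already been prelinked will still fail the startup signature check the text describes until that prelink is undone (`prelink -u` on the library), which the Prerequisites should state. Minor: "Perform these steps after you :doc:`/tutorial/configure-ssl`." substitutes the page title for a verb phrase; rewrite as "after you have completed :doc:`/tutorial/configure-ssl`".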
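Review bot: the removed "Run in FIPS Mode" section in configure-ssl.txt was the only prose cross-reference to :setting:`~net.ssl.FIPSMode`; the replacement tutorial shows the key only inside a YAML snippet, so the setting's reference entry loses its inbound link unless configure-fips.txt adds one. The removal itself is sound (the old `.. code-block:: javascript` on `yum update openssl` and the missing `sudo` are both corrected in the new page), but any other page that linked to the removed section by title needs to be repointed at the new `ssl-run-fips-mode` label.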
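Review bot: the new stub section at the end of configure-ssl.txt says "See :doc:`/tutorial/configure-fips` for more details", but the section carries no details of its own, so "more" is misleading; a one-line summary (Enterprise only, requires an OpenSSL library with the FIPS 140-2 module, enabled with the `FIPSMode` setting) followed by the link would tell readers of this page whether to follow it. The hunk also adds a trailing blank `+` line after the link, leaving a stray empty line at end of file.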