Document SSL FIPS mode usage

source/includes/steps-fips-config.yaml

@@ -0,0 +1,27 @@
+title:
+  text: Change configuration file.
+  character: "`"
+stepnum: 1
+pre: |
+  To configure your :program:`mongod` or :program:`mongos` instance to use
+  FIPS mode, shut down the instance and update the configuration file with
+  the following setting:
+ref: "change-config-file"
+action:
+  language: yaml
+  code: |
+     net:
+        ssl:
+           FIPSMode: true
+---
+title:
+  text: "Start :program:`mongod` or :program:`mongos` instance with configuration file."
+  character: "`"
+stepnum: 2
+ref: "start-service-config-file"
+pre: "For example, run this command to start the  :program:`mongod` instance with its configuration file:"
+action:
+  language: javascript
+  code: |
+     mongod --config /etc/mongodb.conf
+...

source/tutorial/configure-fips.txt

@@ -0,0 +1,71 @@
+==========================
+Configure MongoDB for FIPS
+==========================
+
+.. default-domain:: mongodb
+
+.. versionadded:: 2.6
+
+Overview
+--------
+
+The Federal Information Processing Standard (FIPS) is a U.S. government
+computer security standard used to certify software modules and libraries
+that encrypt and decrypt data securely. You can configure MongoDB to run
+with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by
+default or as needed from the command line.
+
+Prerequisites
+-------------
+
+Only the `MongoDB Enterprise`_ version supports FIPS mode.
+
+Your system must have an OpenSSL library configured with the FIPS 140-2
+module before you can run your :program:`mongod` or :program:`mongos` in
+FIPS mode.
+
+For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as
+CentOS 6.x, the OpenSSL toolkit must be at least
+``openssl-1.0.1e-16.el6_5`` to use FIPS mode. To upgrade the toolkit
+for these platforms, issue the following command:
+
+.. code-block:: sh
+
+   sudo yum update openssl
+
+Some versions of Linux periodically execute a process to `prelink` dynamic
+libraries with pre-assigned addresses. This process modifies the OpenSSL
+libraries, specifically ``libcrypto``. The OpenSSL FIPS mode will
+subsequently fail the signature check performed upon startup to ensure
+``libcrypto`` has not been modified since compilation.
+
+To configure the Linux prelink process to not prelink ``libcrypto``:
+
+.. code-block:: sh
+
+   sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf"
+
+.. _`MongoDB Enterprise`: http://www.mongodb.com/products/mongodb-enterprise
+
+Procedure
+---------
+
+Configure MongoDB to use SSL
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+See :doc:`/tutorial/configure-ssl` for details about configuring OpenSSL.
+
+Run ``mongod`` or ``mongos`` instance in FIPS mode
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Perform these steps after you :doc:`/tutorial/configure-ssl`.
+
+.. include:: /includes/steps/fips-config.rst
+
+For more information about configuration files, see
+:doc:`/reference/configuration-options`.
+
+Confirm FIPS mode is running
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Check the server log file for a message FIPS 140-2 is active.

source/tutorial/configure-ssl.txt

@@ -247,25 +247,6 @@ information on SSL connections for clients.
    All connections, including those that have not presented
    certificates are encrypted using SSL.
 
-Run in FIPS Mode
-----------------
-
-`MongoDB Enterprise`_ supports running in FIPS mode.
-
-If your :program:`mongod` or :program:`mongos` is running on a system
-with an OpenSSL library configured with the FIPS 140-2 module, you can
-run :program:`mongod` or :program:`mongos` in FIPS mode, with the
-:setting:`~net.ssl.FIPSMode` setting.
-
-For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as
-CentOS 6.x, the OpenSSL toolkit must be at least
-``openssl-1.0.1e-16.el6_5`` to run in FIPS mode. To upgrade the toolkit
-for these platforms, issue the following command:
-
-.. code-block:: javascript
-
-   yum update openssl
-
 .. _ssl-certificate-password:
 
 SSL Certificate Passphrase
@@ -296,3 +277,11 @@ passphrase as necessary.
    run :program:`mongod` or :program:`mongos` in a non-interactive
    session (e.g. without a terminal or as a service on Windows),
    you cannot use the passphrase prompt option.
+
+.. _ssl-run-fips-mode:
+
+Run in FIPS Mode
+----------------
+
+See :doc:`/tutorial/configure-fips` for more details.
+