
FIPS 140-3 Compliance Support in Government Cloud

Configure Mule runtime engine (Mule) to run in a Federal Information Processing Standard (FIPS) 140-3 certified environment in MuleSoft Government Cloud.

Mule doesn’t run in FIPS security mode by default. To enable it, you must:

  • Install a certified cryptography module in your Java environment.

  • Adjust Mule runtime settings to run in FIPS security mode.

Follow the migration path that matches your scenario: Migrating from FIPS 140-2 to FIPS 140-3 if you already run in FIPS 140-2 mode, or Migrating from Non-FIPS to FIPS 140-3 if you run in standard mode.

Compatibility

FIPS 140-3 support in MuleSoft Government Cloud requires:

  • Mule runtime engine 4.9 (Government Cloud supported version)

  • Java 17 or later

  • FIPS license from the license .zip file provided by MuleSoft (the non-FIPS license isn’t valid for FIPS mode)

Assumptions

This document assumes you are familiar with FIPS 140-3, the US government security standard that requires compliant parties to use only cryptographic algorithms and techniques certified by NIST.

These instructions use Bouncy Castle 2.0.0, the recommended FIPS 140-3 certified security provider for Mule runtime. If you use a different certified security provider, refer to that provider’s documentation for configuration instructions.

Migrating from FIPS 140-2 to FIPS 140-3

If you are currently running Mule in FIPS 140-2 mode and want to move to FIPS 140-3, apply these cipher and configuration changes.

Cipher and Protocol Changes

  • TLS and cipher suites:
    FIPS 140-3 requires support for TLS 1.3 and TLS 1.2. Earlier TLS versions aren’t supported. Use only the FIPS 140-3 compliant cipher suites listed in the FIPS 140-3 Compliant Cipher Suites section. Remove or replace any custom TLS or cipher configuration that references FIPS 140-2-only or non–FIPS 140-3 cipher suites.

  • Configuration file:
    FIPS 140-3 uses the $MULE_HOME/conf/tls-fips140-3.conf file for TLS cipher configuration. Ensure your runtime uses this file and that you have removed or replaced references to any FIPS 140-2 TLS configuration file.

Security Provider and Java Configuration

  • Bouncy Castle version:
    Replace the FIPS 140-2 Bouncy Castle provider (typically 1.x FIPS) with Bouncy Castle 2.0.0 FIPS. Install the JARs listed in Installing Bouncy Castle Security Provider and update java.security to use BouncyCastleFipsProvider and BouncyCastleJsseProvider as shown there.

  • KeyManagerFactory and TrustManagerFactory:
    In $JAVA_HOME/conf/security/java.security, set:

    ssl.KeyManagerFactory.algorithm=PKIX
    ssl.TrustManagerFactory.algorithm=PKIX

Runtime Configuration (wrapper.conf)

  • Security model:
    Change the Mule security model from FIPS 140-2 to FIPS 140-3:

    # Enable FIPS 140-3 security mode (replace fips140-2)
    wrapper.java.additional.<n>=-Dmule.security.model=fips140-3

  • Approved-only mode:
    Add this property, or confirm that it is already present:

    wrapper.java.additional.<n>=-Dorg.bouncycastle.fips.approved_only=true

  • Java 17+ module access:
    Add:

    wrapper.java.additional.<n>=--add-opens=java.base/sun.security.provider=org.bouncycastle.fips.core

Keystore Format

  • BCFKS:
    FIPS 140-3 requires keystores and truststores in BCFKS format. If you are still using PKCS12 or JKS from your FIPS 140-2 setup, convert them to BCFKS using the steps in FIPS 140-3 Compliant Keystore Formats. Update all TLS contexts in your Mule apps to reference the new keystores and set type="bcfks".

Connectors and Post-Migration

  • Use only connectors tagged as fips-140-3-verified in Anypoint Exchange. Replace or remove connectors that are only verified for FIPS 140-2.

  • Restart Mule after all changes and confirm in startup logs that FIPS 140-3 security mode is enabled.

Migrating from Non-FIPS to FIPS 140-3

If you are running Mule in standard (non-FIPS) mode and need to move directly to FIPS 140-3, complete these steps.

Prerequisites

  • Mule runtime engine 4.9

  • Java 17 or later

  • A FIPS license from the license .zip file provided by MuleSoft.

Steps

  1. Install the FIPS 140-3 certified cryptography provider:
    Follow Installing Bouncy Castle Security Provider to install Bouncy Castle 2.0.0 FIPS and configure java.security (providers and ssl.KeyManagerFactory.algorithm / ssl.TrustManagerFactory.algorithm).

  2. Configure Mule for FIPS 140-3 mode:
    In $MULE_HOME/conf/wrapper.conf, add the properties described in Running Mule in FIPS Security Mode (mule.security.model=fips140-3, org.bouncycastle.fips.approved_only=true, and the --add-opens option). For Mule 4.9, set the keystore type explicitly:

    wrapper.java.additional.<n>=-Dmule.keystore.type=BCFKS

  3. Convert keystores and truststores to BCFKS:
    Standard Mule setups often use PKCS12 or JKS. Convert all keystores and truststores used by your applications to BCFKS using the procedure in FIPS 140-3 Compliant Keystore Formats.

  4. Update TLS configuration in Mule apps:
    In your Mule configuration files, update every tls:context to use the new BCFKS keystores and truststores with type="bcfks" as shown in FIPS 140-3 Compliant Keystore Formats.

  5. Remove non-compliant cipher and protocol usage:
    Don’t configure custom cipher suites or TLS versions that aren’t FIPS 140-3 compliant. Rely on the default FIPS 140-3 cipher suites (see FIPS 140-3 Compliant Cipher Suites) and ensure no connectors or custom code force non-approved algorithms.

  6. Verify connector compliance:
    Only use connectors tagged as fips-140-3-verified in Anypoint Exchange. Replace or remove any connector that isn’t FIPS 140-3 verified (see Connectors Compatibility).

  7. Restart Mule and validate:
    Save all changes, restart Mule, and confirm in startup logs that FIPS 140-3 security mode is enabled. Test connectivity and integrations that use TLS and cryptography.

Installing Bouncy Castle Security Provider

Mule runtime uses Bouncy Castle 2.0.0 as its FIPS 140-3 certified cryptography provider.

Installation Steps

These instructions show how to install and configure the Bouncy Castle security provider with Java 17 or later.

  1. Verify that you are using Java 17 or later and JAVA_HOME is set.

  2. Download the Bouncy Castle 2.0.0 provider files from the Bouncy Castle website.

  3. Copy the required JAR files to the $MULE_HOME/lib/boot folder:

    bc-fips-2.0.0.jar
    bctls-fips-2.0.19.jar
    bcpkix-fips-2.0.7.jar
    bcutil-fips-2.0.3.jar
    bcpg-fips-2.0.9.jar
    bcjmail-fips-2.0.5.jar

  4. Configure the security providers in the $JAVA_HOME/conf/security/java.security file:

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
    security.provider.3=SUN

  5. Configure the key manager and trust manager algorithms in the same java.security file:

    ssl.KeyManagerFactory.algorithm=PKIX
    ssl.TrustManagerFactory.algorithm=PKIX

Running Mule in FIPS Security Mode

After installing the Bouncy Castle provider, configure Mule to run in FIPS 140-3 mode:

  1. Open your wrapper.conf file (located in $MULE_HOME/conf).

  2. Add these properties. Replace <n> with the next sequential number in your file:

    # Enable FIPS 140-3 security mode
    wrapper.java.additional.<n>=-Dmule.security.model=fips140-3
    
    # Enable Bouncy Castle approved-only mode
    wrapper.java.additional.<n>=-Dorg.bouncycastle.fips.approved_only=true
    
    # Required for Java 17+ module access
    wrapper.java.additional.<n>=--add-opens=java.base/sun.security.provider=org.bouncycastle.fips.core
    
    # For Mule 4.9: set keystore type to BCFKS
    wrapper.java.additional.<n>=-Dmule.keystore.type=BCFKS

  3. If you are using a clustered environment, also add the cluster encryption key:

    wrapper.java.additional.<n>=-Dmule.cluster.network.encryption.key={your-encryption-key}

  4. Save your changes and start Mule runtime.

When Mule launches, the startup logs show that FIPS 140-3 security mode is enabled. Mule automatically restricts protocol negotiations to use only approved cryptographic cipher suites.
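Before restarting, it is worth checking wrapper.conf mechanically rather than by eye. The following script is an added example, not MuleSoft's code: it verifies that every property from the procedure above is present, that no fips140-2 model is left behind, and that no two lines reuse the same wrapper.java.additional.<n> index (a reused index silently loses one of the two arguments). The two sample configuration files are constructed for the demo.

```shell
# Added example (not MuleSoft's code): audit a wrapper.conf for the FIPS 140-3 JVM
# properties this page requires and for colliding wrapper.java.additional.<n>
# indexes. The two sample files at the end are constructed for the demo.
REQUIRED_PROPS='-Dmule.security.model=fips140-3
-Dorg.bouncycastle.fips.approved_only=true
--add-opens=java.base/sun.security.provider=org.bouncycastle.fips.core
-Dmule.keystore.type=BCFKS'

# Print the value of every uncommented wrapper.java.additional.<n> line.
additional_values() { sed -n 's/^wrapper\.java\.additional\.[0-9][0-9]*=//p' "$1"; }

# check_fips_wrapper_conf FILE: returns 0 if FILE passes every check, 1 otherwise.
check_fips_wrapper_conf() {
  conf="$1"; rc=0
  for prop in $REQUIRED_PROPS; do   # values contain no whitespace; word-splitting is safe
    if ! additional_values "$conf" | grep -Fqx -- "$prop"; then
      echo "MISSING: $prop"; rc=1
    fi
  done
  # A leftover 140-2 model must go, whichever index it sits on.
  if additional_values "$conf" | grep -Fqx -- '-Dmule.security.model=fips140-2'; then
    echo "LEFTOVER: mule.security.model is still fips140-2"; rc=1
  fi
  # Two lines with the same <n> collide and one of the arguments is silently lost.
  dups=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$conf" | sort | uniq -d)
  if [ -n "$dups" ]; then echo "DUPLICATE index:" $dups; rc=1; fi
  return $rc
}

# Constructed samples: one correct file, one half-migrated file.
WORK=$(mktemp -d)
cat >"$WORK/good.conf" <<'EOF'
wrapper.java.additional.20=-Dmule.security.model=fips140-3
wrapper.java.additional.21=-Dorg.bouncycastle.fips.approved_only=true
wrapper.java.additional.22=--add-opens=java.base/sun.security.provider=org.bouncycastle.fips.core
wrapper.java.additional.23=-Dmule.keystore.type=BCFKS
EOF
cat >"$WORK/bad.conf" <<'EOF'
# 140-3 line added without removing the old one, index 21 reused, no --add-opens
wrapper.java.additional.20=-Dmule.security.model=fips140-2
wrapper.java.additional.20=-Dmule.security.model=fips140-3
wrapper.java.additional.21=-Dorg.bouncycastle.fips.approved_only=true
wrapper.java.additional.21=-Dmule.keystore.type=BCFKS
EOF
for f in good bad; do
  check_fips_wrapper_conf "$WORK/$f.conf" && echo "$f.conf: OK" || echo "$f.conf: FAIL"
done
```

Run it against $MULE_HOME/conf/wrapper.conf; the cluster encryption key property is deliberately not in the required list because it applies only to clustered deployments.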

Not all connectors are FIPS 140-3 compliant. Only connectors tagged as fips-140-3-verified in Anypoint Exchange are certified for use in FIPS 140-3 environments. Always verify compliance in Exchange before deploying.

FIPS 140-3 Compliant Cipher Suites

These cipher suites are enabled by default when running Mule in FIPS 140-3 mode. Use these when planning or validating migrations from FIPS 140-2 or non-FIPS runtimes.

TLS 1.3 Cipher Suites

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA256

TLS 1.2 Cipher Suites

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

These cipher suites are configured in the $MULE_HOME/conf/tls-fips140-3.conf file. FIPS 140-3 requires support for TLS 1.3 and TLS 1.2. Earlier TLS versions aren’t supported.

FIPS 140-3 Compliant Keystore Formats

Keystores or truststores in Mule apps are often formatted as PKCS12 or JKS. These formats aren’t FIPS compliant. For compliance, convert them to BCFKS format:

  1. Download the bc-fips-2.0.0.jar file from the Bouncy Castle website.

  2. Use this example command to convert a keystore to BCFKS format:

    BC_FIPS_JAR=${BC_PATH}/bc-fips-2.0.0.jar  # Replace with a correct path
    OLD_KEYSTORE="keystore.jks"               # Replace with the keystore to convert
    OLD_PASSWD="changeit"                     # Replace with the keystore password
    NEW_KEYSTORE="keystore.bcfks"             # Replace with the new keystore
    NEW_PASSWD="changeit"                     # Replace with the new keystore password

    keytool -importkeystore \
     -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
     -providerpath ${BC_FIPS_JAR} \
     -srckeystore  ${OLD_KEYSTORE}   -srcstoretype JKS       -srcstorepass ${OLD_PASSWD} \
     -destkeystore ${NEW_KEYSTORE}   -deststoretype BCFKS    -deststorepass ${NEW_PASSWD}

    If the source keystore is PKCS12, set -srcstoretype to PKCS12 in the keytool command.

  3. Update the TLS configuration in your Mule configuration file to use the new keystore or truststore:

<tls:context>
	<tls:key-store   type="bcfks" path="server.bcfks" password="changeit" keyPassword="changeit" alias="default" />
	<tls:trust-store type="bcfks" path="client.bcfks" password="changeit" />
</tls:context>
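Finding every store that still needs conversion is the error-prone part of this step. The following script is an added example, not MuleSoft's code: keystore_kind classifies a store file by its header (JKS and JCEKS have fixed magic numbers; PKCS12 and BCFKS are both DER, so those need keytool -list to tell apart), and audit_tls_contexts lists tls:key-store and tls:trust-store elements that do not declare type="bcfks". The store files and the Mule configuration snippet are constructed for the demo.

```shell
# Added example (not MuleSoft's code): inventory a Mule project for stores that
# are not yet BCFKS. keystore_kind reads the file header (JKS and JCEKS carry
# fixed magic numbers; PKCS12 and BCFKS are both DER, so they need keytool to tell
# apart). audit_tls_contexts lists tls:key-store / tls:trust-store elements that
# do not declare type="bcfks". All sample files are constructed for the demo.

# keystore_kind FILE: prints JKS, JCEKS, DER (PKCS12 or BCFKS) or UNKNOWN.
keystore_kind() {
  case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
    feedfeed) echo JKS ;;
    cececece) echo JCEKS ;;
    30*)      echo DER ;;     # confirm with: keytool -list -storetype BCFKS -keystore "$1"
    *)        echo UNKNOWN ;;
  esac
}

# audit_tls_contexts FILE: prints every store element without type="bcfks" and
# returns 1 if any were found. An element with no type attribute is listed too,
# so the reviewer confirms the store is BCFKS instead of relying on a default.
audit_tls_contexts() {
  bad=$(grep -Eo '<tls:(key|trust)-store[^>]*>' "$1" | grep -iv 'type="bcfks"')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Constructed samples: a JKS header, a DER header, and a config with two legacy stores.
WORK=$(mktemp -d)
printf '\376\355\376\355' >"$WORK/legacy.jks"
printf '\060\202\001\012' >"$WORK/store.p12"
cat >"$WORK/app.xml" <<'EOF'
<tls:context name="legacy">
  <tls:key-store type="jks" path="server.jks" password="changeit" keyPassword="changeit" />
  <tls:trust-store path="client.p12" password="changeit" />
</tls:context>
<tls:context name="migrated">
  <tls:key-store type="bcfks" path="server.bcfks" password="changeit" keyPassword="changeit" />
  <tls:trust-store type="bcfks" path="client.bcfks" password="changeit" />
</tls:context>
EOF
for ks in legacy.jks store.p12; do echo "$ks: $(keystore_kind "$WORK/$ks")"; done
audit_tls_contexts "$WORK/app.xml" || echo "app.xml: stores above still need conversion"
```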

Connectors Compatibility

Only connectors tagged as fips-140-3-verified in Anypoint Exchange are certified for use in FIPS 140-3 environments. To check compliance in Exchange before deploying:

  1. Open Anypoint Exchange.

  2. Search for the connector.

  3. Check for the fips-140-3-verified tag.

Tips and Limitations

  • Not all encryption schemes and signatures are FIPS 140-3 compliant. If your app uses a non-approved algorithm, you might see a runtime error such as:

    Could not find encryption algorithm '<algorithm-name>'.
    You are running in FIPS mode, so please verify that
    the algorithm is compliant with FIPS.

  • Different environments can have different security configurations. Test before deploying to production.