Contact Us 1-800-596-4880

FIPS 140-2 Compliance Support

This version of Mule reached its End of Life on May 2, 2023, when Extended Support ended.

Deployments of new applications to CloudHub that use this version of Mule are no longer allowed. Only in-place updates to applications are permitted.

MuleSoft recommends that you upgrade to the latest version of Mule 4 that is in Standard Support so that your applications run with the latest fixes and security enhancements.

The Mule 4 Runtime can be configured to run in a FIPS 140-2 certified environment. This includes all Runtime connectors, such as HTTP connector. Note that Mule does not run in FIPS security mode by default. There are two requirements:

  • Have a certified cryptography module installed in your Java environment

  • Adjust Mule Runtime settings to run in FIPS security mode

By default, Government Cloud is configured for FIPS 140-2, so you do not need to perform the following steps if you are using Government Cloud.

Assumptions

This document assumes that you are familiar with FIPS 140-2, the US government security standard that requires that compliant parties use only cryptographic algorithms and techniques that have been certified by NIST. This document also assumes that you have selected and obtained a certified security provider.

Setting Up a FIPS 140-2 Java Environment

Mule relies on the Java runtime to provide a FIPS-compliant security module, which is why the first requirement is to have a FIPS 140-2 Java environment properly set up. If you are setting up your system for FIPS compliance for the first time and you have not already configured a certified security provider, you must first select and obtain one, then set up your Java environment following the instructions specific to your selected provider.

Details for this process vary according to your selected security provider. Please refer to the documentation for your security provider for complete instructions.

Example: Setup Instructions Using Bouncy Castle Security Provider

The following example demonstrates how to install and configure Bouncy Castle security provider.

  1. Download the provider files from the BouncyCastle web page.

  2. Install the required JAR file into the $JAVA_HOME/lib/ext folder:

    FIPS-install-jars
  3. Register the security provider in the security properties file in the $JAVA_HOME/lib/security folder:

    1. Open the java.security file to add your provider’s class (for example, org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) as the first item in the list of providers.

    2. Modify the line with SSL provider to use the Bouncy Castle provider (security.provider.4=com.sun.net.ssl.internal.ssl.Provider BCFIPS):

      FIPS-register-jar
  4. Adjust the numbering of the other security providers in the file so that they remain sequential.

    FIPS-register-jar-renumber
  5. Save your changes.

Running Mule in FIPS Security Mode

After following the steps in Setting Up a FIPS 140-2 Java Environment, set up your Mule instances to work in a FIPS 140-2-compliant environment by updating the configuration of the wrapper that launches the Mule app server.

  1. Open your wrapper.conf file (located in $MULE_HOME/conf folder).

  2. Uncomment the line that configures Mule to work in FIPS security mode (as shown). Be sure to replace the <n> with the next sequential number in your wrapper.conf file.

    FIPS-wrapper-conf-edit
  3. Save your changes.

When Mule launches again, the startup readout will indicate that FIPS security mode is enabled.

FIPS-startup

With FIPS security mode enabled, Mule automatically restricts protocol negotiations to use only the subset of approved cryptographic cipher suites. Any HTTPS connectors and any other connectors that use a TLS security layer will be affected automatically by this restriction.

Cluster Environment in FIPS mode

If you are running in FIPS mode with a Mule Runtime in a clustered environment, you should define an encryption key for the cluster. See Cluster reference for more insight.

Fine-Tuning SSL Connectors

The Mule conf folder includes two files that allow you to fine-tune the configuration of SSL connectors by manually setting which cipher suites Mule can use and which SSL protocols are allowed:

  • tls-default.conf (Allows fine-tuning when Mule is not configured to run in FIPS security mode)

  • tls-fips140-2.conf (Allows fine-tuning when Mule is running in FIPS security mode)

Open the relevant file and comment or uncomment items in the lists to manually configure the allowed cipher suites and SSL protocols. If you make no changes to these files, Mule allows the configured security manager to select cipher suites and protocols.

Tips and Limitations

  • The Bouncy Castle security provider bundled with the Mule Runtime distribution is not FIPS certified. When Mule starts in FIPS security mode, the Bouncy Castle provider is not registered or used.

  • Not all encryption schemes and signatures included in Mule Cryptography Module and Mule Secure Properties configuration options are FIPS compliant. If your application is using an algorithm that is not approved for FIPS use, you will get an error at runtime that reads:

	Could not find encryption algorithm '<algorithm-name>'.
	You are running in FIPS mode, so please verify that
	the algorithm is compliant with FIPS.
  • Keep in mind that your different environments might have different security configurations, including different encryption schemes and algorithm selections. So you might see this error in certain environments (but not others), depending on how they are set up.