
FIPS 140-2 Compliance Support

The Mule 4 Runtime can be configured to run in a Federal Information Processing Standard (FIPS) 140-2 certified environment. This includes all Runtime connectors, such as the HTTP connector. Note that Mule doesn’t run in FIPS security mode by default. There are two requirements:

  • Have a certified cryptography module installed in your Java environment

  • Adjust Mule Runtime settings to run in FIPS security mode

By default, Government Cloud is configured for FIPS 140-2, so you don’t need to perform the following steps if you are using Government Cloud.

If you are using Runtime Fabric, see Enabling FIPS 140-2 Compliance Mode for Runtime Fabric instead of performing these steps.

Assumptions

This document assumes that you are familiar with FIPS 140-2, the US government security standard that requires that compliant parties use only cryptographic algorithms and techniques that have been certified by NIST. This document also assumes that you have selected and obtained a certified security provider.

Setting Up a FIPS 140-2 Java Environment

Mule relies on the Java runtime to provide a FIPS-compliant security module, which is why the first requirement is to have a FIPS 140-2 Java environment properly set up. If you are setting up your system for FIPS compliance for the first time and you haven’t already configured a certified security provider, you must first select and obtain one, then set up your Java environment following the instructions specific to your selected provider.

Details for this process vary according to your selected security provider. Please refer to the documentation for your security provider for complete instructions.

Setup Instructions Using Bouncy Castle Security Provider

The following instructions demonstrate how to set up a FIPS 140-2 Java environment.

Setup Instructions in Java 8

The following shows how to install and configure Bouncy Castle security provider in Java 8.

  1. Download the provider files from the BouncyCastle web page.

  2. Install the required JAR file into the $JAVA_HOME/lib/ext folder:

    (Image: a command line installing the FIPS JAR file into the Java home directory)
  3. Register the security provider in the security properties file in the $JAVA_HOME/lib/security folder:

    1. Open the java.security file to add your provider’s class (for example, org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) as the first item in the list of providers.

    2. Modify the line for the SSL provider (com.sun.net.ssl.internal.ssl.Provider) so that it uses the Bouncy Castle FIPS provider for its cryptography, for example security.provider.4=com.sun.net.ssl.internal.ssl.Provider BCFIPS:

      (Image: the list of security providers, showing the provider line to modify)
  4. Adjust the numbering of the other security providers in the file so that they remain sequential.

    (Image: the list of security providers renumbered in sequential order)
  5. Save your changes.
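
The following script is an added example (not MuleSoft’s or Bouncy Castle’s code) showing steps 3 and 4 above as a repeatable edit: it inserts the FIPS provider class as security.provider.1, renumbers the remaining providers so they stay sequential, and points the SSL provider line at BCFIPS. The java.security content it edits is a constructed, shortened sample, and it assumes the existing security.provider.N= lines appear in ascending order, as they do in the file Java ships.

```sh
#!/bin/sh
# Added example (not MuleSoft's or Bouncy Castle's code): register a FIPS provider as
# security.provider.1 in a java.security file, renumber the remaining providers so they
# stay sequential, and make the SunJSSE provider line use BCFIPS.
# The java.security content below is a constructed, shortened sample.
set -eu

# Insert CLASS as security.provider.1 and renumber the existing providers 2..N+1.
# Assumes the existing security.provider.N= lines appear in ascending order, as shipped.
register_fips_provider_first() {
  conf="$1"; cls="$2"
  awk -v cls="$cls" '
    /^security\.provider\.[0-9]+=/ {
      if (!seen) { print "security.provider.1=" cls; seen = 1; n = 1 }
      sub(/^security\.provider\.[0-9]+=/, "")
      n++
      print "security.provider." n "=" $0
      next
    }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Make the SunJSSE provider line use BCFIPS for its cryptography
# (security.provider.N=com.sun.net.ssl.internal.ssl.Provider BCFIPS) if it does not already.
use_bcfips_for_jsse() {
  conf="$1"
  sed 's|^\(security\.provider\.[0-9][0-9]*=com\.sun\.net\.ssl\.internal\.ssl\.Provider\)[[:space:]]*$|\1 BCFIPS|' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print "N=class" pairs in file order so the result can be inspected or checked.
list_providers() {
  sed -n 's/^security\.provider\.\([0-9][0-9]*\)=\(.*\)$/\1=\2/p' "$1"
}

# Return 0 only when the provider numbers run exactly 1..N with no gaps or duplicates.
providers_sequential() {
  expected=1
  for n in $(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1"); do
    [ "$n" -eq "$expected" ] || return 1
    expected=$((expected + 1))
  done
  return 0
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
demo_conf="$workdir/java.security"

# Constructed sample: a trimmed provider list in the shape of a Java 8 java.security file.
cat > "$demo_conf" <<'EOF'
# List of providers and their preference orders (constructed sample):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
EOF

register_fips_provider_first "$demo_conf" org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
use_bcfips_for_jsse "$demo_conf"
list_providers "$demo_conf"
```

Run it against a copy of $JAVA_HOME/lib/security/java.security rather than the live file, then diff the two before copying the result into place; providers_sequential gives a quick check that step 4 left no gap in the numbering, which would make Java ignore every provider after the gap.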

Setup Instructions in Java 11 and Later

The following shows how to install and configure Bouncy Castle security provider in Java 11 and later.

  1. Verify that you are using Java 11 or later and JAVA_HOME is set.

  2. Download the provider files from the BouncyCastle web page.

    Provider: bc-fips-1.0.2.4
    TLS: bctls-fips-1.0.17.jar
    PKIX: bcpkix-fips-1.0.7.jar
  3. Copy the three downloaded files into both the lib/boot folder (needed by the Mule runtime) and the mule-agent-plugin/lib folder (needed by the Mule agent) of your Mule runtime installation.

  4. Run amc_setup to register the Mule runtime with Anypoint Runtime Manager, adding the --fips flag. For example, the Add Server dialog in Runtime Manager gives you a registration command such as ./amc_setup -H d32c4bde-7184-444a-bd87-7a274623e14f---704247 node10 --fips, where d32c4bde-7184-444a-bd87-7a274623e14f---704247 is the registration token from Anypoint Runtime Manager and node10 is the server name.

  5. To enable FIPS, add the following properties to $MULE_HOME/conf/wrapper.conf, replacing each <n> with the next sequential wrapper.java.additional index in the file:

       wrapper.java.additional.<n>=-Dmule.security.model=fips140-2
       wrapper.java.additional.<n>=-Dmule.cluster.network.encryption.key={someKey}

     The second property is needed only in a clustered environment; someKey is the encryption key for your cluster.

  6. Use the latest Mule runtime 4.5.x distribution, which enables the BouncyCastleFipsProvider and BouncyCastleJsseProvider providers and sets the algorithms to PKIX.

  7. Start Mule runtime.

Running Mule in FIPS Security Mode

After following the steps in Setting Up a FIPS 140-2 Java Environment, set up your Mule instances to work in a FIPS 140-2-compliant environment by updating the configuration of the wrapper that launches the Mule app server.

  1. Open your wrapper.conf file (located in $MULE_HOME/conf folder).

  2. Uncomment the line that configures Mule to work in FIPS security mode (as shown). Be sure to replace the <n> with the next sequential number in your wrapper.conf file.

    (Image: the wrapper.conf line that enables FIPS 140-2 security mode)
  3. Save your changes.

When Mule launches again, the startup readout will indicate that FIPS security mode is enabled.

(Image: console output showing startup logs for a Mule server with the FIPS 140-2 security model enabled)

With FIPS security mode enabled, Mule automatically restricts protocol negotiations to use only the subset of approved cryptographic cipher suites. Any HTTPS connectors and any other connectors that use a TLS security layer will be affected automatically by this restriction.

Cluster Environment in FIPS Mode

If you are running a Mule Runtime cluster in FIPS mode, you should define an encryption key for the cluster. See the cluster reference for details.

FIPS 140-2 Compliant Cipher Suites

The following list contains supported FIPS 140-2 compliant cipher suites. To configure the cipher suite used by on-prem Mule installations, see Fine-Tuning SSL Connectors.

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Fine-Tuning SSL Connectors

The Mule conf folder includes two files that allow you to fine-tune the configuration of SSL connectors by manually setting which cipher suites Mule can use and which SSL protocols are allowed:

  • tls-default.conf (Allows fine-tuning when Mule isn’t configured to run in FIPS security mode)

  • tls-fips140-2.conf (Allows fine-tuning when Mule is running in FIPS security mode)

Open the relevant file and comment or uncomment items in the lists to manually configure the allowed cipher suites and SSL protocols. If you make no changes to these files, Mule allows the configured security manager to select cipher suites and protocols.
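
Because the tls-fips140-2.conf file is edited by hand, a suite that is not on the list above can be uncommented by mistake. The following script is an added example, not MuleSoft’s code: it reads the enabled cipher suites from a tls-*.conf style file and reports any that are not in the page’s FIPS 140-2 compliant list. It assumes the file carries a comma-separated enabledCipherSuites= property and uses # for comments, which is how Mule’s tls-*.conf files are laid out; the two sample files are constructed.

```sh
#!/bin/sh
# Added example (not MuleSoft's code): audit a tls-fips140-2.conf style file and flag
# every enabled cipher suite that is not on the FIPS 140-2 compliant list from this page.
# Assumption: the file carries a comma-separated "enabledCipherSuites=" property and
# uses "#" for comments, as Mule's tls-*.conf files do. The sample files are constructed.
set -eu

# The FIPS 140-2 compliant cipher suites listed on this page, one per line.
FIPS_CIPHER_SUITES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'

# Print the suites enabled by an uncommented enabledCipherSuites= line, one per line.
enabled_cipher_suites() {
  sed -n 's/^[[:space:]]*enabledCipherSuites[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | tr -d '[:blank:]' | sed '/^$/d'
}

# Return 0 if the suite is on the approved list, 1 otherwise.
is_fips_suite() {
  printf '%s\n' "$FIPS_CIPHER_SUITES" | grep -qx -- "$1"
}

# Print every enabled suite that is not FIPS approved; return 1 if there was any and
# 0 if the file is clean (including when it enables nothing and leaves the choice to
# the security provider).
audit_cipher_suites() {
  status=0
  for suite in $(enabled_cipher_suites "$1"); do
    if ! is_fips_suite "$suite"; then
      echo "$suite"
      status=1
    fi
  done
  return $status
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample 1: one non-approved suite slipped into the enabled list.
cat > "$workdir/tls-bad.conf" <<'EOF'
# Fine-tuning for FIPS mode (constructed sample)
enabledProtocols=TLSv1.2
enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
EOF

# Constructed sample 2: only approved suites, plus a commented-out line that must be ignored.
cat > "$workdir/tls-good.conf" <<'EOF'
enabledProtocols=TLSv1.2
#enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF

audit_cipher_suites "$workdir/tls-bad.conf" || echo "tls-bad.conf: non-FIPS suites listed above"
audit_cipher_suites "$workdir/tls-good.conf" && echo "tls-good.conf: clean"
```

Run audit_cipher_suites against $MULE_HOME/conf/tls-fips140-2.conf as a pre-start check; a non-zero exit means a suite outside the approved list is enabled, which is exactly the kind of drift between environments that the Tips and Limitations section warns about.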

Tips and Limitations

  • The Bouncy Castle security provider bundled with the Mule Runtime distribution isn’t FIPS certified. When Mule starts in FIPS security mode, the Bouncy Castle provider isn’t registered or used.

  • Not all encryption schemes and signatures included in Mule Cryptography Module and Mule Secure Properties configuration options are FIPS compliant. If your application is using an algorithm that isn’t approved for FIPS use, you will get an error at runtime that reads:

      Could not find encryption algorithm '<algorithm-name>'.
      You are running in FIPS mode, so please verify that
      the algorithm is compliant with FIPS.

  • Keep in mind that your environments might have different security configurations, including different encryption schemes and algorithm selections, so you might see this error in some environments but not in others, depending on how each is set up.

  • Similarly, enabling FIPS at the OS level, such as on Red Hat, isn’t supported as it causes cipher suite errors during license validation.