Contact Us 1-800-596-4880
  1. Homepage
  2. Mule Runtime (4.11)
  3. Security

  4. FIPS 140-3 Compliance Support

FIPS 140-3 Compliance Support

Run Mule 4 in a Federal Information Processing Standard (FIPS) 140-3 certified environment by enabling approved cryptography providers and runtime settings. Use this guide to install BC-FJA, enable FIPS mode, and configure TLS and keystore formats for compliant deployments. These steps help you meet federal cryptography requirements while keeping runtime behavior predictable across environments.

Mule doesn’t run in FIPS security mode by default. To use FIPS security mode:

  • Install a certified cryptography module in your Java environment.

  • Adjust Mule runtime settings to run in FIPS security mode.

Compatibility

FIPS 140-3 support requires:

  • Mule 4.11.4 or later (for earlier versions of Mule runtime, use FIPS 140-2 Compliance Support)

  • Java 17 or later

  • FIPS license from the license .zip file provided by MuleSoft (the non-FIPS license isn’t valid for FIPS mode)

Assumptions

This document assumes you’re familiar with FIPS 140-3, the US government security standard that requires that compliant parties use only cryptographic algorithms and techniques that have been certified by NIST.

These instructions use BC-FJA, the recommended FIPS 140-3 certified security provider for Mule runtime (Certificate #4943). If you use a different certified security provider, refer to that provider’s documentation for configuration instructions.

Installing BC-FJA Security Provider

Mule runtime uses BC-FJA 2.1.2 as its FIPS 140-3 certified cryptography provider.

Installation Steps

These instructions show how to install and configure BC-FJA security provider in Java 17 or later.

  1. Verify that you’re using Java 17 or later and JAVA_HOME is set.

  2. Download the BC-FJA 2.1.2 provider files from the BouncyCastle website.

  3. Copy the required JAR files to the ${MULE_HOME}/lib/boot folder:

    bc-fips-2.1.2.jar
bcutil-fips-2.1.5.jar
bctls-fips-2.1.22.jar
bcpkix-fips-2.1.10.jar

  4. Configure the security providers in the ${JAVA_HOME}/conf/security/java.security file:

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS

  5. Configure the key manager and trust manager algorithms in the same java.security file:

    ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

Running Mule in FIPS Security Mode

After installing the BC-FJA provider, configure Mule to run in FIPS 140-3 mode:

  1. Open your wrapper.conf file (located in ${MULE_HOME}/conf).

  2. Add these properties. Replace <n> with the next sequential number in your file:

    # Enable FIPS 140-3 security mode
wrapper.java.additional.<n>=-Dmule.security.model=fips140-3

# Enable Bouncy Castle approved-only mode
wrapper.java.additional.<n>=-Dorg.bouncycastle.fips.approved_only=true

# Required for Java 17+ module access
wrapper.java.additional.<n>=--add-opens=java.base/sun.security.provider=org.bouncycastle.fips.core

# Set keystore type to BCFKS
wrapper.java.additional.<n>=-Dmule.keystore.type=BCFKS

  3. If you’re using a clustered environment, also add the cluster encryption key:

    wrapper.java.additional.<n>=-Dmule.cluster.network.encryption.key={your-encryption-key}

    For more information about clustering in FIPS mode, see Cluster reference.

  4. Save your changes and start Mule runtime.

In FIPS-compliant environments, all keystores and truststores typically require BCFKS format. To support legacy JKS stores, such as the default Java truststore at ${JAVA_HOME}/lib/security/cacerts, see FIPS 140-3 Compliant Keystore Formats for configuration options.

When Mule launches, the startup logs show that FIPS 140-3 security mode is enabled. Mule automatically restricts protocol negotiations to use only approved cryptographic cipher suites.

Not all connectors are FIPS 140-3 compliant. Only connectors tagged as fips-140-3-verified in Anypoint Exchange are certified to use in FIPS 140-3 environments. Always verify compliance in Exchange before deploying.

FIPS 140-3 Compliant Cipher Suites

These cipher suites are enabled by default when running Mule in FIPS 140-3 mode.

TLS 1.3 Cipher Suites

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA256

TLS 1.2 Cipher Suites

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

These cipher suites are configured in the ${MULE_HOME}/conf/tls-fips140-3.conf file. FIPS 140-3 requires support for TLS 1.3 and TLS 1.2. Earlier TLS versions aren’t supported.

FIPS 140-3 Compliant Keystore Formats

Keystores or truststores in non-FIPS environments are typically formatted as PKCS12 or JKS. These formats aren’t FIPS-compliant. Convert them to BCFKS format.

  1. Use this example command to convert a JKS keystore to BCFKS format. If the source keystore is PKCS12, set -srcstoretype to PKCS12 in the keytool command:

    BC_FIPS_JAR=${MULE_HOME}/lib/boot/bc-fips-2.1.2.jar  # Replace with a correct path
OLD_KEYSTORE="keystore.jks"                          # Replace with the keystore to convert
OLD_PASSWD="changeit"                                # Replace with the keystore password
NEW_KEYSTORE="keystore.bcfks"                        # Replace with the new keystore
NEW_PASSWD="changeit"                                # Replace with the new keystore password

keytool -importkeystore \
 -providerclass sun.security.provider.Sun \
 -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
 -providerpath ${BC_FIPS_JAR} \
 -srckeystore  ${OLD_KEYSTORE}   -srcstoretype JKS       -srcstorepass ${OLD_PASSWD} \
 -destkeystore ${NEW_KEYSTORE}   -deststoretype BCFKS    -deststorepass ${NEW_PASSWD}

  2. Update the TLS configuration in your Mule application to use the new keystore or truststore:

    <tls:context>
	<tls:key-store   type="bcfks" path="server.bcfks" password="changeit" keyPassword="changeit" alias="default" />
	<tls:trust-store type="bcfks" path="client.bcfks" password="changeit" />
</tls:context>

  3. By default, the JVM truststore at ${JAVA_HOME}/lib/security/cacerts is a JKS. There are two approaches to handle this special case:

    • Convert to BCFKS

      • Convert the JKS store to BCFKS using the keytool command as described in FIPS 140-3 Compliant Keystore Formats, pointing OLD_KEYSTORE to ${JAVA_HOME}/lib/security/cacerts and NEW_KEYSTORE to ${JAVA_HOME}/lib/security/cacerts.bcfks

      • Add these properties to your wrapper.conf file:

        wrapper.java.additional.<n>=-Djavax.net.ssl.trustStore=${JAVA_HOME}/lib/security/cacerts.bcfks
wrapper.java.additional.<n>=-Djavax.net.ssl.trustStorePassword=changeit
wrapper.java.additional.<n>=-Djavax.net.ssl.trustStoreType=bcfks

    • Allow legacy JKS store

      • Add this property to your wrapper.conf file:

        wrapper.java.additional.<n>=-Dorg.bouncycastle.jca.enable_jks=true

Connectors Compatibility

Only connectors tagged as fips-140-3-verified in Anypoint Exchange are certified for use in FIPS 140-3 environments. To check compliance in Exchange before deploying:

  1. Open Anypoint Exchange.

  2. Search for the connector.

  3. Check for the fips-140-3-verified tag.

Tips and Limitations

  • Not all encryption schemes and signatures are FIPS 140-3 compliant. If your application uses a non-approved algorithm, you get this runtime error:

	Could not find encryption algorithm '<algorithm-name>'.
	You are running in FIPS mode, so please verify that
	the algorithm is compliant with FIPS.

  • Different environments can have different security configurations. Test before deploying to production.

See Also