The Federal Information Processing Standard (FIPS) 140-2 is a US government computer security standard published by National Institute of Standards and Technology (NIST). It specifies the security requirements for cryptographic modules. FIPS 140-2 compliance is often a requirement of the software systems used by the US government agencies.
The NIST manages a list of FIPS certified cryptographic modules. These modules are certified under the Cryptographic Module Validation Program. The list can be searched online at the NIST website.
Hazelcast uses external modules for cryptographic tasks, and it can be configured to use a FIPS 140-2 validated module. It means most of the configuration required for FIPS is outside of the Hazelcast configuration. To run Hazelcast in the FIPS compliant mode, you have to set the underlying Java runtime into FIPS mode. It may also require switching the underlying Operating System into the FIPS mode. We consider using a FIPS enabled OS as a recommended approach even in cases when it’s not asked for explicitly.
Hazelcast is not an authority which should document switching different Java
runtimes into the FIPS mode. Please consult the documentation of your Java
version to learn how to enable the FIPS mode. Usually it means changing the
list of security providers in the
java.security JRE configuration file.
Hazelcast is only responsible for enabling the OpenSSL native library into the
FIPS mode (see the Integrating OpenSSL section).
If the Hazelcast cluster configuration enables TLS communication using the
native OpenSSL library, you have to enable its FIPS mode in the Hazelcast
The FIPS mode is controlled by an optional boolean property called
fipsMode. It is disabled by default (
The following is an example OpenSSL configuration in the FIPS mode.
<hazelcast> ... <network> <ssl enabled="true"> <factory-class-name>com.hazelcast.nio.ssl.OpenSSLEngineFactory</factory-class-name> <properties> <property name="fipsMode">true</property> <property name="protocol">TLSv1.2</property> <property name="trustCertCollectionFile">trusted-certs.pem</property> <property name="keyFile">privkey.pem</property> <property name="keyCertChainFile">chain.pem</property> </properties> </ssl> </network> ... </hazelcast>
hazelcast: network: ssl: enabled: true factory-class-name: com.hazelcast.nio.ssl.OpenSSLEngineFactory properties: fipsMode: true protocol: TLSv1.2 trustCertCollectionFile: trusted-certs.pem keyFile: privkey.pem keyCertChainFile: chain.pem
fipsMode property is set to
true, the native OpenSSL engine is
either set to the FIPS mode or an exception is thrown, e.g., in the cases when
OpenSSL is compiled without the FIPS support.
If there are more Hazelcast instances (members or clients) with TLS enabled
employing the OpenSSL, then all of them must have the
configured in the same way, either enabled or disabled.
When the FIPS mode is successfully enabled, you will see the following
INFO level message in the log files.
OpenSSL is enabled in FIPS mode.
|BoringSSL libraries don’t support the FIPS mode.|
The FIPS environment configuration steps depend on the used operating system and Java version. You should consult with their documentation for the specific configurations. The following are links to such configuration for various environments.