Enabling FIPS 140-2 compliance mode in MULE ESB

Question

To enable the FIPS 140-2 compliance mode I had gone through MULE documentation https://docs.mulesoft.com/mule-user-guide/v/3.7/fips-140-2-compliance-support.

I had followed the steps mentioned below as per recommended in MULE documentation :

1. Copy cryptojce.jar, cryptojcommon.jar & jcmFIPS.jar in ${JAVA_HOME}/lib/ext
2. Edit java.security file (${JAVA_HOME}/lib/security/java.security) add security.provider.1=com.rsa.jsafe.provider.JsafeJCE.
3. Edit wrapper.conf file (mule/conf/wrapper.conf) add wrapper.java.additional.7=-Dmule.security.model=fips140-2.
4. Start Mule. On mule console I got the message mentioned below:

---

Mule ESB and Integration Platform
Version: 3.5.2 Build:....
MuleSoft, Inc.
Security model: fips140-2

---

From the message it is clear that FIPS140-2 is used as security model. Even after providing three JAR’s out of four of RSA’s BSAFE as certified security provider.

How can I verify that FIPS 140-2 compliance mode is enable on Mule ?

This message is also shown even If I don't prepare the Java Env as mentioned in the docs.

Answer 1

That message, as the docs say, is only linked to running mule in FIPS security mode so that cipher suites are restricted to the approved ones. You need to be running Mule in a proper Java environment to have full compliance, which is what the docs are specifying at the beginning, so you need to follow all the steps. I hope that clarifies things.