Skip to content
|
search
Kong Gateway
3.2.x (latest)

Install and Configure the FIPS Compliant Package

This how-to guide explains how to install and configure the Kong Gateway FIPS-compliant package. After following the steps in this guide, you will have a FIPS-compliant Kong Gateway with FIPS mode enabled.

Installing a Kong Gateway FIPS compliant package

The FIPS-compliant Ubuntu 20.04 package can be installed using the package distinctively named kong-enterprise-edition-fips. To install the package follow these instructions:

  1. Set up the Kong APT repository: 
     echo "deb [trusted=yes] https://download.konghq.com/gateway-3.x-ubuntu-$(lsb_release -sc)/ \
 default all" | sudo tee /etc/apt/sources.list.d/kong.list
  2. Update the repository: 
     sudo apt-get update

  3. Install the Kong Gateway FIPS package:

     apt install -y kong-enterprise-edition-fips=3.2.2.0

The FIPS-compliant Red Hat 8 package can be installed using the package distinctively named kong-enterprise-edition-fips. To install the package follow these instructions:

  1. Download the FIPS package:

     curl -Lo kong-enterprise-edition-fips-3.2.2.0.rpm \
 $( rpm --eval "https://download.konghq.com/gateway-3.x-rhel-%{rhel}/Packages/k/kong-enterprise-edition-fips-3.2.2.0.rhel%{rhel}.amd64.rpm")

  2. Install the Kong Gateway FIPS package:

     yum install kong-enterprise-edition-fips-3.2.2.0

  1. Set up the Kong Yum repository:

     curl $(rpm --eval "https://download.konghq.com/gateway-3.x-rhel-%{rhel}/config.repo") | sudo tee /etc/yum.repos.d/kong.repo

  2. Install the Kong Gateway FIPS package:

     yum install kong-enterprise-edition-fips-3.2.2.0

Configure FIPS

To start in FIPS mode, set the following configuration property to on in the kong.conf configuration file before starting Kong Gateway:

fips = on # fips mode is enabled, causing incompatible ciphers to be disabled

You can also set this configuration using an environment variable:

export KONG_FIPS=on

If you are migrating from Kong Gateway 3.1 to 3.2 in FIPS mode and are using the key-auth-enc plugin, you should send PATCH or POST requests to all existing key-auth-enc credentials to re-hash them in SHA256.

Migrating from non-FIPS to FIPS mode and backwards is not supported.