It may be possible to run Jenkins in a FIPS-140 compliant manner when the compliance flag is enabled, and the servlet container, the JVM, and the host OS are all appropriately configured. How to configure the servlet container, JVM and host are out of scope of the Jenkins community project as this is a complex area with many pitfalls and gotchas. Some Jenkins features may not work or be disabled.
The Jenkins community does not actively check Jenkins or Plugins for FIPS-140 compliance issues. |
Plugins may or may not honour a request to run in FIPS-140 compliance mode. Before you install or upgrade any plugin, you should check the plugin’s code to ensure it adheres to the FIPS-140 standard.
If you enable FIPS-140 mode, it provides a hint to Jenkins and any plugins that have opted in that they should prefer cryptographic algorithms that may.[1] be FIPS-140 approved. This may mean that some features are disabled entirely, or may use a less secure (but compliant) form of cryptography than normal.
If any code from the JVM, servlet container, Jenkins, or any plugin requests a non-compliant algorithm, this will still be the case, and the request may be honoured. For example, this mode cannot configure the JVM, so TLS connections to external secure web sites might still use non-compliant cryptography. Additionally, Jenkins cannot ensure that plugins will even use encryption at all, when appropriate. At the end of the day, just because Jenkins and plugins run when FIPS-140 mode is enabled does not mean that it adheres to the USA government standard.
As previously mentioned, the host, JVM, and the servlet container all need to be configured appropriately to ensure that Jenkins is FIPS-140 compliant. Extreme care should be taken when installing or upgrading plugins as they may or may not be FIPS-140 compliant, and they may introduce code that is non-compliant or otherwise change the JVM configuration so that it breaks compliance.
The Jenkins community does not support Jenkins FIPS-140 mode, and due to the complex nature of JVM and servlet configuration that can change between versions, does not provide documentation for the full configuration required to run Jenkins in a fully FIPS-140 compliant manner. If you need to run Jenkins in a way that it is FIPS-140 compliant, it is recommended that you obtain support from a commercial vendor. The Jenkins community may be able to fix issues relating to FIPS-140 compliance; these will be treated as any other bug report or feature request.
Please submit your feedback about this page through this quick form.
Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?
See existing feedback here.