Configuring FIPS 140-3 for Snowflake Connector
Snowflake Connector supports FIPS 140-3 compliant cryptographic operations through integration with the BouncyCastle FIPS (BCFIPS) security provider. Learn how to configure the connector for FIPS-compliant environments.
Before You Begin
Make sure you meet these prerequisites for the configuration:
- Mule Runtime 4.10.0 or later
- Snowflake Connector version 1.4.0 or later
- BouncyCastle FIPS libraries v2 or later
- Java 17 or later with FIPS-capable JVM
- Snowflake JDBC Driver - FIPS Edition (required for FIPS environments)
FIPS-Certified JDBC driver required: Snowflake provides a separate FIPS-certified JDBC driver specifically designed for FIPS 140-3 compliant environments. If you operate in a FIPS environment, you must use the FIPS-certified driver instead of the standard Snowflake JDBC driver.
The FIPS driver is built with FIPS-certified cryptographic libraries and is validated for use in regulated environments. Using the standard driver in a FIPS environment doesn’t meet compliance requirements. For more information on obtaining the FIPS-certified driver, see the Snowflake JDBC Driver documentation.
Understanding FIPS Mode Detection
Snowflake Connector automatically detects FIPS mode by checking the mule.security.model system property. When this property is set to a value starting with fips140 (for example, fips140-3), the connector operates in FIPS mode with enhanced security controls.
Example:
-Dmule.security.model=fips140-3
Configure BCFIPS with the Snowflake Connector
Configure BCFIPS using one of these options:
FIPS approved algorithms only: Regardless of which configuration option you choose, you must configure the system property org.bouncycastle.fips.approved_only=true. The connector doesn’t set this property automatically. This is a JVM-wide configuration that affects all applications and processes running in the JVM. The system administrator must set this property manually or through your Mule runtime configuration. Example:
-Dorg.bouncycastle.fips.approved_only=true
Without this property, BCFIPS may allow non-FIPS-approved algorithms, which could violate compliance requirements in regulated environments.
Configure BCFIPS in Java Security (Recommended)
Use this option for production environments to:
- Manage security configuration from a central location
- Apply consistently across all applications
- Avoid runtime modifications to security infrastructure
- Follow enterprise security governance practices
Follow these steps:
- Locate your Java security configuration file:
  $JAVA_HOME/jre/lib/security/java.security
- Add the BCFIPS provider to the security provider list. Insert it at an appropriate position (typically position 1 or 2):
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=sun.security.provider.Sun
  # ... other providers
- Make sure the BCFIPS JAR is available in the JVM classpath or the Mule application’s shared libraries.
- Restart your Mule runtime instance.
Enable Auto-Registration
Use this option for environments where modifying java.security is not feasible. The connector can automatically register BCFIPS at runtime.
Important security considerations:
Follow these steps:
- Set the auto-registration system property:
  -Dmule.snowflake.fips.bcfips.autoregister=true
- Make sure FIPS mode is enabled:
  -Dmule.security.model=fips140-3
- The connector automatically registers BCFIPS when establishing the first connection.
Example Mule runtime startup:
java -Dmule.security.model=fips140-3 \
-Dmule.snowflake.fips.bcfips.autoregister=true \
-Dorg.bouncycastle.fips.approved_only=true \
-jar mule-standalone.jar
Understanding Standard (Non-FIPS) Mode
In standard mode (when mule.security.model isn’t set or doesn’t start with fips140), the connector automatically handles BCFIPS registration without requiring additional configuration. This ensures seamless operation for non-regulated environments.
System Properties Reference
| Property | Description | Values | Default | Scope |
|---|---|---|---|---|
| mule.security.model | Enables FIPS mode detection | | Not set (standard mode) | Connector |
| mule.snowflake.fips.bcfips.autoregister | Enables automatic BCFIPS registration in FIPS mode | | | Connector |
| org.bouncycastle.fips.approved_only | REQUIRED for FIPS compliance. Restricts BCFIPS to use only FIPS-approved algorithms | | | JVM-wide |
|
The |
Migrate Existing Deployments
You need to assess the current configuration and choose the appropriate configuration method.
Non-FIPS Environments
No action required. The connector maintains full backward compatibility and automatically handles BCFIPS registration.
For FIPS Environments
- Assess the current configuration:
  - Verify if BCFIPS is already configured in java.security
  - Check for existing BouncyCastle provider registrations
  - Identify the Snowflake JDBC driver in use (standard versus FIPS-certified)
- Choose the configuration method:
  - Recommended: Configure BCFIPS in java.security
  - Alternative: Enable auto-registration
- Configure FIPS-certified components:
  - Replace standard Snowflake JDBC driver with FIPS-certified driver (snowflake-jdbc-fips)
  - Make sure BouncyCastle FIPS libraries version 2.x are available
- Update system properties:
  - Add -Dmule.security.model=fips140-3 (enables FIPS mode detection)
  - Add -Dorg.bouncycastle.fips.approved_only=true (required for FIPS compliance)
  - If using auto-registration, add -Dmule.snowflake.fips.bcfips.autoregister=true
- Test in non-production:
  - Deploy to development or staging environment
  - Verify connectivity and operations
  - Review logs for any security-related warnings
- Production deployment:
  - Schedule maintenance window
  - Deploy configuration changes
  - Monitor logs for successful FIPS initialization
  - Validate all Snowflake operations
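The "Assess the current configuration" and "Update system properties" steps can be run as a repeatable offline check. The script below is an added example, not part of the original documentation or the connector; its function names, return codes and sample input are assumptions made for illustration. It reads a java.security file and a JVM argument string and reports whether the three system properties and the BCFIPS registration are consistent with this page.

```shell
#!/bin/sh
# Added example: offline audit of the FIPS settings this page describes.
# Function names, return codes and the sample input are constructed.
BCFIPS_CLASS='org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider'

# Print the N of the security.provider.N line that registers BCFIPS in the
# given java.security file, or "none" (commented-out lines do not match).
bcfips_position() {
  pos=$(sed -n "s/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*$BCFIPS_CLASS.*/\1/p" "$1" | head -n 1)
  echo "${pos:-none}"
}

# Print the value of -D<name>=... in a JVM argument string; the last
# occurrence is taken. Assumes arguments contain no spaces or glob characters.
jvm_prop() {
  val=''
  for arg in $2; do
    case "$arg" in "-D$1="*) val=${arg#"-D$1="} ;; esac
  done
  echo "$val"
}

# audit_fips <java.security> "<JVM args>": prints one finding per line.
# Returns 0 = FIPS settings consistent, 1 = gap found, 2 = not in FIPS mode.
audit_fips() {
  case "$(jvm_prop mule.security.model "$2")" in
    fips140*) ;;
    *) echo "WARN mule.security.model does not start with fips140"; return 2 ;;
  esac
  rc=0
  if [ "$(jvm_prop org.bouncycastle.fips.approved_only "$2")" != true ]; then
    echo "FAIL org.bouncycastle.fips.approved_only=true is missing"; rc=1
  fi
  pos=$(bcfips_position "$1")
  if [ "$pos" != none ]; then
    echo "OK BCFIPS in java.security at position $pos"
  elif [ "$(jvm_prop mule.snowflake.fips.bcfips.autoregister "$2")" = true ]; then
    echo "OK BCFIPS absent from java.security, auto-registration enabled"
  else
    echo "FAIL BCFIPS neither in java.security nor auto-registered"; rc=1
  fi
  return $rc
}

# Constructed sample: java.security without BCFIPS, startup flags from the page.
sample=$(mktemp)
printf 'security.provider.1=sun.security.provider.Sun\n' > "$sample"
audit_fips "$sample" "-Dmule.security.model=fips140-3 -Dmule.snowflake.fips.bcfips.autoregister=true -Dorg.bouncycastle.fips.approved_only=true"
rm -f "$sample"
```

On Java 9 and later, including the Java 17 listed in the prerequisites, the JDK keeps this file at $JAVA_HOME/conf/security/java.security, so pass that path if the location given in the steps does not exist. The script checks configuration only; the provider list of the running JVM and the Mule logs remain the authoritative confirmation.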



