Enabling FIPS mode
About this task
Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms permitted by the FIPS standard. If your environment is clustered, make sure to perform this procedure on all nodes.
|
In this procedure, you can manually specify security providers, TLS protocols, and TLS cipher suites that can be used. If your manual inclusions are not FIPS-compliant, your environment might not be FIPS-compliant even in FIPS mode. |
Steps
-
Open the
<PA Home>/conf/fips-mode.propertiesfile, or create it if it has been removed. -
Set the
pa.fips.modeproperty totrue.pa.fips.mode=true
-
Optional: Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the
pa.fips.additionalAllowedProvidersproperty.Example:
pa.fips.additionalallowedproviders=X,Y
-
Optional: Add or remove TLS protocols by editing the
pa.fips.tls.protocolsproperty to include a comma-separated list of valid TLS protocols.The default is:
pa.fips.tls.protocols = TLSv1.2
-
Optional: Add or remove TLS cipher suites by editing the
pa.fips.tls.ciphersproperty to include a comma-separated list of valid TLS cipher suites.The default is:
pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \ TLS_AES_128_GCM_SHA256, \ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, \ TLS_EMPTY_RENEGOTIATION_INFO_SCSV -
Save and close the file.
-
Restart PingAccess.