---
title: Enabling FIPS mode
description: Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms permitted by the FIPS standard. If your environment is clustered, make sure to perform this procedure on all nodes.
component: pingaccess
version: 9.0
page_id: pingaccess:configuring_and_customizing_pingaccess:pa_enabling_fips_mode
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/configuring_and_customizing_pingaccess/pa_enabling_fips_mode.html
revdate: August 23, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Enabling FIPS mode

## About this task

Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms permitted by the FIPS standard. If your environment is clustered, make sure to perform this procedure on all nodes.

|   |                                                                                                                                                                                                                                          |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | In this procedure, you can manually specify security providers, TLS protocols, and TLS cipher suites that can be used. If your manual inclusions are not FIPS-compliant, your environment might not be FIPS-compliant even in FIPS mode. |

## Steps

1. Open the `<PA Home>/conf/fips-mode.properties` file or create it if it's been removed.

2. Set the `pa.fips.mode` property to `true`.

   ### Example:

   ```
   pa.fips.mode=true
   ```

3. (Optional) Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the `pa.fips.additionalAllowedProviders` property.

   ### Example:

   ```
   pa.fips.additionalAllowedProviders=X,Y
   ```

4. (Optional) Add or remove TLS protocols by editing the `pa.fips.tls.protocols` property to include a comma-separated list of valid TLS protocols.

   The default is:

   ```
   pa.fips.tls.protocols = TLSv1.2
   ```

5. (Optional) Add or remove TLS cipher suites by editing the `pa.fips.tls.ciphers` property to include a comma-separated list of valid TLS cipher suites.

   The default is:

   ```
   pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \
                         TLS_AES_128_GCM_SHA256, \
                         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
                         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
                         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
                         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
                         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
                         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
                         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
                         TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
                         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \
                         TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
                         TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, \
                         TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \
                         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, \
                         TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
                         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, \
                         TLS_EMPTY_RENEGOTIATION_INFO_SCSV
   ```

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Some of the default cipher suites aren't supported by every JDK version that can be used with PingAccess. If a TLS cipher suite isn't supported by the JDK version you're using, PingAccess will log a warning in the `pingaccess.log` file when the cipher suite is invoked. PingAccess can ignore any flagged TLS cipher suites with no performance impact. To clear the warning message, you can remove the flagged suites from the `pa.fips.tls.ciphers` property. |

6. Save and close the `<PA Home>/conf/fips-mode.properties` file.

7. If you're [running PingAccess as a Windows service](../installing_and_uninstalling_pingaccess/pa_running_pa_as_a_service.html), reconfigure the classpath for the libraries required for FIPS mode:

   1. Comment out the following line:

      ```
      set.default.BC_PATH=../../resource/bc/non-fips
      ```

   2. Uncomment the following line or set a `BC_PATH` environment variable to `../../resource/bc/fips`:

      ```
      # set.default.BC_PATH=../../resource/bc/fips
      ```

   |   |                                                                                                |
   | - | ---------------------------------------------------------------------------------------------- |
   |   | Learn more in the inline comments in the `<PA_HOME>/sbin/windows/PingAccessService.conf` file. |

8. Restart PingAccess.
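
The following Python check is an added example, not Ping Identity code. It reads a `fips-mode.properties` file and lists every setting that departs from the defaults shown in steps 3 to 5, so that manual inclusions can be reviewed for FIPS compliance. The function names and the sample file are constructed for illustration, and a finding marks a value for review rather than a confirmed compliance failure.

```python
import re

# Review baseline: the defaults listed in steps 4 and 5 of this page.
DEFAULT_PROTOCOLS = {"TLSv1.2"}
DEFAULT_CIPHERS = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                   "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"} | {
    f"TLS_{kx}_WITH_AES_{bits}_{mode}_{digest}"
    for kx in ("ECDHE_ECDSA", "ECDHE_RSA", "ECDH_ECDSA", "ECDH_RSA")
    for bits, digest in (("256", "SHA384"), ("128", "SHA256"))
    for mode in ("GCM", "CBC")}

def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        parts = re.split(r"\s*[=:]\s*", pending + line, maxsplit=1)
        # Keys are lower-cased so a setting is reported however it is capitalized.
        props[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        pending = ""
    return props

def audit_fips_properties(text):
    """Return findings; an empty list means nothing departs from the page's defaults."""
    props = parse_properties(text)
    items = lambda key: [v.strip() for v in props.get(key, "").split(",") if v.strip()]
    # The page sets the value to exactly `true`; anything else is flagged.
    findings = [] if props.get("pa.fips.mode") == "true" else ["pa.fips.mode is not set to true"]
    findings += [f"provider exempted from FIPS exclusion: {name}"
                 for name in items("pa.fips.additionalallowedproviders")]
    findings += [f"non-default TLS protocol: {proto}"
                 for proto in items("pa.fips.tls.protocols") if proto not in DEFAULT_PROTOCOLS]
    findings += [f"non-default cipher suite: {suite}"
                 for suite in items("pa.fips.tls.ciphers") if suite not in DEFAULT_CIPHERS]
    return findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = r"""
pa.fips.mode=true
pa.fips.additionalAllowedProviders=com.example.LegacyProvider
pa.fips.tls.protocols = TLSv1.2, TLSv1.1
pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \
                      TLS_RSA_WITH_AES_128_CBC_SHA
"""
```

In a clustered environment, run `audit_fips_properties` on the file from each node, because the procedure has to be applied to all of them.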
