PingAccess

Managing Federal Information Processing Standards (FIPS) mode

Use Federal Information Processing Standards (FIPS) mode to ensure PingAccess uses encryption algorithms that meet FIPS requirements.

The following features are unavailable in FIPS mode:

  • SHA-1

  • PKCS#12 certificates and private keys

FIPS mode requirements

To run PingAccess in FIPS mode, you must meet the following requirements:

Certificate and private key format requirements

PingAccess only supports PEM-formatted certificates and private keys, meaning you must:

  • Import or export key pairs using the PEM-encoded format.

  • Use the PBES2 encryption scheme with AES or Triple DES encryption and a 128-bit salt.

    In practice, this could mean that you can only import PEM files generated by PingFederate.

  • For PEM files, the private key must precede the certificates.

Key pair password requirements

For any key pair imported or exported from PingAccess, the key pair’s password must contain at least 14 characters.

Viewing FIPS mode status

You can view your environment’s FIPS mode status in the PingAccess admin console or audit log. To check your environment’s FIPS mode status:

In the admin console

Go to Account > About and review the System Information section.

In the audit log

Start PingAccess, then review the audit log for info-level entries. If FIPS mode is enabled, you should see an entry like the following:

INFO [] Fipsconfig - PingAccess is currently running in FIPS Mode.

Enter or exit FIPS mode

  • Entering FIPS mode

  • Exiting FIPS mode

Entering FIPS mode

Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms that the FIPS standard permits. If you’re running PingAccess in a clustered environment, you should perform this procedure on all nodes.

In this procedure, you can set specific security providers, TLS protocols, and TLS cipher suites that can be used. If any selections you make aren’t FIPS-compliant, then enabling FIPS mode can’t guarantee your environment is FIPS-compliant.

Steps

  1. Open the <PA Home>/conf/fips-mode.properties file or create a new one if it’s been removed.

    1. Set the pa.fips.mode property to true.

      Example:

      pa.fips.mode=true

    2. (Optional) Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the pa.fips.additionalAllowedProviders property.

      Example:

      pa.fips.additionalallowedproviders=X,Y

    3. (Optional) Add or remove allowed TLS protocols by editing the pa.fips.tls.protocols property to include a comma-separated list of valid TLS protocols.

      The default value is:

      pa.fips.tls.protocols = TLSv1.2

    4. (Optional) Add or remove allowed TLS cipher suites by editing the pa.fips.tls.ciphers property to include a comma-separated list of valid TLS cipher suites.

      The default value is:

      pa.fips.tls.ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
                      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
                      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
                      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
                      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
                      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

      Some of the default cipher suites might not be compatible with every JDK version that can be used with PingAccess. If a TLS cipher suite isn’t supported by the JDK version you’re using, PingAccess will log a warning in the pingaccess.log file when the cipher suite is invoked.

      PingAccess can ignore any flagged TLS cipher suites with no performance impact. To clear the warning message, you can remove the flagged suites from the pa.fips.tls.ciphers property.

    5. Save and close the <PA Home>/conf/fips-mode.properties file.

  2. If you’re running PingAccess as a Windows service, reconfigure the classpath for the libraries required for FIPS mode:

    1. Comment out the following line:

      set.default.BC_PATH=../../resource/bc/non-fips

    2. Uncomment the following line or set a BC_PATH environment variable to ../../resource/bc/fips:

      # set.default.BC_PATH=../../resource/bc/fips

    You can find more information in the <PA_HOME>/sbin/windows/PingAccessService.conf file’s inline comments.

  3. Restart PingAccess.

Exiting FIPS mode

Exit FIPS mode to allow the use of non-FIPS-compliant encryption. If you’re running PingAccess in a clustered environment, you should perform this procedure on all nodes.

Steps

  1. Open the <PA Home>/conf/fips-mode.properties file.

    1. Set the pa.fips.mode property to false.

      pa.fips.mode=false

    2. Save and close the <PA Home>/conf/fips-mode.properties file.

  2. If you’re running PingAccess as a Windows service, reconfigure the classpath for the libraries required for FIPS mode.

    1. Uncomment the following line:

      # set.default.BC_PATH=../../resource/bc/non-fips

    2. Comment out the following line, or the BC_PATH environment variable to ../../resource/bc/fips that you set, if applicable:

      set.default.BC_PATH=../../resource/bc/fips

    You can find more information in the <PA_HOME>/sbin/windows/PingAccessService.conf file’s inline comments.

  3. Restart PingAccess.