---
title: Managing Federal Information Processing Standards (FIPS) mode
description: Use Federal Information Processing Standards (FIPS) mode to ensure PingAccess uses encryption algorithms that meet FIPS requirements.
component: pingaccess
version: 9.1
page_id: pingaccess:configuring_and_customizing_pingaccess:pa_fips_mode
canonical_url: https://docs.pingidentity.com/pingaccess/9.1/configuring_and_customizing_pingaccess/pa_fips_mode.html
revdate: June 1, 2026
section_ids:
  fips-mode-requirements: FIPS mode requirements
  viewing-fips-mode-status: Viewing FIPS mode status
  enter-or-exit-fips-mode: Enter or exit FIPS mode
  entering-fips-mode: Entering FIPS mode
  steps: Steps
  example: Example:
  example-2: Example:
  exiting-fips-mode: Exiting FIPS mode
  steps-2: Steps
---

# Managing Federal Information Processing Standards (FIPS) mode

Use Federal Information Processing Standards (FIPS) mode to ensure PingAccess uses encryption algorithms that meet FIPS requirements.

|   |                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------- |
|   | The following features are unavailable in FIPS mode: SHA-1; PKCS#12 certificates and private keys. |

## FIPS mode requirements

To run PingAccess in FIPS mode, you must meet the following requirements:

* Certificate and private key format requirements

  PingAccess only supports PEM-formatted certificates and private keys, meaning you must:

  * Import or export key pairs using the PEM-encoded format.

  * Use the [PBES2](https://datatracker.ietf.org/doc/html/rfc8018#section-6.2) encryption scheme with AES or Triple DES encryption and a 128-bit salt.

    |   |                                                                                            |
    | - | ------------------------------------------------------------------------------------------ |
    |   | In practice, this could mean that you can only import PEM files generated by PingFederate. |

  * For PEM files, the private key must precede the certificates.

* Key pair password requirements

  For any key pair imported or exported from PingAccess, the key pair's password must contain at least 14 characters.
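
A pre-flight check for the requirements above, as an added example (not PingAccess code; `preflight` and `sample_pem` are hypothetical names). It assumes the key is a PKCS#8 `ENCRYPTED PRIVATE KEY` block that uses PBKDF2 and locates the RFC 8018 OIDs heuristically; the sample PEM is constructed and holds no real key.

```python
import base64
import re

# DER-encoded OIDs from RFC 8018: id-PBES2 and id-PBKDF2
PBES2_OID = bytes.fromhex("06092a864886f70d01050d")
PBKDF2_OID = bytes.fromhex("06092a864886f70d01050c")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def preflight(pem_text, password):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(password) < 14:
        problems.append("password has fewer than 14 characters")
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return problems + ["no PEM blocks found"]
    label, body = blocks[0]
    if not label.endswith("PRIVATE KEY"):
        return problems + ["private key does not precede the certificates"]
    if label != "ENCRYPTED PRIVATE KEY":
        return problems + [f"'{label}' is not a PKCS#8 encrypted key, so not PBES2"]
    der = base64.b64decode("".join(body.split()))
    if PBES2_OID not in der[:32]:  # heuristic: the scheme OID opens the structure
        return problems + ["key is not encrypted with PBES2"]
    i = der.find(PBKDF2_OID) + len(PBKDF2_OID)
    # PBKDF2-params is SEQUENCE { salt OCTET STRING, ... }; read the salt length
    if i < len(PBKDF2_OID) or der[i] != 0x30 or der[i + 2] != 0x04:
        problems.append("could not locate the PBKDF2 salt")
    elif der[i + 3] * 8 != 128:
        problems.append(f"salt is {der[i + 3] * 8} bits, not 128")
    return problems

def _tlv(tag, *parts):  # minimal DER encoder, short-form lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_pem(salt_len=16, key_first=True):
    """Constructed input: a well-formed PBES2 header around a dummy payload."""
    salt, rounds = _tlv(0x04, bytes(salt_len)), _tlv(0x02, b"\x08\x00")
    kdf = _tlv(0x30, PBKDF2_OID, _tlv(0x30, salt, rounds))
    aes128_cbc = bytes.fromhex("0609608648016503040102")
    enc = _tlv(0x30, aes128_cbc, _tlv(0x04, bytes(16)))
    der = _tlv(0x30, _tlv(0x30, PBES2_OID, _tlv(0x30, kdf, enc)), _tlv(0x04, bytes(16)))
    b64 = base64.b64encode(der).decode()
    key = f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
    cert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    return key + cert if key_first else cert + key

print(preflight(sample_pem(salt_len=8), "correct horse battery"))
```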

## Viewing FIPS mode status

You can view your environment's FIPS mode status in the PingAccess admin console or audit log. To check your environment's FIPS mode status:

* In the admin console

  Go to **Account > About** and review the **System Information** section.

* In the audit log

  Start PingAccess, then review the audit log for info-level entries. If FIPS mode is enabled, you should see an entry like the following:

  ```
  INFO [] Fipsconfig - PingAccess is currently running in FIPS Mode.
  ```

## Enter or exit FIPS mode

* Entering FIPS mode

* Exiting FIPS mode

## Entering FIPS mode

Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms that the FIPS standard permits. If you're running PingAccess in a clustered environment, you should perform this procedure on all nodes.

|   |                                                                                                                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | In this procedure, you can set specific security providers, TLS protocols, and TLS cipher suites that can be used. If any selections you make aren't FIPS-compliant, then enabling FIPS mode can't guarantee your environment is FIPS-compliant. |

### Steps

1. Open the `<PA Home>/conf/fips-mode.properties` file or create a new one if it's been removed.

   1. Set the `pa.fips.mode` property to `true`.

      #### Example:

      ```
      pa.fips.mode=true
      ```

   2. (Optional) Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the `pa.fips.additionalAllowedProviders` property.

      #### Example:

      ```
      pa.fips.additionalallowedproviders=X,Y
      ```

   3. (Optional) Add or remove allowed TLS protocols by editing the `pa.fips.tls.protocols` property to include a comma-separated list of valid TLS protocols.

      The default value is:

      ```
      pa.fips.tls.protocols = TLSv1.2
      ```

   4. (Optional) Add or remove allowed TLS cipher suites by editing the `pa.fips.tls.ciphers` property to include a comma-separated list of valid TLS cipher suites.

      The default value is:

      ```
      pa.fips.tls.ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
                            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      ```

      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | Some of the default cipher suites might not be compatible with every JDK version that can be used with PingAccess. If a TLS cipher suite isn't supported by the JDK version you're using, PingAccess will log a warning in the `pingaccess.log` file when the cipher suite is invoked. PingAccess can ignore any flagged TLS cipher suites with no performance impact. To clear the warning message, you can remove the flagged suites from the `pa.fips.tls.ciphers` property. |

   5. Save and close the `<PA Home>/conf/fips-mode.properties` file.

2. If you're [running PingAccess as a Windows service](../installing_and_uninstalling_pingaccess/pa_running_pa_as_a_service.html), reconfigure the classpath for the libraries required for FIPS mode:

   1. Comment out the following line:

      ```
      set.default.BC_PATH=../../resource/bc/non-fips
      ```

   2. Uncomment the following line or set a `BC_PATH` environment variable to `../../resource/bc/fips`:

      ```
      # set.default.BC_PATH=../../resource/bc/fips
      ```

   |   |                                                                                                              |
   | - | ------------------------------------------------------------------------------------------------------------ |
   |   | You can find more information in the `<PA_HOME>/sbin/windows/PingAccessService.conf` file's inline comments. |

3. Restart PingAccess.
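
An added example, not part of the PingAccess distribution, that audits a `fips-mode.properties` file against the defaults listed in the steps above and reports every setting that needs a manual FIPS-compliance review. `audit` and `parse_properties` are hypothetical names, the parser handles only `key=value` lines with backslash continuations, and the sample file is constructed.

```python
CIPHERS = {  # the eight default suites listed in the steps above
    f"TLS_ECDHE_{kx}_WITH_{c}"
    for kx in ("ECDSA", "RSA")
    for c in ("AES_256_GCM_SHA384", "AES_256_CBC_SHA384",
              "AES_128_GCM_SHA256", "AES_128_CBC_SHA256")
}
DEFAULTS = {"pa.fips.tls.protocols": {"TLSv1.2"}, "pa.fips.tls.ciphers": CIPHERS}

def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if "=" in line and not line.startswith(("#", "!")):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return the settings that deviate from the documented defaults."""
    props, findings = parse_properties(text), []
    if props.get("pa.fips.mode", "").lower() != "true":
        findings.append("pa.fips.mode is not true")
    for key, value in props.items():
        # The page shows this key in two casings, so match either one.
        if key.lower() == "pa.fips.additionalallowedproviders" and value:
            findings.append(f"providers exempted from FIPS exclusion: {value}")
    for key, defaults in DEFAULTS.items():
        listed = {v.strip() for v in props.get(key, "").split(",")}
        extra = sorted(listed - defaults - {""})
        if extra:
            findings.append(f"{key} adds non-default values: {', '.join(extra)}")
    return findings

# Constructed sample file; the provider class name is a placeholder.
SAMPLE = r"""
pa.fips.mode=true
pa.fips.additionalallowedproviders=com.example.Provider
pa.fips.tls.protocols = TLSv1.2, TLSv1.1
pa.fips.tls.ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                      TLS_RSA_WITH_AES_128_CBC_SHA
"""
print("\n".join(audit(SAMPLE)))
```

A finding means the value needs review against your FIPS requirements, not that it is necessarily non-compliant. In a cluster, run the audit against each node's file.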

## Exiting FIPS mode

Exit FIPS mode to allow the use of non-FIPS-compliant encryption. If you're running PingAccess in a clustered environment, you should perform this procedure on all nodes.

### Steps

1. Open the `<PA Home>/conf/fips-mode.properties` file.

   1. Set the `pa.fips.mode` property to `false`.

      ```
      pa.fips.mode=false
      ```

   2. Save and close the `<PA Home>/conf/fips-mode.properties` file.

2. If you're [running PingAccess as a Windows service](../installing_and_uninstalling_pingaccess/pa_running_pa_as_a_service.html), reconfigure the classpath for the libraries required for FIPS mode.

   1. Uncomment the following line:

      ```
      # set.default.BC_PATH=../../resource/bc/non-fips
      ```

   2. Comment out the following line, or unset the `BC_PATH` environment variable if you set it to `../../resource/bc/fips`:

      ```
      set.default.BC_PATH=../../resource/bc/fips
      ```

   |   |                                                                                                              |
   | - | ------------------------------------------------------------------------------------------------------------ |
   |   | You can find more information in the `<PA_HOME>/sbin/windows/PingAccessService.conf` file's inline comments. |

3. Restart PingAccess.
