Managing Federal Information Processing Standards (FIPS) mode
Federal Information Processing Standards (FIPS) mode ensures that PingAccess uses encryption algorithms that meet FIPS requirements.
When FIPS mode is enabled, PingAccess updates the security.providers list to use the Bouncy Castle FIPS (BCFIPS) provider and removes all unneeded security providers that are not FIPS-compliant.
Viewing your environment’s FIPS mode status
If FIPS mode is enabled, you can view your environment’s FIPS mode status in the administrative console or the audit log:
-
To view FIPS mode in the administrative console, go to Account → About and in the System Information section, find FIPS mode status.
-
To view FIPS mode in the audit log, review the audit log after starting PingAccess. If FIPS mode is enabled, an info-level entry indicates this status. For example:
INFO [] Fipsconfig - PingAccess is currently running in FIPS Mode.
Feature changes in FIPS mode
Some features of PingAccess operate differently or are unavailable in FIPS mode.
Certificate and private key format requirements:
-
In non-FIPS mode, PingAccess supports PKCS#12 and PEM-formatted certificates and private keys. It automatically detects which format was used.
-
In FIPS mode, PingAccess only supports PEM-formatted certificates and private keys. That is, key pairs can only be imported or exported using the PEM-encoded format. Only PBES2 and AES or Triple DES encryption are accepted and 128-bit salt is required. In practice, this could mean that you can only import PEM files generated by PingFederate.
-
For PEM files in FIPS mode, the private key must precede the certificates.
Password format requirements:
-
In FIPS mode, the password must contain at least 14 characters.
To manage FIPS mode, select a tab.
-
Enabling FIPS mode
-
Disabling FIPS mode
Enabling FIPS mode
About this task
Enable FIPS mode to ensure that PingAccess exclusively uses encryption algorithms permitted by the FIPS standard. If your environment is clustered, make sure to perform this procedure on all nodes.
|
In this procedure, you can manually specify security providers, TLS protocols, and TLS cipher suites that can be used. If your manual inclusions are not FIPS-compliant, your environment might not be FIPS-compliant even in FIPS mode. |
Steps
-
Open the
<PA Home>/conf/fips-mode.propertiesfile or create it if it’s been removed. -
Set the
pa.fips.modeproperty totrue.Example:
pa.fips.mode=true
-
(Optional) Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the
pa.fips.additionalAllowedProvidersproperty.Example:
pa.fips.additionalallowedproviders=X,Y
-
(Optional) Add or remove TLS protocols by editing the
pa.fips.tls.protocolsproperty to include a comma-separated list of valid TLS protocols.The default is:
pa.fips.tls.protocols = TLSv1.2
-
(Optional) Add or remove TLS cipher suites by editing the
pa.fips.tls.ciphersproperty to include a comma-separated list of valid TLS cipher suites.The default is:
pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \ TLS_AES_128_GCM_SHA256, \ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, \ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, \ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, \ TLS_EMPTY_RENEGOTIATION_INFO_SCSVSome of the default cipher suites aren’t supported by every JDK version that can be used with PingAccess. If a TLS cipher suite isn’t supported by the JDK version you’re using, PingAccess will log a warning in the
pingaccess.logfile when the cipher suite is invoked.PingAccess can ignore any flagged TLS cipher suites with no performance impact. To clear the warning message, you can remove the flagged suites from the
pa.fips.tls.ciphersproperty. -
Save and close the
<PA Home>/conf/fips-mode.propertiesfile. -
If you’re running PingAccess as a Windows service, reconfigure the classpath for the libraries required for FIPS mode:
-
Comment out the following line:
set.default.BC_PATH=../../resource/bc/non-fips
-
Uncomment the following line or set a
BC_PATHenvironment variable to../../resource/bc/fips:# set.default.BC_PATH=../../resource/bc/fips
Learn more in the inline comments in the
<PA_HOME>/sbin/windows/PingAccessService.conffile. -
-
Restart PingAccess.
Disabling FIPS Mode
About this task
Disable FIPS Mode to allow the use of non-FIPS compliant encryption. If your environment is clustered, perform this procedure on all nodes.
Steps
-
Open the
<PA Home>/conf/fips-mode.propertiesfile. -
Set the
pa.fips.modeproperty tofalse.pa.fips.mode=false
-
Save and close the
<PA Home>/conf/fips-mode.propertiesfile. -
If you’re running PingAccess as a windows service, reconfigure the classpath for the libraries required for FIPS mode:
-
Uncomment the following line:
# set.default.BC_PATH=../../resource/bc/non-fips
-
Comment out the following line or the
BC_PATHenvironment variable to../../resource/bc/fipsthat you set:set.default.BC_PATH=../../resource/bc/fips
Learn more in the inline comments in the
<PA_HOME>/sbin/windows/PingAccessService.conffile. -
-
Restart PingAccess.