---
title: Bouncy Castle FIPS provider
description: In Bouncy Castle Federal Information Processing Standards (FIPS) mode, all security-related cryptographic operations in PingFederate are handled by the Bouncy Castle FIPS security provider. Bouncy Castle FIPS is a FIPS 140-2 validated software cryptographic module. Operating in Bouncy Castle FIPS mode might be required if PingFederate is running as part of a FedRAMP-certified cloud service.
component: pingfederate
version: 13.1
page_id: pingfederate:getting_started_with_pingfederate:pf_bouncy_castle_fips_provider
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/getting_started_with_pingfederate/pf_bouncy_castle_fips_provider.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: October 24, 2025
section_ids:
  bouncy-castle-operational-notes: Bouncy Castle operational notes
  bouncy-castle-upgrade-considerations: Bouncy Castle upgrade considerations
---

# Bouncy Castle FIPS provider

In Bouncy Castle Federal Information Processing Standards (FIPS) mode, all security-related cryptographic operations in PingFederate are handled by the Bouncy Castle FIPS security provider. Bouncy Castle FIPS is a FIPS 140-2 validated software cryptographic module. Operating in Bouncy Castle FIPS mode might be required if PingFederate is running as part of a FedRAMP-certified cloud service.

Third-party libraries deployed in PingFederate, such as JDBC drivers, aren't guaranteed to operate in a FIPS-compliant fashion. When FIPS 140-3 compliance is a goal, you should confirm with the vendor before using any third-party libraries.

Plugins such as adapters and password credential validators need to be individually assessed for FIPS compliance. The FIPS status of a plugin is displayed in the Summary page inside its configuration. A warning is also logged on start-up for any configured plugins that are not FIPS-compliant or have not yet been assessed.

The integration of Bouncy Castle FIPS provider supports two phases:

* **Hybrid** to transition private keys from the default keystore to the Bouncy Castle keystore.

* **Non-Hybrid** to start storing private keys only in the Bouncy Castle keystore.

Several properties in the `<pf_install>/pingfederate/bin/run.properties` file allow you to configure these phases as shown in the following table.

| Phase      | Properties                                   |
| ---------- | -------------------------------------------- |
| Hybrid     | `pf.hsm.mode=BCFIPS`, `pf.hsm.hybrid=true`   |
| Non-Hybrid | `pf.hsm.mode=BCFIPS`, `pf.hsm.hybrid=false`  |

**Note:** The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.

## Bouncy Castle operational notes

When using the Bouncy Castle FIPS provider, some restrictions apply to PingFederate.

* As an OpenID Provider, PingFederate can use static or dynamically rotating keys to sign ID tokens, JSON web tokens (JWTs) for client authentication, and OpenID Connect request objects. When dynamically rotating keys are used as part of the default configuration, the short-term keys are held in memory rather than in the BCFIPS key stores. Static keys can be stored in the HSM.

* PingFederate limits cipher suites to those listed in the `<pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.BCFIPSJCEManager.xml` file.

## Bouncy Castle upgrade considerations

If you're upgrading to FIPS 140-3, you might notice specific behavior changes due to the stricter requirements of the new standard.

By default, PingFederate runs in approved mode. This is controlled by the setting `pf.fips.allow.unapproved.algorithms` in `run.properties`, which is set to `false` by default.

When running in this approved mode, the following algorithms are no longer available for use:

* DES decryption

* RSA PKCS#1.5 encryption

* SHA-1 for signature generation
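The phase table above and the `pf.fips.allow.unapproved.algorithms` setting are both plain `run.properties` entries, so a deployment can be audited before start-up. The following is an added example, not PingFederate's own code: it parses a `run.properties` fragment in Java properties syntax, derives the Bouncy Castle FIPS phase from `pf.hsm.mode` and `pf.hsm.hybrid`, and reports whether unapproved algorithms have been re-enabled. The property names are the ones on this page; the sample file contents and the finding messages are constructed for the example.

```python
"""Audit PingFederate run.properties for Bouncy Castle FIPS settings.

Added example; not part of PingFederate. Only the three property names
(pf.hsm.mode, pf.hsm.hybrid, pf.fips.allow.unapproved.algorithms) come
from the documentation; everything else here is constructed.
"""
import re

# Java .properties line: key, optional '=' or ':' separator, value.
_PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse the subset of Java properties syntax used by run.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        # '#' and '!' both start comments in Java properties files.
        if not line or line[0] in "#!":
            continue
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def bcfips_phase(props):
    """Return 'hybrid', 'non-hybrid', or 'not-bcfips' per the phase table."""
    if props.get("pf.hsm.mode", "").upper() != "BCFIPS":
        return "not-bcfips"
    hybrid = props.get("pf.hsm.hybrid", "false").lower() == "true"
    return "hybrid" if hybrid else "non-hybrid"


def unapproved_algorithms_allowed(props):
    """True only if the operator explicitly set the property to true.

    The documented default is false, i.e. approved mode.
    """
    value = props.get("pf.fips.allow.unapproved.algorithms", "false")
    return value.lower() == "true"


def audit(text):
    """Summarise the FIPS posture of a run.properties fragment."""
    props = parse_properties(text)
    phase = bcfips_phase(props)
    unapproved = unapproved_algorithms_allowed(props)
    findings = []
    if phase == "not-bcfips":
        findings.append("pf.hsm.mode is not BCFIPS: crypto is not handled "
                        "by the Bouncy Castle FIPS provider")
    elif phase == "hybrid":
        findings.append("hybrid phase: private keys may still live in the "
                        "default keystore; plan the move to non-hybrid")
    if unapproved:
        findings.append("pf.fips.allow.unapproved.algorithms=true: DES "
                        "decryption, RSA PKCS#1.5 encryption and SHA-1 "
                        "signature generation remain available")
    return {"phase": phase, "unapproved_allowed": unapproved,
            "findings": findings}


# Constructed sample: a hybrid-phase deployment that has re-enabled
# unapproved algorithms, which an auditor would want flagged.
SAMPLE_RUN_PROPERTIES = """\
# constructed sample run.properties fragment
pf.hsm.mode=BCFIPS
pf.hsm.hybrid = true
pf.fips.allow.unapproved.algorithms: true
pf.other.setting=unrelated
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN_PROPERTIES)["findings"]:
        print("FINDING:", finding)
```

The parser accepts `=`, `:` and whitespace separators because all three are valid in Java properties files; a check that only matched `key=value` would silently miss a setting written as `key: value` and report the default instead.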

For more detail on these and other potential changes, see the [Bouncy Castle BC-FJA 2.0.0 Porting Guide](https://downloads.bouncycastle.org/fips-java/docs/BC-FJA%202.0.0%20Porting%20Guide.pdf).
