---
title: Integrating Bouncy Castle FIPS providers
description: This procedure describes how to integrate PingFederate with Bouncy Castle Federal Information Processing Standards (FIPS) provider.
component: pingfederate
version: 13.1
page_id: pingfederate:getting_started_with_pingfederate:pf_integrating_bouncy_castle_fips
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/getting_started_with_pingfederate/pf_integrating_bouncy_castle_fips.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: November 18, 2025
section_ids:
  steps: Steps
---

# Integrating Bouncy Castle FIPS providers

This procedure describes how to integrate PingFederate with the Bouncy Castle Federal Information Processing Standards (FIPS) provider.

## Steps

1. Edit the `<pf_install>/pingfederate/server/default/conf/service-points.conf` file.

   1. Go to the `# Crypto provider services` section.

   2. Set `jce.manager` to `com.pingidentity.crypto.BCFIPSJCEManager`.

   3. Set `certificate.service` to `com.pingidentity.crypto.BCFIPSCertificateServiceImpl`.

   In clustered PingFederate environments, you must manually edit the `service-points.conf` file on each node because cluster replication can't replicate this change to other nodes.

2. Edit the `<pf_install>/pingfederate/bin/run.properties` file.

   1. Change the `pf.hsm.mode` property to `BCFIPS`.

   2. If you are setting up a new PingFederate installation, set the value of the `pf.hsm.hybrid` property to `false` to store newly created or imported certificates on your HSM.

   3. If you are configuring an existing PingFederate installation, set the `pf.hsm.hybrid` value to `true` for the flexibility to store each relevant key and certificate on the HSM or the local trust store.

   This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see [Transitioning to an HSM](../administrators_reference_guide/pf_transition_to_hsm.html).

On Linux systems, the Bouncy Castle FIPS-approved secure random number generator can drain a large amount of entropy during initial seeding. If available entropy becomes too low, the PingFederate server or bundled command-line tools can stall on startup for long periods of time. If this occurs, then you will likely need to integrate with a hardware random number generator or install an entropy-supplementing daemon like `rngd`.
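A per-node check for the settings in the steps above, as an added example that is not part of the Ping Identity documentation. It assumes both files use `key=value` lines with `#` comments; the function names are hypothetical, and the first argument is your `<pf_install>/pingfederate` directory.

```shell
#!/bin/sh
# Added example (not vendor code). Run on every cluster node, because
# service-points.conf is not replicated between nodes.
# Usage: check_bcfips_node "<pf_install>/pingfederate" true|false

# Print the value of the last uncommented "key=value" line for a key.
# Assumption: properties-style syntax with '#' comment lines.
prop_value() {
    # $1 = file, $2 = key
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# Compare one property with its expected value; return 1 on mismatch.
expect_prop() {
    # $1 = file, $2 = key, $3 = expected value
    actual=$(prop_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2=$actual"
    else
        echo "FAIL  $2='$actual' (expected '$3') in $1"
        return 1
    fi
}

# $1 = <pf_install>/pingfederate, $2 = intended pf.hsm.hybrid value
check_bcfips_node() {
    sp="$1/server/default/conf/service-points.conf"
    rp="$1/bin/run.properties"
    rc=0
    expect_prop "$sp" jce.manager com.pingidentity.crypto.BCFIPSJCEManager || rc=1
    expect_prop "$sp" certificate.service com.pingidentity.crypto.BCFIPSCertificateServiceImpl || rc=1
    expect_prop "$rp" pf.hsm.mode BCFIPS || rc=1
    expect_prop "$rp" pf.hsm.hybrid "$2" || rc=1
    # Linux only: show the kernel entropy estimate, relevant to startup stalls.
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        echo "info  entropy_avail=$(cat /proc/sys/kernel/random/entropy_avail)"
    fi
    return $rc
}
```

Pass `false` as the second argument for a new installation and `true` for an existing one, matching the `pf.hsm.hybrid` guidance in step 2.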
