PingFederate Server

Bouncy Castle FIPS provider

In Bouncy Castle FIPS mode, all security-related cryptographic operations in PingFederate are handled by the Bouncy Castle FIPS security provider. Bouncy Castle FIPS is a FIPS 140-2 validated software cryptographic module. Operating in Bouncy Castle FIPS mode may be required if PingFederate is running as part of a FedRAMP-certified cloud service.

Third-party libraries deployed in PingFederate, such as JDBC drivers, are not guaranteed to operate in a FIPS-compliant fashion. When FIPS 140-2 compliance is a goal, you should confirm with the vendor before using any third-party libraries.

Plugins such as adapters and password credential validators need to be individually assessed for FIPS compliance. The FIPS status of a plugin is displayed in the Summary page inside its configuration. A warning is also logged on start-up for any configured plugins that are not FIPS-compliant or have not yet been assessed.

The integration of Bouncy Castle FIPS provider supports two phases:

  • Hybrid to transition private keys from default keystore to the Bouncy Castle keystore.

  • Non-Hybrid to start storing private keys only in the Bouncy Castle keystore.

Several properties in the <pf_install>/pingfederate/bin/run.properties file allow you to configure these phases as shown in the following table.

Phase Properties

Hybrid

pf.hsm.mode=BCFIPS

pf.hsm.hybrid=true

Non-Hybrid

pf.hsm.mode=BCFIPS

pf.hsm.hybrid=false

You can run Java 17 when integrating with the BCFIPS provider.

The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.