---
title: FIPS 140–3 compliance with PingGateway
description: To achieve FIPS 140–3 compliance, configure the Bouncy Castle FIPS libraries with PingGateway. This enables the use of the Bouncy Castle FIPS keystore and security provider in FIPS-approved mode.
component: pinggateway
version: 2026
page_id: pinggateway:installation-guide:fips
canonical_url: https://docs.pingidentity.com/pinggateway/2026/installation-guide/fips.html
revdate: 2025-06-15T20:05:56Z
keywords: ["Bouncy Castle FIPS", "Security", "Setup & Configuration"]
section_ids:
  download-bouncy-castle-libraries: Download the Bouncy Castle libraries
  set-up-server-before-bouncy-castle: Add the libraries to PingGateway
  enable-bouncy-castle: Enable the Bouncy Castle FIPS provider
---

# FIPS 140–3 compliance with PingGateway

To achieve [FIPS 140–3](https://csrc.nist.gov/publications/detail/fips/140/3/final) compliance, configure the [Bouncy Castle FIPS libraries](https://www.bouncycastle.org/fips-java/) with PingGateway. This enables the use of the Bouncy Castle FIPS keystore and security provider in FIPS-approved mode.

Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140–3 security requirements is necessary for regulatory compliance. Bouncy Castle FIPS doesn't require use of an HSM through a PKCS#11 interface.

Bouncy Castle FIPS is less performant than other keystores. The destroyable keys can't be cached and must be read from the keystore with every use.

To configure PingGateway to use Bouncy Castle FIPS:

1. [Download the Bouncy Castle libraries](#download-bouncy-castle-libraries).

2. [Add the libraries to PingGateway](#set-up-server-before-bouncy-castle).

3. [Enable the Bouncy Castle FIPS provider](#enable-bouncy-castle).

## Download the Bouncy Castle libraries

Before you begin, download the [Bouncy Castle FIPS libraries](https://www.bouncycastle.org/fips-java/):

| File                            | Description                                         |
| ------------------------------- | --------------------------------------------------- |
| `bc-fips-latestVersion.jar`     | Bouncy Castle FIPS security provider implementation |
| `bcpkix-fips-latestVersion.jar` | PKI support                                         |
| `bctls-fips-latestVersion.jar`  | TLS support                                         |
| `bcutil-fips-latestVersion.jar` | ASN.1 utility classes                               |

Ping Identity supports PingGateway and its use of the Bouncy Castle libraries. Ping Identity doesn't support third-party libraries themselves.

## Add the libraries to PingGateway

1. Create an `extra` folder to hold additional `.jar` files:

   * Linux

     `$HOME/.openig/extra`

   * Windows

     `%appdata%\OpenIG\extra`

2. Copy the Bouncy Castle libraries you downloaded into the PingGateway `extra` folder.

3. Create Bouncy Castle FIPS format keystores or truststores from any PingGateway keystores or truststores.

   The following example command creates a BCFKS keystore from a PKCS12 `gateway-keystore` file, where the `gateway-keystore.pin` file holds the keystore password:

   ```console
   $ keytool \
   -importkeystore \
   -srckeystore /path/to/secrets/gateway-keystore \
   -srcstoretype PKCS12 \
   -srcstorepass:file /path/to/secrets/gateway-keystore.pin \
   -destkeystore /path/to/secrets/gateway-keystore.bcfks \
   -deststoretype BCFKS \
   -deststorepass:file /path/to/secrets/gateway-keystore.pin \
   -providerpath $HOME/.openig/extra/bc-fips-2.0.0.jar \
   -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
   -noprompt
   ```

   Make sure you do this for all your PingGateway keystore and truststore files.

## Enable the Bouncy Castle FIPS provider

Update the PingGateway Java settings to use Bouncy Castle FIPS support:

1. Copy the `$JAVA_HOME/conf/security/java.security` file into the PingGateway `$HOME/.openig` (Linux) or `%appdata%\OpenIG` (Windows) folder.

2. Update the `java.security` file you copied to use the Bouncy Castle FIPS provider:

   1. Replace the list of security providers with the following:

      ```properties
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      # If entropy in the system is too limited to use the default
      # deterministic random bits generator, try with C:HYBRID;ENABLE{All};
      #security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
      security.provider.3=SUN
      ```

   2. Update the default key manager factory algorithm:

      ```properties
      ssl.KeyManagerFactory.algorithm=PKIX
      ```

   3. Save your work.

3. Update the PingGateway [IG\_OPTS environment variable](envvar-sysprop.html) to use the Bouncy Castle FIPS provider:

   * Linux

     ```none
     export IG_OPTS="${IG_OPTS} -Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties=$HOME/.openig/java.security"
     ```

   * Windows

     ```none
     set "IG_OPTS=%IG_OPTS% -Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties=%appdata%\OpenIG\java.security"
     ```

4. Start PingGateway.

You have successfully configured PingGateway to use Bouncy Castle FIPS.
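
The checks below, added here as an example and not part of the PingGateway documentation or product, confirm on Linux that the copied `java.security` file and the `IG_OPTS` value match the steps above. The function names `prop` and `check_fips_config` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check the settings from the steps above before start-up.
# prop and check_fips_config are hypothetical helper names, not PingGateway tools.

# Print the value of the last uncommented "key=value" line (the last one wins in Java).
prop() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 |
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Usage: check_fips_config <java.security copy> <IG_OPTS value>
# Prints one line per problem; returns 0 only when none are found.
check_fips_config() {
  local file="$1" opts="$2" bad=0 p1 p2 kmf
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  p1=$(prop 'security\.provider\.1' "$file")
  p2=$(prop 'security\.provider\.2' "$file")
  kmf=$(prop 'ssl\.KeyManagerFactory\.algorithm' "$file")

  # Provider 1 may carry the optional "C:HYBRID;ENABLE{All};" argument.
  case "$p1 " in
    "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider "*) ;;
    *) echo "security.provider.1 is '$p1'"; bad=1 ;;
  esac
  [ "$p2" = "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS" ] ||
    { echo "security.provider.2 is '$p2'"; bad=1; }
  [ "$(prop 'security\.provider\.3' "$file")" = "SUN" ] ||
    { echo "security.provider.3 is not SUN"; bad=1; }
  # The steps replace the whole provider list, so entries past 3 are leftovers.
  if grep -Eq '^[[:space:]]*security\.provider\.([4-9]|[1-9][0-9]+)[[:space:]]*=' "$file"; then
    echo "providers beyond security.provider.3 are still listed"; bad=1
  fi
  [ "$kmf" = "PKIX" ] || { echo "ssl.KeyManagerFactory.algorithm is '$kmf'"; bad=1; }

  # Both JVM options must appear as whole words in IG_OPTS.
  case " $opts " in
    *" -Dorg.bouncycastle.fips.approved_only=true "*) ;;
    *) echo "IG_OPTS lacks -Dorg.bouncycastle.fips.approved_only=true"; bad=1 ;;
  esac
  case " $opts " in
    *" -Djava.security.properties=$file "*) ;;
    *) echo "IG_OPTS does not point java.security.properties at $file"; bad=1 ;;
  esac
  return "$bad"
}
```

Call it as `check_fips_config "$HOME/.openig/java.security" "$IG_OPTS"`; an exit status of 0 means every checked setting matched.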
