If your environment is clustered, perform this procedure on all nodes.
Note: In this procedure, you can manually specify Security providers, TLS protocols, and TLS cipher suites that can be used. If your manual inclusions are not FIPS-compliant, your environment may not be FIPS-compliant even in FIPS mode.
  1. Open the <PA Home>/conf/fips-mode.properties file, or create it if it has been removed.
  2. Set the pa.fips.mode property to true.
  3. Optional: Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the pa.fips.additionalAllowedProviders property.
  4. Optional: Add or remove TLS protocols by editing the pa.fips.tls.protocols property to include a comma-separated list of valid TLS protocols.
    The default value is:
    pa.fips.tls.protocols = TLSv1.2
  5. Optional: Add or remove TLS cipher suites by editing the pa.fips.tls.ciphers property to include a comma-separated list of valid TLS cipher suites.
    The default value is:
    pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \
                          TLS_AES_128_GCM_SHA256, \
                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, \
  6. Save and close the file.
  7. Restart PingAccess.