If your environment is clustered, perform this procedure on all nodes.
Note: In this procedure, you can manually specify the security providers, TLS protocols, and TLS cipher suites that can be used. If your manual inclusions are not FIPS-compliant, your environment may not be FIPS-compliant even in FIPS mode.
  1. Open the <PA Home>/conf/fips-mode.properties file, or create it if it has been removed.
  2. Set the pa.fips.mode property to true.
    pa.fips.mode=true
  3. Optional: Exempt one or more security providers from being excluded by FIPS mode by adding a comma-separated list of class names to the pa.fips.additionalAllowedProviders property.
    pa.fips.additionalAllowedProviders=X,Y
  4. Optional: Add or remove TLS protocols by editing the pa.fips.tls.protocols property to include a comma-separated list of valid TLS protocols.
    The default value is:
    pa.fips.tls.protocols = TLSv1.2
  5. Optional: Add or remove TLS cipher suites by editing the pa.fips.tls.ciphers property to include a comma-separated list of valid TLS cipher suites.
    The default value is:
    pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \
                          TLS_AES_128_GCM_SHA256, \
                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, \
                          TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \
                          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, \
                          TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
                          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, \
                          TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  6. Save and close the file.
  7. Restart PingAccess.
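
One way to review the saved file on each node before restarting, as an added example (not Ping Identity tooling and not part of the original procedure): it parses the properties text with a simplified parser and reports anything outside the property names and default values listed above. The function names, the sample content, and the rule that only the four keys named in this procedure are valid are assumptions.

```python
# Added example (not vendor tooling): audit fips-mode.properties text for review.
DEFAULTS = {
    "pa.fips.tls.protocols": {"TLSv1.2"},
    "pa.fips.tls.ciphers": {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"} | {  # step 5 list
        f"TLS_{kx}_WITH_AES_{bits}_{mode}_SHA{sha}"
        for kx in ("ECDHE_ECDSA", "ECDHE_RSA", "ECDH_ECDSA", "ECDH_RSA")
        for bits, sha in (("256", "384"), ("128", "256")) for mode in ("GCM", "CBC")},
}
# Assumption: only the four keys named in this procedure are treated as known.
KNOWN_KEYS = set(DEFAULTS) | {"pa.fips.mode", "pa.fips.additionalAllowedProviders"}

def parse_properties(text):
    """Simplified .properties parser: key=value, '\\' continuations, #/! comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        piece = raw.strip()
        if not pending and (not piece or piece[0] in "#!"):
            continue
        pending += piece
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def audit(text):
    """Return findings to review; empty when FIPS mode is on with defaults only."""
    props, findings = parse_properties(text), []
    findings += [f"unknown key: {k}" for k in props if k not in KNOWN_KEYS]
    if props.get("pa.fips.mode") != "true":
        findings.append("pa.fips.mode is not set to true")
    if props.get("pa.fips.additionalAllowedProviders"):
        findings.append("extra providers: " + props["pa.fips.additionalAllowedProviders"])
    for key, allowed in DEFAULTS.items():
        extra = {v.strip() for v in props.get(key, "").split(",")} - allowed - {""}
        findings += [f"{key}: non-default value {v}" for v in sorted(extra)]
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """# FIPS settings
pa.fips.Mode=true
pa.fips.additionalAllowedProviders=com.example.Provider
pa.fips.tls.protocols = TLSv1.2, TLSv1.1
pa.fips.tls.ciphers = TLS_AES_256_GCM_SHA384, \\
                      TLS_RSA_WITH_AES_128_CBC_SHA
"""
print("\n".join(audit(SAMPLE)))
```

A finding is a prompt to confirm that the provider, protocol or cipher suite is FIPS-compliant, as the note at the top of the procedure requires; it is not a compliance verdict.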