When FIPS mode is enabled, PingAccess updates the security.providers list to use the Bouncy Castle FIPS (BCFIPS) provider and removes all unneeded security providers that are not FIPS-compliant.

If FIPS mode is enabled, you can view your environment's FIPS mode status in the administrative console or the audit log:

  • To view FIPS mode in the administrative console, go to Account > About and in the System Information section, find FIPS mode status.
  • To view FIPS mode in the audit log, review the audit log after starting PingAccess. If FIPS mode is enabled, an info-level entry indicates this status. For example:
    INFO [] Fipsconfig - PingAccess is currently running in FIPS Mode.

Some features of PingAccess operate differently or are unavailable in FIPS mode.

Certificate and private key format requirements:

  • In non-FIPS mode, PingAccess supports PKCS#12 and PEM-formatted certificates and private keys. It automatically detects which format was used.
  • In FIPS mode, PingAccess supports only PEM-formatted certificates and private keys. That is, key pairs can only be imported or exported using the PEM-encoded format. Only PBES2 and AES or Triple DES encryption are accepted, and a 128-bit salt is required. In practice, this could mean that you can only import PEM files generated by PingFederate.
  • For PEM files in FIPS mode, the private key must precede the certificates.

Password format requirements:

  • In FIPS mode, the password must contain at least 14 characters.
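
A pre-import check for the PEM and password rules listed above, as an added example that is not part of PingAccess or its documentation. It assumes the key is a PKCS#8 "ENCRYPTED PRIVATE KEY" block using PBKDF2 and that the 14-character rule applies to the password protecting that key; the function names are hypothetical.

```python
import base64, re  # added example; function names are hypothetical, not a PingAccess API

PBES2 = bytes.fromhex("2a864886f70d01050d")       # OID 1.2.840.113549.1.5.13
AES_ARC = bytes.fromhex("6086480165030401")       # OID arc 2.16.840.1.101.3.4.1 (AES modes)
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")  # OID 1.2.840.113549.3.7 (Triple DES)

def tlv(buf, off=0):
    """Read one DER element and return (tag, value, offset_after)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    return tag, buf[off:off + n], off + n

def children(value):  # split the content of a SEQUENCE into (tag, value) pairs
    out, off = [], 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        out.append((tag, val))
    return out

def check_key(der):
    """Check a PKCS#8 EncryptedPrivateKeyInfo: PBES2, 128-bit salt, AES or 3DES."""
    alg = children(children(tlv(der)[1])[0][1])  # [algorithm OID, parameters]
    if alg[0][1] != PBES2:
        return ["key encryption scheme is not PBES2"]
    kdf, enc = (children(v) for _, v in children(alg[1][1]))
    salt_tag, salt = children(kdf[1][1])[0]      # first field of PBKDF2-params
    problems = []
    if salt_tag != 0x04 or len(salt) != 16:
        problems.append("salt is not 128 bits")
    if not (enc[0][1].startswith(AES_ARC) or enc[0][1] == DES_EDE3_CBC):
        problems.append("cipher is not AES or Triple DES")
    return problems

def check_bundle(pem_text, password):
    """Return problems found; assumes `password` is the one protecting the key."""
    blocks = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    labels = [label for label, _ in blocks]
    problems = [] if len(password) >= 14 else ["password is shorter than 14 characters"]
    if not labels or labels[0] != "ENCRYPTED PRIVATE KEY":
        problems.append("first PEM block is not an encrypted PKCS#8 private key")
    else:
        try:
            problems += check_key(base64.b64decode(blocks[0][1]))
        except (IndexError, ValueError):
            problems.append("private key block is not well-formed DER")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no certificate follows the private key")
    return problems
```

An empty list from check_bundle means the file met every rule checked here; it does not decrypt the key or validate the certificates.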
