Integrating with Bouncy Castle FIPS provider - PingFederate

Integrating with Bouncy Castle FIPS provider - PingFederate - 10.1

PingFederate Server

bundle

pingfederate-101

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.1

category

Product

pf-101

pingfederate

ContentType_ce

Page created: 12 May 2020 |

Page updated: 29 Mar 2022

| 1 min read

10.1 PingFederate Product User task Audience Deployment Method Content Type Software Product documentation Administrator Administration

In Bouncy Castle FIPS mode, whenever PingFederate uses FIPS-approved algorithms, it uses the Bouncy Castle implementation of those algorithms. There are still a number of cases where PingFederate uses algorithms that are not FIPS-approved. For details on the contexts where PingFederate uses algorithms that are not FIPS-approved, contact customer support.

The integration of Bouncy Castle FIPS provider supports two phases:

Hybrid to transition private keys from default keystore to the Bouncy Castle keystore.
Non-Hybrid to start storing private keys only in the Bouncy Castle keystore.

Several properties in the <pf_install>/pingfederate/bin/run.properties file allow you to configure these phases as shown in the following table.

Phase	Properties
Hybrid	`pf.hsm.mode=BCFIPS` `pf.hsm.hybrid=true`
Non-Hybrid	`pf.hsm.mode=BCFIPS` `pf.hsm.hybrid=false`

You can run either Java 8 or 11 when integrating with the BCFIPS provider. The setup steps are the same for both environments.

Important:

The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.