Page created: 12 May 2020 | Page updated: 29 Mar 2022
In Bouncy Castle FIPS mode, whenever PingFederate uses FIPS-approved algorithms, it uses the Bouncy Castle implementation of those algorithms. There are still a number of cases where PingFederate uses algorithms that are not FIPS-approved. For details on the contexts where PingFederate uses algorithms that are not FIPS-approved, contact customer support.
The integration of the Bouncy Castle FIPS provider supports two phases:
- Hybrid, to transition private keys from the default keystore to the Bouncy Castle keystore.
- Non-Hybrid, to start storing private keys only in the Bouncy Castle keystore.
Several properties in the <pf_install>/pingfederate/bin/run.properties file allow you to configure these phases as shown in the following table.
Phase | Properties |
---|---|
Hybrid | pf.hsm.mode=BCFIPS |
Non-Hybrid | pf.hsm.mode=BCFIPS |
You can run either Java 8 or 11 when integrating with the BCFIPS provider. The setup steps are the same for both environments.
Important:
The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.