Integration with the Bouncy Castle FIPS (BCFIPS) provider supports two phases:

  • Hybrid, to transition private keys from the default keystore to the Bouncy Castle keystore.
  • Non-Hybrid, to start storing private keys only in the Bouncy Castle keystore.

Several properties in the <pf_install>/pingfederate/bin/ file allow you to configure these phases as shown in the following table.

Phase        Properties
Hybrid       pf.hsm.mode=BCFIPS
Non-Hybrid   pf.hsm.mode=BCFIPS

You can run either Java 8 or 11 when integrating with the BCFIPS provider. The setup steps are the same for both environments.

The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.