In Bouncy Castle FIPS mode, whenever PingFederate uses FIPS-approved algorithms, it uses the Bouncy Castle implementation of those algorithms. There are still a number of cases where PingFederate uses algorithms that are not FIPS-approved. For details on the contexts where PingFederate uses algorithms that are not FIPS-approved, contact customer support.
The integration of the Bouncy Castle FIPS provider supports two phases:
- Hybrid, to transition private keys from the default keystore to the Bouncy Castle keystore.
- Non-Hybrid, to start storing private keys only in the Bouncy Castle keystore.
Several properties in the <pf_install>/pingfederate/bin/run.properties file allow you to configure these phases as shown in the following table.
The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.