Setting up with Java 8 - PingFederate - 10.2

This procedure describes how to integrate PingFederate with the Bouncy Castle FIPS provider if you are running Java 8.

  1. Download the Bouncy Castle FIPS library bc-fips-1.0.2.jar file from
  2. Place the .jar file into your JRE; for example, JAVA_HOME/jre/lib/ext.
  3. Edit the JAVA_HOME/jre/lib/security/ file, and place the org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider line at the top of the list.
    $JAVA_HOME/jre/lib/security/ provider list:
  4. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Go to the <!--Crypto provider --> section.
    2. Update the class attribute value of the construct element for both the JCEManager and CertificateService service endpoints.
      <!-- Crypto provider -->
      <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
         <invoke-factory>
             <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
         </invoke-factory>
      </service-point>
      <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
         <invoke-factory model="autoreloadable">
             <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
         </invoke-factory>
      </service-point>
  5. Edit the <pf_install>/pingfederate/bin/ file.
    1. Change the org.bouncycastle.fips.approved_only property to false.
      Note: This version of PingFederate does not support the approved_only mode because in some cases PingFederate uses algorithms that are not FIPS-approved. For information about those cases, contact customer support.
    2. Change the pf.hsm.mode property to BCFIPS.
    3. If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
    4. If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or the local trust store.
      This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
  6. If you run PingFederate as a service on Windows, edit the <pf_install>/pingfederate/sbin/wrapper/PingFederateService.conf file, and remove or comment out the following line:
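
Added example, not part of the PingFederate documentation: a Python check for the edits in steps 3 and 4. It assumes the provider list uses the JDK's security.provider.N=<class> lines and that hivemodule.xml parses as well-formed XML; the function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
BCFIPS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
EXPECTED = {  # service-point id -> construct class named in step 4
    "JCEManager": "com.pingidentity.crypto.BCFIPSJCEManager",
    "CertificateService": "com.pingidentity.crypto.BCFIPSCertificateServiceImpl",
}

def check_provider_list(text):
    """Return the problems found in the security.provider.N entries (step 3)."""
    problems, seen = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)", line)
        if not m:
            continue  # comment or unrelated property
        n, cls = int(m.group(1)), m.group(2)
        if n in seen:
            problems.append(f"security.provider.{n} is defined twice")
        seen[n] = cls  # java.util.Properties keeps the last value of a key
    if seen.get(1) != BCFIPS:
        problems.append(f"security.provider.1 resolves to {seen.get(1)}")
    if sorted(seen) != list(range(1, len(seen) + 1)):
        # The JDK stops reading the list at the first missing number.
        problems.append("provider numbers are not contiguous from 1")
    return problems

def check_hivemodule(xml_text):
    """Return ids of service points whose construct class is not the BCFIPS one."""
    found = {}
    for sp in ET.fromstring(xml_text).iter("service-point"):
        construct = sp.find(".//construct")
        if construct is not None:
            found[sp.get("id")] = construct.get("class")
    return [sid for sid, cls in EXPECTED.items() if found.get(sid) != cls]

# Constructed sample: BC FIPS added at the top, old entries not renumbered.
NOT_RENUMBERED = f"""security.provider.1={BCFIPS}
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
"""
# Constructed sample: only one of the two service points was updated.
HALF_EDITED = """<module id="example" version="1.0.0">
<service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
<invoke-factory><construct class="com.pingidentity.crypto.BCFIPSJCEManager"/></invoke-factory>
</service-point>
<service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
<invoke-factory><construct class="example.OldCertificateService"/></invoke-factory>
</service-point></module>"""
print(check_provider_list(NOT_RENUMBERED), check_hivemodule(HALF_EDITED))
```

Both functions take the file contents as a string, so they can be run against copies of the edited files before PingFederate is restarted.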