1. Download the Bouncy Castle FIPS library bc-fips-1.0.2.jar file from https://www.bouncycastle.org/fips-java/.
  2. Place the .jar file into your JRE; for example, JAVA_HOME/jre/lib/ext.
  3. Edit the JAVA_HOME/jre/lib/security/java.security file, and place the org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider line at the top of the list.
    $JAVA_HOME/jre/lib/security/java.security provider list:
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=sun.security.ec.SunEC
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC
    
  4. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Go go the <!--Crypto provider --> section.
    2. Update the class attribute value of the construct element for both the JCEManager and CertificateService service endpoint.
      <!-- Crypto provider -->
      <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
         <invoke-factory>
          ...
             <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
         </invoke-factory>
      </service-point>
      
      <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
         <invoke-factory model="autoreloadable">
         ...
             <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
         </invoke-factory>
      </service-point>
      ...
  5. Edit the <pf_install>/pingfederate/bin/run.properties file.
    1. Change the org.bouncycastle.fips.approved_only property to false.
      Note: This version of PingFederate does not support the approved_only mode because in some cases PingFederate uses algorithms that are not FIPS-approved. For information about those cases, contact customer support.
    2. Change the pf.hsm.mode property to BCFIPS.
    3. If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
    4. If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or the local trust store.
      This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
  6. If you run PingFederate as a service on Windows, edit the <pf_install>/pingfederate/sbin/wrapper/PingFederateService.conf file, and remove or comment out the following line:
    wrapper.java.additional.14=-Dorg.bouncycastle.fips.approved_only=true