Page created: 15 Jul 2020 | Page updated: 8 Jul 2021
Product: PingFederate 10.2
This procedure describes how to integrate PingFederate with the Bouncy Castle FIPS provider when you are running Java 8.
- Download the Bouncy Castle FIPS library bc-fips-1.0.2.jar file from https://www.bouncycastle.org/fips-java/.
- Place the .jar file into your JRE; for example, JAVA_HOME/jre/lib/ext.
- Edit the JAVA_HOME/jre/lib/security/java.security file, place the org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider line at the top of the list, and renumber the existing entries so the numbering stays contiguous, as in the following $JAVA_HOME/jre/lib/security/java.security provider list:
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=sun.security.ec.SunEC
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC
- Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
- Go to the <!-- Crypto provider --> section.
- Update the class attribute value of the construct element for both the JCEManager and CertificateService service endpoints:
    <!-- Crypto provider -->
    <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
        <invoke-factory>
            ...
            <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
        </invoke-factory>
    </service-point>
    <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
        <invoke-factory model="autoreloadable">
            ...
            <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
        </invoke-factory>
    </service-point>
    ...
- Edit the <pf_install>/pingfederate/bin/run.properties file.
- Change the org.bouncycastle.fips.approved_only property to false.
  Note: This version of PingFederate does not support the approved_only mode because in some cases PingFederate uses algorithms that are not FIPS-approved. For information about those cases, contact customer support.
- Change the pf.hsm.mode property to BCFIPS.
- If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
- If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or in the local trust store. This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
- If you run PingFederate as a service on Windows, edit the <pf_install>/pingfederate/sbin/wrapper/PingFederateService.conf file, and remove or comment out the following line:
    wrapper.java.additional.14=-Dorg.bouncycastle.fips.approved_only=true
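As an added check that is not part of Ping Identity's documentation, the following Python script validates the four edited files against the steps above before PingFederate is restarted. It assumes each file has been read into a string; parse_properties and check_fips_setup are names chosen here, the hivemodule.xml check is a plain regex over the service-point elements rather than a full XML parse, and the sample run.properties and wrapper lines at the bottom are constructed.

```python
import re

BCFIPS_PROVIDER = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
HIVE_CLASSES = {"JCEManager": "com.pingidentity.crypto.BCFIPSJCEManager",
                "CertificateService": "com.pingidentity.crypto.BCFIPSCertificateServiceImpl"}
APPROVED_ONLY_FLAG = "-Dorg.bouncycastle.fips.approved_only=true"

def parse_properties(text):
    """Parse key=value lines (java.security, run.properties, wrapper .conf); '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_fips_setup(java_security, hivemodule, run_properties, wrapper_conf=None):
    """Return findings for the procedure above; an empty list means every step is reflected."""
    findings = []
    sec = parse_properties(java_security)
    if sec.get("security.provider.1") != BCFIPS_PROVIDER:
        findings.append("java.security: security.provider.1 is not the BC FIPS provider")
    # Java 8 reads security.provider.N in order and stops at the first gap, so numbering must stay contiguous
    nums = sorted(int(k.rsplit(".", 1)[1]) for k in sec if k.startswith("security.provider."))
    if nums != list(range(1, len(nums) + 1)):
        findings.append("java.security: provider numbering has a gap")
    for sid, cls in HIVE_CLASSES.items():  # regex over hivemodule.xml rather than a full XML parse
        block = re.search(r'<service-point id="%s".*?</service-point>' % sid, hivemodule, re.S)
        if not block or ('<construct class="%s"' % cls) not in block.group(0):
            findings.append("hivemodule.xml: %s does not construct %s" % (sid, cls))
    run = parse_properties(run_properties)
    if run.get("org.bouncycastle.fips.approved_only") != "false":
        findings.append("run.properties: org.bouncycastle.fips.approved_only must be false")
    if run.get("pf.hsm.mode") != "BCFIPS":
        findings.append("run.properties: pf.hsm.mode must be BCFIPS")
    if run.get("pf.hsm.hybrid") not in ("true", "false"):
        findings.append("run.properties: pf.hsm.hybrid must be true or false")
    if wrapper_conf is not None:  # only relevant when PingFederate runs as a Windows service
        leftover = [k for k, v in parse_properties(wrapper_conf).items()
                    if k.startswith("wrapper.java.additional.") and v == APPROVED_ONLY_FLAG]
        if leftover:
            findings.append("PingFederateService.conf: remove %s" % ", ".join(leftover))
    return findings

# Constructed sample: run.properties still at defaults and the wrapper flag still present
SAMPLE_RUN = "pf.hsm.mode=OFF\npf.hsm.hybrid=false\norg.bouncycastle.fips.approved_only=true\n"
SAMPLE_WRAPPER = "wrapper.java.additional.14=-Dorg.bouncycastle.fips.approved_only=true\n"
```

Run it against the real files with each one read via open(...).read(); any non-empty result lists the steps that are still missing.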