Setting up with Java 11 - PingFederate - 10.2

This procedure describes how to integrate PingFederate with the Bouncy Castle FIPS provider when you are running on Java 11.

  1. Download the Bouncy Castle FIPS library bc-fips-1.0.2.jar from https://www.bouncycastle.org/fips-java/ and verify the download against the checksum published for that release before you deploy it.
  2. Copy the .jar file into <pf_install>/pingfederate/lib.
  3. Edit the $JAVA_HOME/conf/security/java.security file and insert org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider as security.provider.1, renumbering the existing providers so that the list stays consecutive.
    Resulting $JAVA_HOME/conf/security/java.security provider list:
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=SUN
    security.provider.3=SunRsaSign
    security.provider.4=SunEC
    security.provider.5=SunJSSE
    security.provider.6=SunJCE
    security.provider.7=SunJGSS
    security.provider.8=SunSASL
    security.provider.9=XMLDSig
    security.provider.10=SunPCSC
    security.provider.11=JdkLDAP
    security.provider.12=JdkSASL
    security.provider.13=SunPKCS11
  4. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Go to the <!-- Crypto provider --> section.
    2. Update the class attribute of the construct element for both the JCEManager and the CertificateService service points, as shown:
      <!-- Crypto provider -->
      <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
         <invoke-factory>
          ...
             <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
         </invoke-factory>
      </service-point>
      
      <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
         <invoke-factory model="autoreloadable">
         ...
             <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
         </invoke-factory>
      </service-point>
      ...
  5. Edit the <pf_install>/pingfederate/bin/run.properties file.
    1. Change the org.bouncycastle.fips.approved_only property to false.
      Note: This version of PingFederate does not support the approved_only mode because in some cases PingFederate uses algorithms that are not FIPS-approved. For information about those cases, contact customer support.
    2. Change the pf.hsm.mode property to BCFIPS.
    3. If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
    4. If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or the local trust store.
      This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
    5. To restrict TLS key exchange to named groups that the Bouncy Castle FIPS provider supports (the NIST curves and the RFC 7919 finite-field DH groups listed below), add the following lines at the end of the file:
      jdk.tls.namedGroups=secp256r1, secp384r1, secp521r1, \
                          ffdhe2048, ffdhe3072, ffdhe4096, \
                          ffdhe6144, ffdhe8192
  6. Edit the <pf_install>/pingfederate/bin/run.sh or run.bat file (depending on your operating system).
    1. Add the following line:
      pf_fips="$PF_HOME/lib/bc-fips-1.0.2.jar"
    2. Set PF_BOOT_CLASSPATH to "$runjar:$pfrunjar:$jettystartjar:$pf_console_util:$xmlbeans:$pfxml:$pf_crypto_luna:$pf_fips".
  7. If you run PingFederate as a service on Windows, edit the <pf_install>/pingfederate/sbin/wrapper/PingFederateService.conf file.
    1. Add the following line to the list of wrapper.java.classpath entries, using the next unused index so that the numbered entries remain consecutive (adjust the index 10 if your file already has more entries):
      wrapper.java.classpath.10=../../lib/bc-fips-1.0.2.jar
    2. Remove or comment out the following line (its index may differ in your file):
      wrapper.java.additional.14=-Dorg.bouncycastle.fips.approved_only=true
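As an added check that is not part of the Ping Identity documentation, the following POSIX shell script verifies that each edit from steps 2 through 6 above is present in a PingFederate installation before you start the server. The paths, property names and class names are the ones given in the procedure; make_sample_install builds a constructed, minimal stand-in for an installation (with an empty placeholder jar) so the checker can be exercised offline. The Windows wrapper file from step 7 is not checked.

```shell
#!/bin/sh
# Added example (not part of the PingFederate documentation): verify that every edit in
# the Java 11 / BC FIPS procedure is present before starting PingFederate.
# check_bcfips_setup prints one line per check and returns 0 only if all of them pass.

BCFIPS_JAR="bc-fips-1.0.2.jar"
BCFIPS_PROVIDER="org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"

# prop_value FILE KEY: value of KEY in a properties file (last definition wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# check_bcfips_setup PF_INSTALL JAVA_HOME
check_bcfips_setup() {
    pf="$1"; jh="$2"; rc=0
    lib="$pf/pingfederate/lib"
    jsec="$jh/conf/security/java.security"
    hive="$pf/pingfederate/server/default/conf/META-INF/hivemodule.xml"
    props="$pf/pingfederate/bin/run.properties"
    runsh="$pf/pingfederate/bin/run.sh"

    # Step 2: the FIPS jar is in place.
    if [ -f "$lib/$BCFIPS_JAR" ]; then echo "ok   lib: $BCFIPS_JAR present"
    else echo "FAIL lib: $BCFIPS_JAR missing from $lib"; rc=1; fi

    # Step 3: BCFIPS is the first JCA provider, so it is consulted before SUN/SunJCE.
    if [ "$(prop_value "$jsec" security.provider.1)" = "$BCFIPS_PROVIDER" ]; then
        echo "ok   java.security: BCFIPS is security.provider.1"
    else echo "FAIL java.security: security.provider.1 is not $BCFIPS_PROVIDER"; rc=1; fi

    # Step 4: both HiveMind service points construct the BCFIPS implementations.
    for cls in com.pingidentity.crypto.BCFIPSJCEManager \
               com.pingidentity.crypto.BCFIPSCertificateServiceImpl; do
        if grep -q "<construct class=\"$cls\"" "$hive" 2>/dev/null; then echo "ok   hivemodule.xml: $cls"
        else echo "FAIL hivemodule.xml: no <construct> for $cls"; rc=1; fi
    done

    # Step 5: run.properties values.
    for kv in org.bouncycastle.fips.approved_only=false pf.hsm.mode=BCFIPS; do
        k=${kv%%=*}; want=${kv#*=}; got=$(prop_value "$props" "$k")
        if [ "$got" = "$want" ]; then echo "ok   run.properties: $k=$want"
        else echo "FAIL run.properties: $k is '$got', expected '$want'"; rc=1; fi
    done
    hybrid=$(prop_value "$props" pf.hsm.hybrid)
    case "$hybrid" in
        true|false) echo "ok   run.properties: pf.hsm.hybrid=$hybrid" ;;
        *) echo "FAIL run.properties: pf.hsm.hybrid must be true or false (got '$hybrid')"; rc=1 ;;
    esac
    if grep -q '^jdk\.tls\.namedGroups=' "$props" 2>/dev/null; then echo "ok   run.properties: jdk.tls.namedGroups set"
    else echo "FAIL run.properties: jdk.tls.namedGroups not set"; rc=1; fi

    # Step 6: run.sh defines pf_fips and appends it to PF_BOOT_CLASSPATH.
    if grep -q "pf_fips=.*$BCFIPS_JAR" "$runsh" 2>/dev/null &&
       grep -q 'PF_BOOT_CLASSPATH=.*\$pf_fips' "$runsh" 2>/dev/null; then
        echo "ok   run.sh: \$pf_fips is on PF_BOOT_CLASSPATH"
    else echo "FAIL run.sh: pf_fips not defined or not on PF_BOOT_CLASSPATH"; rc=1; fi
    return $rc
}

# make_sample_install PF_INSTALL JAVA_HOME: a constructed, minimal tree containing the
# edits from the procedure so the checker can be exercised offline. The jar is an empty
# placeholder; a real installation uses the jar downloaded in step 1.
make_sample_install() {
    pf="$1"; jh="$2"
    mkdir -p "$pf/pingfederate/lib" "$pf/pingfederate/bin" \
             "$pf/pingfederate/server/default/conf/META-INF" "$jh/conf/security"
    : > "$pf/pingfederate/lib/$BCFIPS_JAR"
    printf 'security.provider.1=%s\nsecurity.provider.2=SUN\n' "$BCFIPS_PROVIDER" \
        > "$jh/conf/security/java.security"
    cat > "$pf/pingfederate/server/default/conf/META-INF/hivemodule.xml" <<'EOF'
<construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
<construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
EOF
    cat > "$pf/pingfederate/bin/run.properties" <<'EOF'
org.bouncycastle.fips.approved_only=false
pf.hsm.mode=BCFIPS
pf.hsm.hybrid=false
jdk.tls.namedGroups=secp256r1, secp384r1, secp521r1, \
                    ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
EOF
    cat > "$pf/pingfederate/bin/run.sh" <<'EOF'
pf_fips="$PF_HOME/lib/bc-fips-1.0.2.jar"
PF_BOOT_CLASSPATH="$runjar:$pfrunjar:$jettystartjar:$pf_console_util:$xmlbeans:$pfxml:$pf_crypto_luna:$pf_fips"
EOF
}

# Usage on a real installation:  sh check_bcfips_setup.sh <pf_install> <java_home>
if [ "$#" -eq 2 ]; then check_bcfips_setup "$1" "$2"; fi
```

Run the script with the installation directory and JAVA_HOME as arguments; a non-zero exit status means at least one of the edits is missing, and the FAIL lines name the file and setting to revisit. The checks are deliberately textual (they do not load the JVM), so they catch a forgotten step but not a jar that fails to load; confirm the latter from the PingFederate server log on first startup.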