Page created: 29 Jan 2021 |
Page updated: 22 Sep 2021
This procedure describes how to integrate PingFederate with Bouncy Castle FIPS provider when you are running either Java 8 or 11.
Go go the
<!--Crypto provider -->section.
Update the class attribute value of the construct element for both the
JCEManager and CertificateService service endpoint.
<!-- Crypto provider --> <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager"> <invoke-factory> ... <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/> </invoke-factory> </service-point> <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService"> <invoke-factory model="autoreloadable"> ... <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/> </invoke-factory> </service-point> ...
- Go go the
Change the pf.hsm.mode property to
If you are setting up a new PingFederate installation, set the value of
the pf.hsm.hybrid property to
falseto store newly created or imported certificates on your HSM.
If you are configuring an existing PingFederate installation, set the
pf.hsm.hybrid value to
truefor the flexibility to store each relevant key and certificate on the HSM or the local trust store.This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
- Change the pf.hsm.mode property to
- On Linux systems, the Bouncy Castle FIPS-approved secure random number generator may drain a large amount of entropy during initial seeding. If available entropy becomes too low, the PingFederate server or bundled command-line tools may stall on startup for long periods of time. If this occurs, then you will likely need to integrate with a hardware random number generator or install an entropy-supplementing daemon like rngd.