Setting up with Java 8 or Java 11 - PingFederate - 10.3

PingFederate Server

bundle
pingfederate-103
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 10.3
category
Product
pf-103
pingfederate
ContentType_ce

This procedure describes how to integrate PingFederate with Bouncy Castle FIPS provider when you are running either Java 8 or 11.

  1. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Go go the <!--Crypto provider --> section.
    2. Update the class attribute value of the construct element for both the JCEManager and CertificateService service endpoint.
      <!-- Crypto provider -->
      <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
         <invoke-factory>
          ...
             <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
         </invoke-factory>
      </service-point>
      
      <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
         <invoke-factory model="autoreloadable">
         ...
             <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
         </invoke-factory>
      </service-point>
      ...
  2. Edit the <pf_install>/pingfederate/bin/run.properties file.
    1. Change the pf.hsm.mode property to BCFIPS.
    2. If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
    3. If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or the local trust store.
      This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
  3. On Linux systems, the Bouncy Castle FIPS-approved secure random number generator may drain a large amount of entropy during initial seeding. If available entropy becomes too low, the PingFederate server or bundled command-line tools may stall on startup for long periods of time. If this occurs, then you will likely need to integrate with a hardware random number generator or install an entropy-supplementing daemon like rngd.