This procedure describes how to integrate PingFederate with the Bouncy Castle FIPS provider when you are running either Java 8 or Java 11.

- Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
- Go to the <!-- Crypto provider --> section.
- Update the class attribute value of the construct element for both the JCEManager and CertificateService service points:
    <!-- Crypto provider -->
    <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
      <invoke-factory>
        ...
        <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
      </invoke-factory>
    </service-point>
    <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
      <invoke-factory model="autoreloadable">
        ...
        <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
      </invoke-factory>
    </service-point>
    ...
- Edit the <pf_install>/pingfederate/bin/run.properties file.
- Change the pf.hsm.mode property to BCFIPS.
- If you are setting up a new PingFederate installation, set the value of the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
- If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid value to true for the flexibility to store each relevant key and certificate on the HSM or the local trust store. This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
- On Linux systems, the Bouncy Castle FIPS-approved secure random number generator may drain a large amount of entropy during initial seeding. If available entropy becomes too low, the PingFederate server or bundled command-line tools may stall on startup for long periods of time. If this occurs, you will likely need to integrate with a hardware random number generator or install an entropy-supplementing daemon such as rngd.
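As an added example (not part of the PingFederate documentation or product), the following POSIX shell script audits an installation for the settings described in the steps above: it reads the construct class of each service point from hivemodule.xml, reads pf.hsm.mode and pf.hsm.hybrid from run.properties, and reports the kernel's available entropy on Linux so a slow startup can be correlated with a low value. The sample files it writes are constructed excerpts, the <module> root element in the sample and the PF_INSTALL variable are assumptions; set PF_INSTALL to a real <pf_install> directory to audit that installation instead of the sample.

```shell
#!/bin/sh
# Added example: audit a PingFederate install for the BCFIPS integration settings.
# Not PingFederate's own tooling. Paths follow the documented locations:
#   <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml
#   <pf_install>/pingfederate/bin/run.properties

# Print the construct class of one HiveMind service point ($1 = id, $2 = hivemodule.xml).
construct_class() {
  awk -v id="$1" '
    /<service-point / && index($0, "id=\"" id "\"") { inblock = 1 }
    inblock && /<construct / {
      if (match($0, /class="[^"]*"/)) { print substr($0, RSTART + 7, RLENGTH - 8); exit }
    }
    /<\/service-point>/ { inblock = 0 }
  ' "$2"
}

# Print the value of a property ($1 = key, $2 = run.properties); the last definition wins.
prop_value() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots so they match literally
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Linux only: print the kernel's available entropy estimate, or "n/a" elsewhere.
# What counts as "low" depends on the kernel version; the value is reported, not judged.
entropy_avail() {
  if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    cat /proc/sys/kernel/random/entropy_avail
  else
    echo n/a
  fi
}

# Check all documented settings under $1 = <pf_install>; returns 0 when everything passes.
audit_bcfips() {
  hive="$1/pingfederate/server/default/conf/META-INF/hivemodule.xml"
  props="$1/pingfederate/bin/run.properties"
  rc=0
  jce=$(construct_class JCEManager "$hive")
  cert=$(construct_class CertificateService "$hive")
  mode=$(prop_value pf.hsm.mode "$props")
  hybrid=$(prop_value pf.hsm.hybrid "$props")
  [ "$jce" = "com.pingidentity.crypto.BCFIPSJCEManager" ] ||
    { echo "FAIL JCEManager construct class: ${jce:-<none>}"; rc=1; }
  [ "$cert" = "com.pingidentity.crypto.BCFIPSCertificateServiceImpl" ] ||
    { echo "FAIL CertificateService construct class: ${cert:-<none>}"; rc=1; }
  [ "$mode" = "BCFIPS" ] ||
    { echo "FAIL pf.hsm.mode is '${mode:-<unset>}', expected BCFIPS"; rc=1; }
  case "$hybrid" in
    true|false) ;;   # false: new install, keys on the HSM; true: existing install in transition
    *) echo "FAIL pf.hsm.hybrid is '${hybrid:-<unset>}', expected true or false"; rc=1 ;;
  esac
  return $rc
}

# Write a constructed sample install under $1 (assumption: a minimal <module> root element).
make_sample_install() {
  mkdir -p "$1/pingfederate/server/default/conf/META-INF" "$1/pingfederate/bin"
  cat > "$1/pingfederate/server/default/conf/META-INF/hivemodule.xml" <<'EOF'
<module>
  <!-- Crypto provider -->
  <service-point id="JCEManager" interface="com.pingidentity.crypto.JCEManager">
    <invoke-factory>
      <construct class="com.pingidentity.crypto.BCFIPSJCEManager"/>
    </invoke-factory>
  </service-point>
  <service-point id="CertificateService" interface="com.pingidentity.crypto.CertificateService">
    <invoke-factory model="autoreloadable">
      <construct class="com.pingidentity.crypto.BCFIPSCertificateServiceImpl"/>
    </invoke-factory>
  </service-point>
</module>
EOF
  cat > "$1/pingfederate/bin/run.properties" <<'EOF'
# constructed sample, not a real run.properties
pf.hsm.mode=BCFIPS
pf.hsm.hybrid=true
EOF
}

# Audit PF_INSTALL if set (assumed variable), otherwise a constructed sample in a temp dir.
if [ -n "$PF_INSTALL" ]; then
  target="$PF_INSTALL"
else
  target=$(mktemp -d)
  make_sample_install "$target"
fi
if audit_bcfips "$target"; then echo "PASS: BCFIPS settings present in $target"; fi
echo "kernel entropy_avail: $(entropy_avail)"
```

Run it once before restarting PingFederate: a FAIL line names the file and value to fix, and the entropy line gives a baseline to compare against if startup later stalls on the Bouncy Castle seeding described above.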