Third-party libraries deployed in PingFederate, such as JDBC drivers, are not guaranteed to operate in a FIPS-compliant fashion. When FIPS 140-2 compliance is a goal, you should confirm with the vendor before using any third-party libraries.

Plugins such as adapters and password credential validators need to be individually assessed for FIPS compliance. The FIPS status of a plugin is displayed in the Summary page inside its configuration. A warning is also logged on start-up for any configured plugins that are not FIPS-compliant or have not yet been assessed.

The integration of BCFIPS provider supports two phases:

  • Hybrid to transition private keys from default keystore to the Bouncy Castle keystore.
  • Non-Hybrid to start storing private keys only in the Bouncy Castle keystore.

Several properties in the <pf_install>/pingfederate/bin/ file allow you to configure these phases as shown in the following table.

Phase Properties
Hybrid pf.hsm.mode=BCFIPS


Non-Hybrid pf.hsm.mode=BCFIPS


You can run either Java 8 or 11 when integrating with the BCFIPS provider. The setup steps are the same for both environments.

The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.