In Bouncy Castle FIPS mode, all security-related cryptographic operations in PingFederate are handled by the Bouncy Castle FIPS security provider. Bouncy Castle FIPS is a FIPS 140-2 validated software cryptographic module. Operating in Bouncy Castle FIPS mode may be required if PingFederate is running as part of a FedRAMP-certified cloud service.
Third-party libraries deployed in PingFederate, such as JDBC drivers, are not guaranteed to operate in a FIPS-compliant fashion. When FIPS 140-2 compliance is a goal, you should confirm with the vendor before using any third-party libraries.
Plugins such as adapters and password credential validators need to be individually assessed for FIPS compliance. The FIPS status of a plugin is displayed on the Summary page of its configuration. A warning is also logged on start-up for any configured plugin that is not FIPS-compliant or has not yet been assessed.
The Bouncy Castle FIPS provider integration has two phases:
- Hybrid: private keys are transitioned from the default keystore to the Bouncy Castle keystore.
- Non-Hybrid: private keys are stored only in the Bouncy Castle keystore.
Several properties in the <pf_install>/pingfederate/bin/run.properties file allow you to configure these phases as shown in the following table.
Phase | Properties
---|---
Hybrid | pf.hsm.mode=BCFIPS
Non-Hybrid | pf.hsm.mode=BCFIPS
The only way to switch from BCFIPS mode back to non-BCFIPS mode is to roll back PingFederate with an archive.
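Because the switch to BCFIPS mode cannot be undone without rolling back from an archive, it is worth confirming what run.properties actually says before starting PingFederate. The following POSIX shell script is an added example, not Ping Identity's own tooling: it reads the effective value of pf.hsm.mode from a run.properties file and reports whether Bouncy Castle FIPS mode is configured. It assumes the Java .properties format (key=value or key:value, '#' or '!' comment lines, optional whitespace around the separator, last occurrence of a key wins), checks only pf.hsm.mode, and uses constructed sample files rather than a real installation.

```shell
#!/bin/sh
# Added example, not Ping Identity's tooling. Reports whether a run.properties
# file configures PingFederate for Bouncy Castle FIPS mode (pf.hsm.mode=BCFIPS).
# Assumes Java .properties format: key=value or key:value, '#'/'!' comment
# lines, optional whitespace around the separator, last occurrence wins.

# pf_prop FILE KEY: print the effective value of KEY (empty if unset).
pf_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n \
        -e 's/^[[:space:]]*//' \
        -e '/^[#!]/d' \
        -e 's/[[:space:]]*$//' \
        -e "s/^${key}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# pf_fips_status FILE: exit 0 = BCFIPS mode, 1 = another value, 2 = not set.
pf_fips_status() {
    mode=$(pf_prop "$1" pf.hsm.mode)
    case "$mode" in
        BCFIPS) echo "pf.hsm.mode=BCFIPS: Bouncy Castle FIPS provider in use"; return 0 ;;
        "")     echo "pf.hsm.mode not set: default (non-FIPS) provider"; return 2 ;;
        *)      echo "pf.hsm.mode=$mode: not Bouncy Castle FIPS mode"; return 1 ;;
    esac
}

# Constructed sample files (not real PingFederate output) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fips.properties" <<'EOF'
# constructed sample: FIPS mode on, with an older commented-out value above it
#pf.hsm.mode=OFF
pf.hsm.mode = BCFIPS
EOF
cat > "$SAMPLE_DIR/default.properties" <<'EOF'
# constructed sample: pf.hsm.mode never set
pf.log.dir=/tmp/logs
EOF

pf_fips_status "$SAMPLE_DIR/fips.properties" || :
pf_fips_status "$SAMPLE_DIR/default.properties" || :
```

Point pf_fips_status at the real <pf_install>/pingfederate/bin/run.properties to use it as a pre-flight check; the distinct exit codes let a deployment pipeline refuse to start a FedRAMP-scoped instance whose file does not carry pf.hsm.mode=BCFIPS.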