This procedure describes how to integrate PingFederate with the Bouncy Castle FIPS provider. It changes two files under <pf_install>: service-points.conf, which selects the crypto provider implementation, and run.properties, which sets the HSM mode.
- Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.
  - Go to the # Crypto provider services section.
  - Change the jce.manager and certificate.service service endpoints to the following:

        ...
        jce.manager=com.pingidentity.crypto.BCFIPSJCEManager
        ...
        certificate.service=com.pingidentity.crypto.BCFIPSCertificateServiceImpl
        ...

  Note: In clustered PingFederate environments, you must manually edit the service-points.conf file on each node, because cluster replication does not replicate this change to other nodes.
- Edit the <pf_install>/pingfederate/bin/run.properties file.
  - Change the pf.hsm.mode property to BCFIPS.
  - If you are setting up a new PingFederate installation, set the pf.hsm.hybrid property to false to store newly created or imported certificates on your HSM.
  - If you are configuring an existing PingFederate installation, set the pf.hsm.hybrid property to true for the flexibility to store each relevant key and certificate on either the HSM or the local trust store. This allows you to transition the storage of keys and certificates to your HSM without deploying a new PingFederate environment. For more information, see Transitioning to an HSM.
- On Linux systems, the Bouncy Castle FIPS-approved secure random number generator may drain a large amount of entropy during initial seeding. If available entropy becomes too low, the PingFederate server or the bundled command-line tools may stall on startup for long periods of time. You can check the kernel's pool size before starting with cat /proc/sys/kernel/random/entropy_avail. If startup stalls, you will likely need to integrate with a hardware random number generator or install an entropy-supplementing daemon such as rngd.
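The whole procedure, as an added shell example that is not part of the PingFederate documentation: it sets the four properties named in the steps above on one node, verifies them (useful on every node of a cluster, since service-points.conf is not replicated), and runs the entropy pre-flight for the Linux caveat. The function names, the sample install tree, the placeholder pre-change values, and the 256-bit entropy threshold are assumptions made for this script; only the file paths, property names and values come from the procedure.

```shell
#!/bin/sh
# Added example, not from the PingFederate documentation: apply the BCFIPS
# settings from the procedure above to one node and verify them. Only the
# file paths and property names given in the procedure are used; everything
# else (function names, the sample install tree, the entropy threshold) is
# an assumption made for this script.
set -eu

# Set key=value in a properties file, replacing an existing line or appending.
# Writes through a temp file instead of sed -i so it runs on GNU and BSD sed.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        esc=$(printf '%s' "$value" | sed 's/[&/]/\\&/g')   # escape for sed replacement
        sed "s/^${key}=.*/${key}=${esc}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Steps 1 and 2 of the procedure for one <pf_install>; hybrid is "false"
# for a new installation and "true" for an existing one.
apply_bcfips() {
    pf_install=$1; hybrid=$2
    sp="$pf_install/pingfederate/server/default/conf/service-points.conf"
    rp="$pf_install/pingfederate/bin/run.properties"
    set_prop "$sp" jce.manager com.pingidentity.crypto.BCFIPSJCEManager
    set_prop "$sp" certificate.service com.pingidentity.crypto.BCFIPSCertificateServiceImpl
    set_prop "$rp" pf.hsm.mode BCFIPS
    set_prop "$rp" pf.hsm.hybrid "$hybrid"
}

# Returns 0 only when all four lines are present exactly; run this on every
# cluster node, since replication does not carry service-points.conf across.
verify_bcfips() {
    pf_install=$1; hybrid=$2
    sp="$pf_install/pingfederate/server/default/conf/service-points.conf"
    rp="$pf_install/pingfederate/bin/run.properties"
    rc=0
    for want in \
        "$sp|jce.manager=com.pingidentity.crypto.BCFIPSJCEManager" \
        "$sp|certificate.service=com.pingidentity.crypto.BCFIPSCertificateServiceImpl" \
        "$rp|pf.hsm.mode=BCFIPS" \
        "$rp|pf.hsm.hybrid=$hybrid"
    do
        f=${want%%|*}; line=${want#*|}
        grep -qxF "$line" "$f" || { echo "missing in $f: $line"; rc=1; }
    done
    return "$rc"
}

# Pre-flight for the Linux entropy caveat: fail if the kernel pool is below
# the threshold (default 256 bits, an assumption, not a PingFederate figure).
entropy_ok() {
    min=${1:-256}
    pool=/proc/sys/kernel/random/entropy_avail
    [ -r "$pool" ] || { echo "no $pool; not Linux, skipping"; return 0; }
    avail=$(cat "$pool")
    echo "entropy_avail=$avail"
    [ "$avail" -ge "$min" ]
}

# Constructed sample install tree so the script runs stand-alone. The
# pre-change values are placeholders, not PingFederate's shipped defaults.
make_sample_install() {
    dir=$1
    mkdir -p "$dir/pingfederate/server/default/conf" "$dir/pingfederate/bin"
    cat > "$dir/pingfederate/server/default/conf/service-points.conf" <<'EOF'
# Crypto provider services
jce.manager=com.example.PlaceholderJCEManager
certificate.service=com.example.PlaceholderCertificateService
EOF
    printf 'pf.hsm.mode=OFF\n' > "$dir/pingfederate/bin/run.properties"
}

# Usage against the constructed tree (existing installation, so hybrid=true):
#   d=$(mktemp -d); make_sample_install "$d"
#   apply_bcfips "$d" true && verify_bcfips "$d" true && entropy_ok
```

Point apply_bcfips and verify_bcfips at the real <pf_install> on each node instead of the constructed tree; the sample run.properties deliberately lacks pf.hsm.hybrid so the append path is exercised, while service-points.conf exercises in-place replacement.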