Bouncy Castle FIPS provider
In Bouncy Castle FIPS (BCFIPS) mode, PingFederate performs all of its cryptographic operations through the Bouncy Castle FIPS Java security provider, a FIPS 140-2 validated software cryptographic module. Operating in BCFIPS mode may be required when PingFederate runs as part of a FedRAMP-authorized cloud service.
Third-party libraries deployed into PingFederate, such as JDBC drivers, are not guaranteed to perform their own cryptography in a FIPS-compliant manner; the BCFIPS provider only covers calls that go through the Java security provider framework. When FIPS 140-2 compliance is a goal, confirm the FIPS status of any third-party library with its vendor before deploying it.
Plugins such as adapters and password credential validators need to be individually assessed for FIPS compliance. The FIPS status of a plugin is displayed in the Summary page inside its configuration. A warning is also logged on start-up for any configured plugins that are not FIPS-compliant or have not yet been assessed.
The BCFIPS provider integration has two phases:
- Hybrid: private keys are migrated from the default keystore to the Bouncy Castle (BCFKS) keystore while both remain readable.
- Non-Hybrid: private keys are stored only in the Bouncy Castle keystore.
Several properties in the <pf_install>/pingfederate/bin/run.properties file select these phases, as shown in the following table.
Phase | Properties
---|---
Hybrid |
Non-Hybrid |
You can run either Java 8 or 11 when integrating with the BCFIPS provider. The setup steps are the same for both environments.
The only way to switch PingFederate from BCFIPS mode back to non-BCFIPS mode is to roll it back using a configuration archive, so take an archive before enabling BCFIPS mode.
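The Hybrid phase above is defined by one operation: copying private keys out of the default keystore and into a Bouncy Castle FIPS keystore (type BCFKS) held by the BCFIPS provider. The following Java program is an added illustration of that migration using the public BCFIPS API; it is not PingFederate's own migration code, it does not know PingFederate's keystore locations (the paths and passwords are taken from the command line), and it assumes the bc-fips jar is on the classpath. The class name MigrateToBcfks is hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/**
 * Illustrative (hypothetical) migration of key entries from a PKCS12/JKS
 * keystore into a BCFKS keystore managed by the BCFIPS provider.
 *
 * Usage: java -cp bc-fips.jar:. MigrateToBcfks <src.p12> <srcPass> <dst.bcfks> <dstPass>
 */
public class MigrateToBcfks {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: MigrateToBcfks <src keystore> <src password> <dst bcfks> <dst password>");
            System.exit(2);
        }
        String srcPath = args[0];
        char[] srcPass = args[1].toCharArray();
        String dstPath = args[2];
        char[] dstPass = args[3].toCharArray();

        // Register the BCFIPS provider and put this thread into approved-only
        // mode, so any non-approved algorithm used while writing the BCFKS
        // store fails loudly instead of silently degrading compliance.
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("BCFIPS approved-only mode: " + CryptoServicesRegistrar.isInApprovedOnlyMode());

        // Source: the "default" keystore (PKCS12 here; use "JKS" for older stores).
        // Loading it uses the JDK's own provider; only the destination is BCFIPS.
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(srcPath)) {
            src.load(in, srcPass);
        }

        // Destination: an empty BCFKS keystore provided by BCFIPS.
        KeyStore dst = KeyStore.getInstance("BCFKS", "BCFIPS");
        dst.load(null, null);

        int migrated = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Private key plus its certificate chain; the key is re-protected
                // under the destination password inside the BCFKS store.
                Key key = src.getKey(alias, srcPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, dstPass, chain);
                migrated++;
            } else if (src.isCertificateEntry(alias)) {
                // Trusted certificates carry over unchanged.
                dst.setCertificateEntry(alias, src.getCertificate(alias));
                migrated++;
            }
        }

        try (FileOutputStream out = new FileOutputStream(dstPath)) {
            dst.store(out, dstPass);
        }

        // Re-open the result to confirm every alias is readable through BCFIPS.
        KeyStore check = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (FileInputStream in = new FileInputStream(dstPath)) {
            check.load(in, dstPass);
        }
        System.out.println("migrated " + migrated + " entries; BCFKS now holds " + check.size());
    }
}
```

Two design points carry over to a real deployment: approved-only mode is per thread in BCFIPS, so set it on every thread that touches the store, and the source keystore must stay available until the destination has been verified, which is exactly the window the Hybrid phase exists to cover.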
Bouncy Castle operational notes
When using the Bouncy Castle FIPS provider, some restrictions apply to PingFederate.
- As an OpenID Provider, PingFederate can sign ID tokens, JSON Web Tokens (JWTs) used for client authentication, and OpenID Connect request objects with either static or dynamically rotating keys. In the default configuration, dynamically rotating keys are short-lived and are held in memory, not in the BCFIPS keystore; only static keys can be stored in the keystore or HSM.
- PingFederate limits TLS cipher suites to those listed in the <pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.BCFIPSJCEManager.xml file.