PingGateway 2025.3

FIPS 140-3 compliance

To achieve FIPS 140-3 compliance, configure the Bouncy Castle FIPS libraries with PingGateway. This enables the use of the Bouncy Castle FIPS keystore (BCFKS) and security provider in FIPS-approved mode.

Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-3 security requirements is necessary for regulatory compliance. Bouncy Castle FIPS doesn’t require use of an HSM through a PKCS#11 interface.

Bouncy Castle FIPS is less performant than other keystore types: destroyable keys can’t be cached and must be read from the keystore with every use.

To configure PingGateway to use Bouncy Castle FIPS:

Download the Bouncy Castle libraries

Before you begin, download the Bouncy Castle FIPS libraries:

File                           Description
bc-fips-latestVersion.jar      Bouncy Castle FIPS security provider implementation
bcpkix-fips-latestVersion.jar  PKI support
bctls-fips-latestVersion.jar   TLS support

Ping Identity supports PingGateway and its use of the Bouncy Castle libraries. Ping Identity doesn’t support third-party libraries themselves.

Add the libraries to PingGateway

  1. Create an extra folder to hold additional .jar files:

     Linux:   $HOME/.openig/extra
     Windows: %appdata%\OpenIG\extra

  2. Copy the Bouncy Castle libraries you downloaded into the PingGateway extra folder.

  3. Create Bouncy Castle FIPS format keystores or truststores from any PingGateway keystores or truststores.

    The following example command creates a BCFKS keystore from a PKCS12 gateway-keystore file, where the gateway-keystore.pin file holds the keystore password:

    $ keytool \
    -importkeystore \
    -srckeystore /path/to/secrets/gateway-keystore \
    -srcstoretype PKCS12 \
    -srcstorepass:file /path/to/secrets/gateway-keystore.pin \
    -destkeystore /path/to/secrets/gateway-keystore.bcfks \
    -deststoretype BCFKS \
    -deststorepass:file /path/to/secrets/gateway-keystore.pin \
    -providerpath $HOME/.openig/extra/bc-fips-2.0.0.jar \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -noprompt

    Make sure you do this for all your PingGateway keystore and truststore files.

Enable the Bouncy Castle FIPS provider

Update the PingGateway Java settings to use Bouncy Castle FIPS support:

  1. Copy the $JAVA_HOME/conf/security/java.security file into the PingGateway $HOME/.openig (Linux) or %appdata%\OpenIG (Windows) folder.

  2. Update the java.security file you copied to use the Bouncy Castle FIPS provider:

    1. Replace the list of security providers with the following:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      # If entropy in the system is too limited to use the default
      # deterministic random bits generator, try with C:HYBRID;ENABLE{All};
      #security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
      security.provider.3=SUN
    2. Update the default key manager factory algorithm:

      ssl.KeyManagerFactory.algorithm=PKIX
    3. Save your work.

  3. Update the PingGateway IG_OPTS environment variable to use the Bouncy Castle FIPS provider:

     Linux:

     export IG_OPTS="${IG_OPTS} -Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties=$HOME/.openig/java.security"

     Windows:

     set "IG_OPTS=%IG_OPTS% -Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties=%appdata%\OpenIG\java.security"

  4. Start PingGateway.

You have successfully configured PingGateway to use Bouncy Castle FIPS.
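To confirm that the settings above actually take effect in the JVM, the following check program is an added example (not part of the PingGateway or Bouncy Castle documentation). It assumes the hypothetical class name FipsCheck, that it is launched with the same -D options as IG_OPTS and the extra folder on the classpath, and that the .pin file holds the keystore password on a single line, as in the keytool example.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import org.bouncycastle.crypto.CryptoServicesRegistrar;

// Run with the same JVM options PingGateway gets from IG_OPTS, for example:
//   java -cp "$HOME/.openig/extra/*:." \
//        -Dorg.bouncycastle.fips.approved_only=true \
//        -Djava.security.properties=$HOME/.openig/java.security \
//        FipsCheck /path/to/secrets/gateway-keystore.bcfks /path/to/secrets/gateway-keystore.pin
public class FipsCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: FipsCheck <keystore.bcfks> <keystore.pin>");
            System.exit(2);
        }
        // 1. The edited java.security must put BCFIPS first and register BCJSSE.
        Provider[] providers = Security.getProviders();
        boolean bcfipsFirst = providers.length > 0 && "BCFIPS".equals(providers[0].getName());
        boolean bcjssePresent = Security.getProvider("BCJSSE") != null;
        System.out.println("first provider: " + (providers.length > 0 ? providers[0].getName() : "none"));

        // 2. -Dorg.bouncycastle.fips.approved_only=true must leave the provider in approved-only mode.
        boolean approvedOnly = CryptoServicesRegistrar.isInApprovedOnlyMode();
        System.out.println("approved-only mode: " + approvedOnly);

        // 3. The default KeyManagerFactory algorithm must be PKIX, as set in java.security.
        String kmf = KeyManagerFactory.getDefaultAlgorithm();
        System.out.println("default KeyManagerFactory algorithm: " + kmf);

        // 4. The converted keystore must open as BCFKS through the BCFIPS provider (constructed paths from args).
        char[] pin = new String(Files.readAllBytes(Path.of(args[1])), StandardCharsets.UTF_8).trim().toCharArray();
        KeyStore ks = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pin);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias: " + alias + (ks.isKeyEntry(alias) ? " (key)" : " (trusted cert)"));
        }

        boolean ok = bcfipsFirst && bcjssePresent && approvedOnly && "PKIX".equals(kmf);
        System.out.println(ok ? "FIPS configuration OK" : "FIPS configuration INCOMPLETE");
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit indicates that one of the provider list, approved-only mode, or key manager settings did not reach the JVM, typically because IG_OPTS or the java.security path is wrong.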