Ignition Cryptography Algorithms

Hello Ignition Support,

I’m investigating the possibility of deploying Ignition in a FIPS-certified environment. FIPS prohibits the use of certain cryptography algorithms, and it looks like Ignition by default may rely on one or more of these prohibited algorithms.

I have a server running RHEL 9.6 for aarch64 in FIPS mode. I’m attempting to deploy Ignition 8.3.0 for arm64. The installation succeeds; however, when I run ignition.sh start, I get a message that the gateway may not have started properly. wrapper.log shows the following stack trace:

INFO   | jvm 1    | 2025/10/02 15:35:18 | E [g.CompositeClassRejectListFilter] [15:35:18.905]: Error initializing secure random. 
INFO   | jvm 1    | 2025/10/02 15:35:18 | java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:387)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at com.inductiveautomation.ignition.common.util.SecureRandomProvider.<init>(SecureRandomProvider.java:45)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at com.inductiveautomation.ignition.common.util.SecureRandomProvider.initialize(SecureRandomProvider.java:27)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at com.inductiveautomation.ignition.gateway.IgnitionGateway.<init>(IgnitionGateway.java:560)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at com.inductiveautomation.ignition.gateway.IgnitionGateway.main(IgnitionGateway.java:307)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at com.inductiveautomation.catapult.Catapult.main(Catapult.java:8)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:349)
INFO   | jvm 1    | 2025/10/02 15:35:18 | 	at java.base/java.lang.Thread.run(Thread.java:840)

It looks like Ignition is using SHA1, which is not available in FIPS environments.

Is there any way for users to specify or supply cryptography algorithms for Ignition to use? Can you point me in the right direction?

Thank you!

Only to some degree. You can control the ciphers used by the web server implementation; see Web Server Settings | Ignition User Manual and Web Server Settings | Ignition User Manual.

There are other places where cryptography is used that you cannot influence.

You will not likely succeed in restricting all of Ignition to only FIPS-compliant cryptography.

It's not possible to provide a different algorithm here; our internal SecureRandomProvider class is hardcoded to reference Java's standard built-in SHA1PRNG algorithm constant:

You should contact our sales engineering department to outline your requirement, but as far as I can tell this is just impossible - the gateway won't start without that hardcoded provider being available.

@levi.transtrum - thank you for the feedback. We haven’t committed to FIPS 140 - validation or compliance for Ignition. We have hardened (and exposed configuration options for) user-facing and security-related areas. However, it’s probably worth a more broad crypto audit / FIPS assessment. I can’t think of good reasons to use deprecated functions unless absolutely needed for backward compatibility.

All this said, it sounds like you’re unlikely to be successful deploying Ignition in a FIPS certified environment until/unless IA invests in the same.

Thank you all very much for the quick and definitive response!
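
Added example, not part of the original thread and not Ignition code: a stand-alone Java diagnostic that lists the SecureRandom services the JVM exposes and checks whether the SecureRandom.getInstance("SHA1PRNG") lookup from the stack trace would succeed. The class name SecureRandomProbe is hypothetical, and the other names probed (DRBG, NativePRNG, PKCS11) are standard JDK algorithm names chosen here only for comparison.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Diagnostic (added example): which SecureRandom algorithms does this JVM offer? */
public class SecureRandomProbe {

    /** Lists every SecureRandom service as "provider/algorithm", in provider preference order. */
    static List<String> availableAlgorithms() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    found.add(p.getName() + "/" + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    /** True if SecureRandom.getInstance(name) succeeds, i.e. the call seen in the stack trace would not throw. */
    static boolean isAvailable(String name) {
        try {
            SecureRandom.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Registered SecureRandom services: " + availableAlgorithms());
        // SHA1PRNG is the name from the stack trace; the others are probed for comparison only.
        for (String name : new String[] {"SHA1PRNG", "DRBG", "NativePRNG", "PKCS11"}) {
            System.out.println(name + " available: " + isAvailable(name));
        }
        // The no-argument constructor takes the most-preferred provider's implementation,
        // so it does not depend on any fixed algorithm name being registered.
        SecureRandom rng = new SecureRandom();
        System.out.println("Default SecureRandom: " + rng.getAlgorithm()
                + " from " + rng.getProvider().getName());
    }
}
```

Run it with the same Java runtime and security configuration the gateway uses, so the provider list matches what the gateway sees at startup.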