Assign a key pair to a virtual host or HTTPS listener.
PingAccess listens for HTTPS requests on the Admin, Engine, and Agent ports in all deployments, and on the Config query port in clustered deployments. See the Clustering in PingAccess reference guide for a comprehensive overview of the steps necessary to set up a clustered environment.
A key pair must be assigned to each listener. By default, the listeners are configured for HTTPS and use pregenerated key pairs associated with localhost.
HTTPS Listener | Description |
---|---|
Admin | Listens for requests for the administrative user interface and the PingAccess REST APIs. |
Engine | Listens for HTTP or HTTPS requests that are proxied to target web servers associated with Sites. For more information, see Engine listeners. |
Agent | Listens for requests from PingAccess agents. |
Sideband | Listens for requests from sideband clients. |
Config query | Listens for requests for configuration information from replica administrative nodes and engine nodes in clustered deployments. |
If you configure a trusted certificate group for a virtual host, or configure an engine key pair to associate it with a virtual host, those settings are used instead of any applicable HTTPS listeners or engine listeners for the virtual host.
Cipher suite ordering for HTTPS listeners:
- PingAccess supports the use of a defined cipher suite order to ensure that the most secure cipher suites are used first, regardless of the client request. The cipher suite order is defined by the tls.default.cipherSuites property in the <PA_HOME>/conf/run.properties file.
- By default, new installations of PingAccess and environments upgraded to PingAccess 5.1 or later use this cipher suite ordering. To direct PingAccess to use the order provided by the client instead, use the PingAccess API /httpsListeners endpoint to set the useServerCipherSuiteOrder property to false.
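An added example, not part of the PingAccess documentation: a Python check that reads tls.default.cipherSuites from run.properties text and lists the HTTPS listeners whose useServerCipherSuiteOrder is false. The sample inputs are constructed, the JSON response shape is an assumption, and treating AEAD suites as the ones that belong first is this example's own heuristic for "most secure first".

```python
import json

# Constructed sample of <PA_HOME>/conf/run.properties (suite list is illustrative).
RUN_PROPERTIES = """\
# TLS settings
tls.default.cipherSuites=TLS_AES_256_GCM_SHA384,\\
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\\
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
# Constructed GET /httpsListeners response; the "items" wrapper and every field
# except useServerCipherSuiteOrder are assumptions about the response shape.
LISTENERS_JSON = """{"items": [
  {"id": 1, "name": "ADMIN", "useServerCipherSuiteOrder": true},
  {"id": 2, "name": "ENGINE", "useServerCipherSuiteOrder": false}]}"""

def read_property(text, key):
    """Return a Java .properties value, joining backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith(("#", "!"))):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]  # value continues on the next line
            continue
        name, sep, value = (buf + line).partition("=")
        buf = ""
        if sep and name.strip() == key:
            return value.strip()
    return None

def is_aead(suite):
    return any(tag in suite for tag in ("_GCM_", "CHACHA20_POLY1305", "_CCM"))

def misordered_suites(text):
    """Non-AEAD suites listed ahead of at least one AEAD suite."""
    value = read_property(text, "tls.default.cipherSuites") or ""
    suites = [s.strip() for s in value.split(",") if s.strip()]
    last_aead = max((i for i, s in enumerate(suites) if is_aead(s)), default=-1)
    return [s for s in suites[:last_aead + 1] if not is_aead(s)]

def client_ordered_listeners(response_text):
    """Names of listeners that defer to the client's cipher suite order."""
    items = json.loads(response_text).get("items", [])
    return [l["name"] for l in items if l.get("useServerCipherSuiteOrder") is False]

if __name__ == "__main__":
    print("misordered:", misordered_suites(RUN_PROPERTIES))
    print("client-ordered:", client_ordered_listeners(LISTENERS_JSON))
```

A listener reported by client_ordered_listeners negotiates in the client's preference order, so the ordering in run.properties does not decide which suite that listener selects.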
Assigning key pairs to virtual hosts
To assign a key pair to a virtual host:
Assigning key pairs to HTTPS listeners
To assign a new key pair for an active HTTPS listener: