Managing cipher suites
You can enable, disable, and re-order cipher suites in PingFederate.
About this task
The SSL/TLS server-client handshake involves negotiating cipher suites to use for encryption and decryption on each side of a secured transaction. You can find cipher suites in the following configuration files:
- com.pingidentity.crypto.SunJCEManager.xml
- com.pingidentity.crypto.AWSCloudHSMJCEManager.xml
- com.pingidentity.crypto.LunaJCEManager.xml
- com.pingidentity.crypto.NcipherJCEManager.xml
- com.pingidentity.crypto.BCFIPSJCEManager.xml
These cipher-suite configuration files are located in the <pf_install>/server/default/data/config-store directory. In these files, the weaker cipher suites are commented out. To ensure the most secure transactions, retain this cipher-suite configuration.
Because of the import restrictions of some countries, Oracle Server Java SE Runtime Environment (JRE) 8 has built-in restrictions on available cryptographic strength (key size). To use larger key sizes, enable the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy. For more information, see the Java 8 release notes in Oracle's documentation. For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide in Oracle's documentation.
Starting with PingFederate 9.1, new installations select cipher suites based on the order in which they are listed in the cipher-suite configuration file. For upgraded installations, you can enable the same selection mechanism by following the steps below.
Steps
- To enable, disable, or re-order cipher suites, follow these steps.
  - Edit the applicable cipher-suite configuration file.
  - Save your changes.
  - Restart PingFederate.
  For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.
  - For each engine node, restart PingFederate to load the changes made in the cipher-suite configuration file after the configuration is replicated.
- To enable cipher-suite selection based on listing order after an upgrade, follow these steps.
  - Create a new text file with the following content.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="prefer-server-cipher-suites">true</c:item>
    </c:config>

  - Save this file as cipher-suite-settings.xml in the <pf_install>/pingfederate/server/default/data/config-store directory.
  - Restart PingFederate.
  For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.
  - For each engine node, restart PingFederate to load the changes made in the cipher-suite-settings.xml file after the configuration is replicated.
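After the restart, you can confirm that the server really honours its own cipher-suite order rather than the client's. The following Python probe is an added example, not part of the PingFederate documentation or product: it offers the same TLS 1.2 suites to the server in forward and reverse order and compares what is negotiated. The Java-to-OpenSSL name mapping covers only four common suites (extend it for your configuration), and the host and port in the usage line are assumptions.

```python
import socket
import ssl

# Java (IANA) suite names as written in the cipher-suite configuration files, mapped to the
# OpenSSL names that Python's ssl module expects. Constructed subset; extend as needed.
JAVA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
}

def negotiated_cipher(host, port, offered, timeout=5.0):
    """Offer exactly `offered` (OpenSSL names, in that order) over TLS 1.2 and return the
    suite the server picks, or None if no handshake completes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() only governs TLS 1.2 and earlier, so pin the probe to TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Only cipher selection is inspected here; certificate trust is not evaluated,
    # so this context must not be reused for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(":".join(offered))
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None

def preference_verdict(supported, forward_pick, reverse_pick):
    """Decision logic only. `supported` is the server-accepted subset of the offered suites in
    configured order; the picks come from offering that subset forwards and reversed."""
    if len(supported) < 2 or forward_pick is None or reverse_pick is None:
        return "inconclusive"   # with fewer than two common suites the order cannot be observed
    if forward_pick == reverse_pick:
        return "server-order"   # client order ignored: prefer-server-cipher-suites is in effect
    if forward_pick == supported[0] and reverse_pick == supported[-1]:
        return "client-order"   # server followed the client's first preference
    return "inconsistent"

def check_server_preference(host, port, java_suites):
    """Probe host:port with the configured Java suite names; return (verdict, supported)."""
    offered = [JAVA_TO_OPENSSL[name] for name in java_suites]
    supported = [s for s in offered if negotiated_cipher(host, port, [s]) == s]
    if len(supported) < 2:
        return preference_verdict(supported, None, None), supported
    forward = negotiated_cipher(host, port, supported)
    reverse = negotiated_cipher(host, port, supported[::-1])
    return preference_verdict(supported, forward, reverse), supported

if __name__ == "__main__":
    # Assumed host and PingFederate runtime port; replace with your own.
    print(check_server_preference("localhost", 9031, list(JAVA_TO_OPENSSL)))
```

Run it against the runtime port after replication and restart on each engine node; a verdict of server-order confirms the configured listing order is the one in use.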