PingFederate Server

Managing cipher suites

You can enable, disable, and re-order cipher suites in PingFederate.

About this task

The SSL/TLS server-client handshake involves negotiating cipher suites to use for encryption and decryption on each side of a secured transaction. You can find cipher suites in the following configuration files:

  • com.pingidentity.crypto.SunJCEManager.xml

  • com.pingidentity.crypto.AWSCloudHSMJCEManager.xml

  • com.pingidentity.crypto.LunaJCEManager.xml

  • com.pingidentity.crypto.NcipherJCEManager.xml

  • com.pingidentity.crypto.BCFIPSJCEManager.xml

These cipher-suite configuration files are located in the <pf_install>/server/default/data/config-store directory. These files comment out weaker cipher suites. To ensure the most secure transactions, retain this cipher-suite configuration.

For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide in Oracle’s documentation.

Starting with PingFederate 9.1, for new installations, cipher suites are selected in the order in which they are listed in the cipher-suite configuration file. For upgrades, you can enable the same selection mechanism as well.

Steps

  • Choose one of the following actions.

    Choose from:

    • To enable, disable, or re-order cipher suites, follow these steps.

      1. Edit the applicable cipher-suite configuration file.

      2. Save your changes.

      3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.

      For each engine node, restart PingFederate to load the changes made in the cipher-suite configuration file after the configuration is replicated.

    • To enable cipher-suite selection based on listing order after an upgrade, follow these steps.

      1. Create a new text file with the following content.

         <?xml version="1.0" encoding="UTF-8"?>
         <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
             <c:item name="prefer-server-cipher-suites">true</c:item>
         </c:config>

      2. Save this file as cipher-suite-settings.xml in the <pf_install>/pingfederate/server/default/data/config-store directory.

      3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System → Server → Cluster Management.

      For each engine node, restart PingFederate to load the changes made in the cipher-suite-settings.xml file after the configuration is replicated.
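The following script is an added example, not PingFederate's own code, showing how an administrator can audit one of the cipher-suite configuration files before restarting and how to check the cipher-suite-settings.xml content given above. It assumes the cipher-suite files (for example com.pingidentity.crypto.SunJCEManager.xml) use the same <c:config>/<c:item name="..."/> layout as the cipher-suite-settings.xml fragment on this page, with one item per suite and weaker suites commented out; SAMPLE_CONFIG is a constructed stand-in for such a file, and WEAK_MARKERS is an illustrative list rather than PingFederate's policy. It needs Python 3.8 or later for comment-preserving parsing.

```python
"""Audit a PingFederate-style cipher-suite file and check the
prefer-server-cipher-suites setting (added example, not PingFederate code)."""
import re
import xml.etree.ElementTree as ET

NS = "http://www.sourceid.org/2004/05/config"
ITEM_TAG = f"{{{NS}}}item"

# Constructed sample in the assumed layout of a trimmed cipher-suite file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:item name="TLS_AES_256_GCM_SHA384"/>
    <c:item name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
    <c:item name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <c:item name="TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <!-- <c:item name="TLS_RSA_WITH_3DES_EDE_CBC_SHA"/> -->
    <!-- <c:item name="SSL_RSA_WITH_RC4_128_SHA"/> -->
</c:config>
"""

# Substrings that mark suites worth flagging in an audit (illustrative list).
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")


def parse_suites(xml_text):
    """Return (enabled, commented_out) suite names, each in file order.

    File order matters: on new 9.1+ installs, or once
    prefer-server-cipher-suites is enabled, it is the server's preference order.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    enabled, commented_out = [], []
    for node in root:
        if node.tag == ITEM_TAG:
            enabled.append(node.get("name"))
        elif node.tag is ET.Comment:
            # A commented-out <c:item .../> still carries its name attribute.
            match = re.search(r'name="([^"]+)"', node.text or "")
            if match:
                commented_out.append(match.group(1))
    return enabled, commented_out


def is_weak(suite):
    """Flag legacy algorithms, RSA key exchange (no forward secrecy) and CBC."""
    if any(marker in suite for marker in WEAK_MARKERS):
        return True
    return suite.startswith(("TLS_RSA_", "SSL_RSA_")) or "_CBC_" in suite


def audit(xml_text):
    """Summarise which suites are active, which are disabled, and what to fix."""
    enabled, commented_out = parse_suites(xml_text)
    return {
        "enabled": enabled,
        "commented_out": commented_out,
        "weak_enabled": [s for s in enabled if is_weak(s)],
        "first_preference": enabled[0] if enabled else None,
    }


def prefer_server_cipher_suites_xml():
    """Render the cipher-suite-settings.xml content given on the page."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<c:config xmlns:c="http://www.sourceid.org/2004/05/config">\n'
        '    <c:item name="prefer-server-cipher-suites">true</c:item>\n'
        '</c:config>\n'
    )


def settings_enable_server_order(xml_text):
    """Check that a settings file really turns on listing-order selection."""
    root = ET.fromstring(xml_text)
    for item in root.findall(ITEM_TAG):
        if item.get("name") == "prefer-server-cipher-suites":
            return (item.text or "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("Preference order:", ", ".join(report["enabled"]))
    print("Disabled (commented out):", ", ".join(report["commented_out"]))
    print("Weak suites still enabled:", report["weak_enabled"] or "none")
    print("Settings file enables server order:",
          settings_enable_server_order(prefer_server_cipher_suites_xml()))
```

Run it against the real file by reading it into a string and passing it to audit(); the "weak_enabled" list is the set of suites that were un-commented (or never commented out) and deserve a second look before you restart PingFederate and replicate the configuration to the engine nodes.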