PingFederate Server

Custom mode in the Upgrade Utility

The custom-mode feature in the Upgrade Utility (invoked with the -c option on the command line) allows you to override several default security settings.

Running the Upgrade Utility in custom mode also allows you to update to the latest version of any integration bundled with PingFederate, such as the OpenToken Adapter, Agentless Integration Kit, and PingID Provisioner.

Security defaults

Using the security defaults shouldn’t cause significant issues for most PingFederate installations. The more recent default security settings include:

  • Disabling weaker cipher suites for both the SUN and LUNA Java Cryptography Extension (JCE) in PingFederate version 6.2 and later. To see which cipher suites are commented out, choose yes (y) when prompted on whether to use the new defaults. After the upgrade is complete, refer to one of the following configuration files in the new installation’s <pf_install>/pingfederate/server/default/data/config-store directory:

      • com.pingidentity.crypto.SunJCEManager.xml

      • com.pingidentity.crypto.AWSCloudHSMJCEManager.xml

      • com.pingidentity.crypto.LunaJCEManager.xml

      • com.pingidentity.crypto.NcipherJCEManager.xml

      • com.pingidentity.crypto.BCFIPSJCEManager.xml
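
One way to review the result after the upgrade, as an added example that is not part of the PingFederate documentation or tooling: the script below reports which cipher suite names appear only inside XML comments in one of these files and which remain active. The sample content and its element names are constructed assumptions; the script relies only on XML comment markers and the standard TLS_/SSL_ suite naming.

```python
import re
import sys

# Constructed sample standing in for a JCEManager config-store file.
# Element names are an assumption, not the product's documented schema.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <list name="cipher-suites">
    <item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</item>
    <item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</item>
    <!-- <item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</item> -->
    <!--
    <item>SSL_RSA_WITH_RC4_128_SHA</item>
    <item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</item>
    -->
  </list>
</config>
"""

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)   # single- and multi-line comments
SUITE = re.compile(r"\b(?:TLS|SSL)_[A-Z0-9_]+\b")  # JSSE-style suite names


def classify_suites(xml_text):
    """Return (active, commented_out, conflicting) as sorted lists of names."""
    commented = set()
    for body in COMMENT.findall(xml_text):
        commented.update(SUITE.findall(body))
    # Strip comments first so disabled entries are not counted as enabled.
    active = set(SUITE.findall(COMMENT.sub("", xml_text)))
    # A name in both sets is still enabled despite a commented-out copy.
    conflicting = active & commented
    return sorted(active), sorted(commented - active), sorted(conflicting)


if __name__ == "__main__":
    # Pass the path to a config-store file, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    active, disabled, conflicting = classify_suites(text)
    for label, names in (("ACTIVE", active), ("COMMENTED OUT", disabled),
                         ("ACTIVE BUT ALSO COMMENTED", conflicting)):
        for name in names:
            print(f"{label:26} {name}")
```

Run it against the file for the JCE manager your installation uses and compare the output with your organization's approved cipher suite list.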

Adapter upgrade

Upgrading the OpenToken Adapter from an earlier version doesn’t normally require any follow-on configuration changes.

  • If your existing installation uses a version of the OpenToken Adapter earlier than 2.3, upgrading requires minor configuration modifications in the PingFederate console and redeployment of the agent configuration file.

  • If you’re upgrading from an OpenToken version earlier than 2.5.1, you should redeploy the agent configuration files, if applicable, as well as any new agent libraries contained in recent versions of PingFederate integration kits and other plugins that use OpenToken.