---
title: Managing cipher suites
description: You can enable, disable, and re-order cipher suites in PingFederate.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_managing_cipher_suites
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_managing_cipher_suites.html
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Managing cipher suites

You can enable, disable, and re-order cipher suites in PingFederate.

## About this task

The SSL/TLS server-client handshake involves negotiating cipher suites to use for encryption and decryption on each side of a secured transaction. You can find cipher suites in the following configuration files:

* `com.pingidentity.crypto.SunJCEManager.xml`

* `com.pingidentity.crypto.AWSCloudHSMJCEManager.xml`

* `com.pingidentity.crypto.LunaJCEManager.xml`

* `com.pingidentity.crypto.NcipherJCEManager.xml`

* `com.pingidentity.crypto.BCFIPSJCEManager.xml`

These cipher-suite configuration files are located in the `<pf_install>/server/default/data/config-store` directory. In these files, the weaker cipher suites are commented out. To ensure the most secure transactions, retain this cipher-suite configuration.

**Note:** For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the [Oracle JDK Migration Guide](https://docs.oracle.com/en/java/javase/11/migrate/) in Oracle's documentation.

In new installations of PingFederate 9.1 and later, cipher suites are selected in the order in which they are listed in the cipher-suite configuration file. After an upgrade, you can enable the same selection mechanism.

## Steps

For a clustered PingFederate environment, perform these steps on the console node, and then click **Replicate Configuration** on **System > Server > Cluster Management**.

To enable cipher-suite selection based on listing order after an upgrade, follow these steps.

1. Create a new text file with the following content.

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
       <c:item name="prefer-server-cipher-suites">true</c:item>
   </c:config>
   ```

2. Save this file as `cipher-suite-settings.xml` in the `<pf_install>/pingfederate/server/default/data/config-store` directory.

3. Restart PingFederate.

   **Note:** For each engine node, restart PingFederate to load the changes made in the `cipher-suite-settings.xml` file after the configuration is replicated.
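
A pre-restart check for the file created in steps 1 and 2, as an added example that is not part of the PingFederate product or its documentation: it parses the file and confirms that the `prefer-server-cipher-suites` item appears exactly once with the value `true`. The function name, the strict comparison against `true`, and the broken sample variants are assumptions made for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace and item name as they appear in the file shown in step 1.
CONFIG_NS = "http://www.sourceid.org/2004/05/config"
ITEM_NAME = "prefer-server-cipher-suites"


def check_cipher_suite_settings(xml_text):
    """Return (ok, reason) for the contents of a cipher-suite-settings.xml file."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{CONFIG_NS}}}config":
        return False, f"unexpected root element {root.tag}"
    items = [item for item in root.iter(f"{{{CONFIG_NS}}}item")
             if item.get("name") == ITEM_NAME]
    if len(items) != 1:
        return False, f"expected one {ITEM_NAME} item, found {len(items)}"
    value = (items[0].text or "").strip()
    # Assumption: only the literal value shown on the page is accepted.
    if value != "true":
        return False, f"{ITEM_NAME} is {value!r}, not 'true'"
    return True, f"{ITEM_NAME} is true"


# Constructed sample inputs: the file from step 1 and three broken variants.
GOOD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<c:config xmlns:c="http://www.sourceid.org/2004/05/config">\n'
    '    <c:item name="prefer-server-cipher-suites">true</c:item>\n'
    '</c:config>\n'
)
DISABLED = GOOD.replace(">true<", ">false<")
WRONG_NAMESPACE = GOOD.replace("2004/05/config", "2004/05/conf")
TRUNCATED = GOOD.replace("</c:config>", "")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file given on the command line
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, reason = check_cipher_suite_settings(fh.read())
        print("OK" if ok else "FAIL", reason)
        sys.exit(0 if ok else 1)
    for label, sample in [("good", GOOD), ("disabled", DISABLED),
                          ("wrong namespace", WRONG_NAMESPACE),
                          ("truncated", TRUNCATED)]:
        print(label, check_cipher_suite_settings(sample))
```

Run it with the path to `cipher-suite-settings.xml` as the only argument; it exits with a non-zero status when the check fails.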

## Related links

* [Secure sockets layer](../introduction_to_pingfederate/pf_secure_sock_layer.html)
