During the SSL/TLS handshake, the server and client negotiate the cipher suite that both sides then use to encrypt and decrypt the secured transaction. The cipher suites that PingFederate offers are stored in the following configuration files:

  • com.pingidentity.crypto.SunJCEManager.xml
  • com.pingidentity.crypto.AWSCloudHSMJCEManager.xml
  • com.pingidentity.crypto.LunaJCEManager.xml
  • com.pingidentity.crypto.NcipherJCEManager.xml

These cipher-suite configuration files are located in the <pf_install>/server/default/data/config-store directory. Weaker cipher suites are commented out in these files. Retain this cipher-suite configuration to ensure the most secure transactions.

Important:

Due to the import restrictions of some countries, Oracle Server JRE (Java SE Runtime Environment) 8 has built-in restrictions on available cryptographic strength (key size). To use larger key sizes, the Java Cryptography Extension (JCE) "unlimited strength" jurisdiction policy must be enabled. For more information, see the Java 8 release notes from Oracle (www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html).

For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide (docs.oracle.com/en/java/javase/11/migrate/).

Starting with PingFederate 9.1, new installations select cipher suites in the order in which they are listed in the cipher-suite configuration file. Upgraded installations can enable the same selection mechanism by following the second procedure below.

  • To enable, disable, or re-order cipher suites, follow these steps.
    1. Edit the applicable cipher-suite configuration file.
    2. Save your changes.
    3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on the System > Cluster Management screen.

      Important: For each engine node, restart PingFederate to load the changes made in the cipher-suite configuration file after the configuration is replicated.
  • To enable cipher-suite selection based on listing order after an upgrade, follow these steps.
    1. Create a new text file with the following content:
      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <c:item name="prefer-server-cipher-suites">true</c:item>
      </c:config>
    2. Save this file as cipher-suite-settings.xml in the <pf_install>/pingfederate/server/default/data/config-store directory.
    3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on the System > Cluster Management screen.

      Important: For each engine node, restart PingFederate to load the changes made in the cipher-suite-settings.xml file after the configuration is replicated.
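The following audit script is an added example, not PingFederate code. It parses config-store files in the namespace shown above, reports which suites are active, which are commented out (and therefore disabled), flags legacy algorithms among the active ones, and reads prefer-server-cipher-suites from cipher-suite-settings.xml. It assumes each suite is a single <c:item name="SUITE"/> element and that a disabled suite is that element wrapped in an XML comment; the per-suite item layout is not shown on this page, and the weak-algorithm markers are a heuristic of this example.

```python
"""Audit PingFederate config-store cipher files. Added example, not Ping code; it
assumes each suite is one <c:item name="SUITE"/> and a disabled suite is that
element wrapped in an XML comment (the item layout is not shown on this page)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.sourceid.org/2004/05/config}"
COMMENTED_ITEM = re.compile(r'<\w*:?item\s+name="([^"]+)"')
# Heuristic markers for legacy algorithms worth flagging (assumed, not Ping's list)
WEAK_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_EXPORT_", "_MD5", "_anon_")

def parse_config_store(xml_text):
    """Return (active_items, disabled_items, settings) in file order."""
    # insert_comments=True keeps <!-- --> nodes so commented-out suites are reported
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, disabled, settings = [], [], {}
    for node in root:
        if node.tag is ET.Comment:
            disabled.extend(COMMENTED_ITEM.findall(node.text or ""))
        elif node.tag == NS + "item":
            name, value = node.get("name", ""), (node.text or "").strip()
            if value:
                settings[name] = value  # e.g. prefer-server-cipher-suites
            else:
                active.append(name)     # a suite the server will offer
    return active, disabled, settings

def audit(cipher_xml, settings_xml=""):
    """Summarise offered suites and whether the server's listing order is authoritative."""
    active, disabled, _ = parse_config_store(cipher_xml)
    settings = parse_config_store(settings_xml)[2] if settings_xml else {}
    return {
        "active": active,
        "disabled": disabled,
        "weak_active": [s for s in active if any(m in s for m in WEAK_MARKERS)],
        "server_order_preferred": settings.get("prefer-server-cipher-suites") == "true",
    }

# Constructed sample files in the layout assumed above
CIPHER_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:item name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
    <c:item name="TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <!--<c:item name="TLS_RSA_WITH_RC4_128_SHA"/>-->
</c:config>"""
SETTINGS_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:item name="prefer-server-cipher-suites">true</c:item>
</c:config>"""
```

Run audit() against the real files on a console node before replicating, and again on each engine node after its restart, to confirm the active list and preference setting match what was replicated.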