PingAccess listens for HTTPS requests on the Admin, Engine, and Agent ports in all deployments, and on the Config query port in clustered deployments.
A key pair must be assigned to each listener. By default, the listeners are configured for HTTPS and use pregenerated key pairs associated with localhost.

| HTTPS Listener | Description |
|---|---|
| Admin | Listens for requests for the administrative user interface and the PingAccess REST APIs. |
| Engine | Listens for HTTP or HTTPS requests that are proxied to target web servers associated with Sites. |
| Agent | Listens for requests from PingAccess agents. |
| Sideband | Listens for requests from sideband clients. |
| Config query | Listens for requests for configuration information from replica administrative nodes and engine nodes in clustered deployments. |

If you configure a trusted certificate group for a virtual host, or configure an engine key pair to associate it with a virtual host, those settings are used instead of any applicable HTTPS listeners or engine listeners for the virtual host.
Cipher suite ordering for HTTPS listeners
PingAccess supports the use of a defined order for cipher suite usage to help ensure the most secure cipher suites are used first, regardless of the client request. The cipher suite order is defined in <PA_HOME>/conf/run.properties using the tls.default.cipherSuites property.
On new installs, or in the case of an upgrade to release 5.1 or later, this behavior is the default. You can disable this behavior and have PingAccess use the order provided by the client by setting useServerCipherSuiteOrder to false using the PingAccess API /httpsListeners endpoint.
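
As an added example (not PingAccess code), this Python sketch audits a constructed run.properties for suites listed ahead of stronger ones and flags listeners whose useServerCipherSuiteOrder is false, since those ignore the configured order. The comma-separated value layout, the listener record shape, and the strength heuristic are assumptions made for illustration.

```python
import re

# Constructed sample of <PA_HOME>/conf/run.properties; comma-separated value with
# backslash continuations is an assumption about the file layout.
SAMPLE_PROPERTIES = """\
admin.port=9000
tls.default.cipherSuites=TLS_AES_128_GCM_SHA256,\\
    TLS_RSA_WITH_AES_128_CBC_SHA,\\
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
"""

# Constructed listener records; only useServerCipherSuiteOrder is named on the page.
SAMPLE_LISTENERS = [
    {"name": "ADMIN", "useServerCipherSuiteOrder": True},
    {"name": "ENGINE", "useServerCipherSuiteOrder": False},
]

def cipher_suites(text, key="tls.default.cipherSuites"):
    """Return the ordered suite list for `key`, joining continuation lines."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    for line in joined.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith(("#", "!")) and name.strip() == key:
            return [s.strip() for s in value.split(",") if s.strip()]
    return []

def strength(suite):
    """Heuristic rank: +1 for forward secrecy, +1 for an AEAD cipher."""
    tls13 = "_WITH_" not in suite  # TLS 1.3 suite names omit the key exchange
    forward_secret = tls13 or suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = "_GCM_" in suite or "CHACHA20" in suite
    return int(forward_secret) + int(aead)

def audit(text, listeners):
    """List suites ranked below a later suite, and listeners using client order."""
    inverted, strongest_after = [], -1
    for suite in reversed(cipher_suites(text)):
        if strength(suite) < strongest_after:
            inverted.append(suite)
        strongest_after = max(strongest_after, strength(suite))
    findings = [f"order: {s} precedes a stronger suite" for s in reversed(inverted)]
    for listener in listeners:
        if not listener.get("useServerCipherSuiteOrder", True):
            findings.append(f"listener: {listener['name']} follows client order")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPERTIES, SAMPLE_LISTENERS)))
```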