Managing cipher suites - PingFederate - 11.0

PingFederate Server

You can enable, disable, and re-order cipher suites in PingFederate.

The SSL/TLS server-client handshake involves negotiating cipher suites to use for encryption and decryption on each side of a secured transaction. You can find cipher suites in the following configuration files:

  • com.pingidentity.crypto.SunJCEManager.xml
  • com.pingidentity.crypto.AWSCloudHSMJCEManager.xml
  • com.pingidentity.crypto.LunaJCEManager.xml
  • com.pingidentity.crypto.NcipherJCEManager.xml
  • com.pingidentity.crypto.BCFIPSJCEManager.xml

These cipher-suite configuration files are located in the <pf_install>/server/default/data/config-store directory. These files comment out weaker cipher suites. To ensure the most secure transactions, retain this cipher-suite configuration.

Important:

Due to the import restrictions of some countries, Oracle Server Java SE Runtime Environment (JRE) 8 has built-in restrictions on available cryptographic strength (key size). To use larger key sizes, enable the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy. For more information, see the Java 8 release notes in Oracle's documentation.

For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide in Oracle's documentation.

Starting with PingFederate 9.1, new installations select cipher suites in the order in which they are listed in the cipher-suite configuration file. Upgraded installations can enable the same order-based selection mechanism manually, as described in the steps below.

Choose one of the following actions.

  • To enable, disable, or re-order cipher suites, follow these steps.
    1. Edit the applicable cipher-suite configuration file.
    2. Save your changes.
    3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System > Server > Cluster Management.

      Important:

      For each engine node, restart PingFederate to load the changes made in the cipher-suite configuration file after the configuration is replicated.

  • To enable cipher-suite selection based on listing order after an upgrade, follow these steps.
    1. Create a new text file with the following content.
      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <c:item name="prefer-server-cipher-suites">true</c:item>
      </c:config>
    2. Save this file as cipher-suite-settings.xml in the <pf_install>/pingfederate/server/default/data/config-store directory.
    3. Restart PingFederate.

      For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System > Server > Cluster Management.

      Important:

      For each engine node, restart PingFederate to load the changes made in the cipher-suite-settings.xml file after the configuration is replicated.
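The following Python script is an added example, not part of the PingFederate documentation: it parses a cipher-suite file written in the config-store format shown above and reports the enabled suites in listed order, the suites left commented out, any weak suite that has been uncommented, and whether cipher-suite-settings.xml sets prefer-server-cipher-suites, so the effective configuration can be reviewed before the restart and replication steps. The <c:list name="cipher-suites"> layout, the sample file contents and the WEAK_MARKERS list are assumptions, not PingFederate's actual file structure.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://www.sourceid.org/2004/05/config"}

# Constructed sample in the config-store format this page shows. The
# <c:list name="cipher-suites"> layout is an assumption, not the real
# SunJCEManager.xml structure; adapt the XPath to the actual file.
SAMPLE_CIPHER_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:list name="cipher-suites">
        <c:item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</c:item>
        <c:item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</c:item>
        <!-- <c:item>TLS_RSA_WITH_AES_128_CBC_SHA</c:item> -->
        <!-- <c:item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</c:item> -->
    </c:list>
</c:config>
"""
# Constructed copy of the cipher-suite-settings.xml content from the page.
SAMPLE_SETTINGS_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <c:item name="prefer-server-cipher-suites">true</c:item>
</c:config>
"""
# Substrings marking suites a reviewer should never see re-enabled (assumed list).
WEAK_MARKERS = ("_NULL_", "_RC4_", "3DES", "EXPORT", "_anon_")

def enabled_suites(xml_text):
    """Active suites in file order. ElementTree drops XML comments, so
    commented-out entries never appear here."""
    root = ET.fromstring(xml_text)
    items = root.findall("c:list[@name='cipher-suites']/c:item", NS)
    return [i.text.strip() for i in items]

def disabled_suites(xml_text):
    """Suites present in the file but commented out (the shipped default for weak ones)."""
    return re.findall(r"<!--\s*<c:item>\s*([A-Za-z0-9_]+)\s*</c:item>\s*-->", xml_text)

def flag_weak(xml_text):
    """Enabled suites matching a weak marker, i.e. ones somebody uncommented."""
    return [s for s in enabled_suites(xml_text) if any(m in s for m in WEAK_MARKERS)]

def server_order_preferred(xml_text):
    """True only if prefer-server-cipher-suites is 'true', so list order is honoured."""
    root = ET.fromstring(xml_text)
    item = root.find("c:item[@name='prefer-server-cipher-suites']", NS)
    return item is not None and (item.text or "").strip().lower() == "true"
```

Run it against the real files under the config-store directory on the console node before replicating, and re-run on each engine node after its restart to confirm the same list is in effect everywhere.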