You can enable, disable, and re-order cipher suites in PingFederate.
The SSL/TLS server-client handshake involves negotiating cipher suites to use for encryption and decryption on each side of a secured transaction. You can find cipher suites in the following configuration files:
- com.pingidentity.crypto.SunJCEManager.xml
- com.pingidentity.crypto.AWSCloudHSMJCEManager.xml
- com.pingidentity.crypto.LunaJCEManager.xml
- com.pingidentity.crypto.NcipherJCEManager.xml
- com.pingidentity.crypto.BCFIPSJCEManager.xml
These cipher-suite configuration files are located in the <pf_install>/server/default/data/config-store directory. These files comment out weaker cipher suites. To ensure the most secure transactions, retain this cipher-suite configuration.
Because of the import restrictions of some countries, Oracle Server Java SE Runtime Environment (JRE) 8 has built-in restrictions on available cryptographic strength (key size). To use larger key sizes, enable the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy. For more information, see the Java 8 release notes in Oracle's documentation.
For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide in Oracle's documentation.
Starting with PingFederate 9.1, cipher suites are selected based on the order that they are listed in the cipher-suite configuration file for new installations. For upgrades, you can enable the same selection mechanism as well.
Choose one of the following actions.
- Edit the applicable cipher-suite configuration file.
- Save your changes.
- Restart PingFederate.
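A check to run on the edited file before restarting, as an added example that is not part of PingFederate or its documentation: it lists the suites left enabled in listing order and flags weak ones that are no longer commented out. It assumes only that the file is XML with suite names as text and disabled suites inside XML comments; the sample layout, the `audit` function and the weak-marker list are constructed for illustration.

```python
import re
import sys

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
SUITE = re.compile(r"\b(?:TLS|SSL)_[A-Za-z0-9_]+")
# Assumption: general TLS hardening markers, not PingFederate's own weak list.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_anon_", "_MD5")

# Constructed sample; element names are placeholders, not the product schema.
SAMPLE = """<config>
  <list>
    <item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</item>
    <item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</item>
    <item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</item>
    <!-- <item>TLS_RSA_WITH_RC4_128_MD5</item>
         <item>TLS_RSA_WITH_NULL_SHA</item> -->
    <item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</item>
  </list>
</config>"""


def audit(xml_text):
    """Classify suite names by whether they sit inside an XML comment."""
    commented = [s for c in COMMENT.findall(xml_text) for s in SUITE.findall(c)]
    listed = SUITE.findall(COMMENT.sub("", xml_text))
    enabled = list(dict.fromkeys(listed))  # de-duplicate, keep listing order
    return {
        "enabled": enabled,
        "weak_enabled": [s for s in enabled if any(m in s for m in WEAK_MARKERS)],
        "duplicates": sorted({s for s in listed if listed.count(s) > 1}),
        "commented_out": commented,
    }


if __name__ == "__main__":
    # Pass the path of the edited configuration file; falls back to SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    report = audit(text)
    for rank, suite in enumerate(report["enabled"], 1):
        flag = "  <-- WEAK" if suite in report["weak_enabled"] else ""
        print(f"{rank:2d}. {suite}{flag}")
    print("duplicates:", report["duplicates"])
    print("commented out:", len(report["commented_out"]))
    sys.exit(1 if report["weak_enabled"] else 0)
```

The script exits non-zero when a weak suite is enabled, so it can gate the restart in a change procedure.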
To enable cipher-suite selection based on listing order after an upgrade, follow these steps.