PingIdentity: Disabling SSLv3 and weak ciphers for PingFederate

The PingFederate server provides best-in-class Identity Management and SSO.  However, due to US laws governing export of cryptography, the default SSL protocols and cipher suites need to be configured to harden the solution.

Below are the steps involved with making these post-installation changes.

JCE Unlimited Strength

The first step is to deploy the Java Cryptography Extension (JCE) unlimited strength policy files. Out of the box, the Java runtime only uses a set of cryptographic extensions that is limited in strength.

Download the JCE policy files from Oracle for your Java version (Java 7 or Java 8). Then copy local_policy.jar and US_export_policy.jar into the ‘<JAVAHOME>\jre\lib\security’ directory of the Java runtime used by the application server running PingFederate.

Disable SSLv3

Disable the legacy SSLv3 protocol for both the admin and runtime servers.

Open <PINGHOME>\pingfederate\etc\jetty-admin.xml and modify the AdminSSLContextFactory element so it looks like:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.AdminSSLContextFactory">
  <Set name="excludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>
</New>

Open <PINGHOME>\pingfederate\etc\jetty-runtime.xml and modify the RuntimeSSLContextFactory element so it looks like:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSSLContextFactory">
  <Set name="excludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>
</New>

Remove weak ciphers

Open <PINGHOME>\pingfederate\server\default\data\config-store\com.pingidentity.crypto.SunJCEManager.xml and uncomment all the ciphers at the top that are marked as disabled because they require the JCE unlimited strength policy files.

Then go down to the very bottom of the file and comment out all the ciphers which contain ‘RC4’, starting with TLS_ECDHE_ECDSA_WITH_RC4_128_SHA and ending with SSL_RSA_WITH_RC4_128_MD5. Be sure the last entry, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, is not commented out.
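Before restarting the service, both edits can be checked offline. The script below is an added example, not code from PingFederate or from the original article: it confirms every SSLContextFactory element excludes SSLv3, that no RC4 suite is still active, and that TLS_EMPTY_RENEGOTIATION_INFO_SCSV was not commented out by mistake. The element layout of the cipher file is not shown on this page, so the check is layout-agnostic and both sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

SUITE = re.compile(r"\b(?:TLS|SSL)_[A-Z0-9_]+\b")

def unexcluded_protocols(jetty_xml, required=("SSLv3",)):
    """Map each *SSLContextFactory element to the required protocols it fails to exclude."""
    findings = {}
    for new in ET.fromstring(jetty_xml).iter("New"):
        cls = new.get("class", "")
        if not cls.endswith("SSLContextFactory"):
            continue
        excluded = {(item.text or "").strip()
                    for s in new.iter("Set") if s.get("name") == "excludeProtocols"
                    for item in s.iter("Item")}
        missing = [p for p in required if p not in excluded]
        if missing:
            findings[cls.rsplit(".", 1)[-1]] = missing
    return findings

def active_suites(cipher_xml):
    """Suite names still in effect: ElementTree drops <!-- --> comments while parsing,
    so anything found in element text, tails or attributes is not commented out."""
    names = set()
    for el in ET.fromstring(cipher_xml).iter():
        for value in (el.text or "", el.tail or "", *el.attrib.values()):
            names.update(SUITE.findall(value))
    return names

def cipher_findings(cipher_xml):
    active = active_suites(cipher_xml)
    problems = sorted(n for n in active if "RC4" in n)
    if "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" not in active:
        problems.append("TLS_EMPTY_RENEGOTIATION_INFO_SCSV not active")
    return problems

# Constructed samples (assumed layout): the runtime factory lacks the exclusion,
# one RC4 suite was left active, and the SCSV entry was commented out by mistake.
JETTY_SAMPLE = """<Configure>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.AdminSSLContextFactory">
    <Set name="excludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>
  </New>
  <New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSSLContextFactory"/>
</Configure>"""
CIPHER_SAMPLE = """<config>
  <item name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
  <!-- <item name="TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"/> -->
  <item>SSL_RSA_WITH_RC4_128_MD5</item>
  <!-- <item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</item> -->
</config>"""
```

To audit a real installation, pass the contents of jetty-admin.xml, jetty-runtime.xml and the SunJCEManager.xml file to these functions; an empty result from each means the edits took effect in the files.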

Validate

After restarting the PingFederate service, you should now be able to use OpenSSL to validate that SSLv3 and the weak ciphers are no longer offered. I have written a detailed article on this procedure here.

 
