Thursday 27 August 2015

Certificate chain, PingFederate/PingAccess

Neither the current version of PingFederate (8.0) nor of PingAccess (3.2) fixes the SSL certificate chain automatically, even if you have the intermediate certificate installed.

To fix this you simply need to perform the following steps:

1) Determine which intermediate certificate was used to sign the SSL certificate. This can be determined by noting the Issuer DN when viewing the certificate details. Export it to a file.

2) Check your runtime server certificate and export only the public key to a file.

3) Combine the exported public key for your runtime server certificate with the intermediate's public key. To do this, use the following openssl command:

openssl crl2pkcs7 -nocrl -certfile yourruntimeserversSSLpublickey.crt -certfile publickeyintermediateca.crt -outform PEM -out csr_response.p7

4) Now import the resulting p7 file. You do this by simply choosing Import CSR response.

5) To test that PingFederate/PingAccess is indeed including the intermediate certificate when negotiating SSL, you may test with the following command, which should show both the primary and intermediate certificates in the response:

openssl s_client -connect yourservername:443 -showcerts
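The chain-building steps above as an added example script (not code from the original post): it checks the server certificate's Issuer DN against the intermediate, builds the PKCS#7 bundle with the crl2pkcs7 command from step 3, and counts the certificates in it before you import. It assumes openssl on PATH and, so that it runs offline, constructs its own throw-away intermediate and server certificate instead of the files exported from PingFederate/PingAccess.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds and checks the
# PKCS#7 bundle described in steps 1-4. Assumes `openssl` is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed "intermediate" plus the server
# certificate it signs. In practice both are exported from PingFederate.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/ica.key" \
    -out "$WORK/ica.crt" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=sso.example.test" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ica.crt" \
    -CAkey "$WORK/ica.key" -CAcreateserial -out "$WORK/srv.crt" 2>/dev/null
}

# Step 1: the server certificate's Issuer DN must equal the intermediate's
# Subject DN; otherwise the wrong intermediate was exported.
issuer_matches() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# Step 3: server cert + intermediate in one PEM PKCS#7 for "Import CSR response".
build_p7() {
  openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -outform PEM -out "$3"
}

# Sanity check before importing: the bundle should carry exactly two certificates.
count_certs_in_p7() {
  openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# Step 5 equivalent: count certificates the live server presents (expect >= 2).
# Needs network access, so it is not called in the offline run below.
served_cert_count() {
  openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_certs
issuer_matches "$WORK/srv.crt" "$WORK/ica.crt"
build_p7 "$WORK/srv.crt" "$WORK/ica.crt" "$WORK/csr_response.p7"
echo "certificates in bundle: $(count_certs_in_p7 "$WORK/csr_response.p7")"
```

Replace the constructed files with your exported runtime server certificate and intermediate, then import the resulting csr_response.p7 as in step 4.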

Wednesday 26 August 2015

Disable SSLv3 in PingFederate

If you are running PingFederate 7.X or older you have SSLv3 enabled. Since SSLv3 is considered insecure I wanted to remove it from our PingFederate systems.

You disable SSLv3 pretty easily by editing the following configuration file:

$INSTALLDIR/pingfederate/etc/jetty-runtime.xml

Search for a line which looks like this:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>

It should look like this instead:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory">
    <!-- Only the listed protocols are offered; SSLv3 is left out -->
    <Set name="includeProtocols">
        <Array type="java.lang.String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
        </Array>
    </Set>
</New>

PingFederate 8 and newer have SSLv3 disabled by default.