Showing posts with label PingFederate. Show all posts

Thursday 27 August 2015

Certificate chain, PingFederate/PingAccess

Neither the current version of PingFederate (8.0) nor PingAccess (3.2) fixes the SSL certificate chain automatically: the runtime server sends only its own certificate, even when you have the intermediate certificate installed in the trusted CA store.

To fix this you simply need to perform the following steps:

1) Determine which intermediate certificate signed the SSL certificate. The Issuer DN shown in the certificate details identifies it. Export that intermediate certificate to a file.

2) Open your runtime server certificate and export only the certificate (the public part, never the private key) to a file.

3) Combine the exported server certificate and the intermediate certificate into a single PKCS#7 bundle. To do this, use the following openssl command (server certificate first, then the intermediate):

openssl crl2pkcs7 -nocrl -certfile yourruntimeserversSSLpublickey.crt -certfile publickeyintermediateca.crt -outform PEM -out csr_response.p7

4) Now import the resulting .p7 file onto the runtime server certificate by simply choosing Import CSR response.

5) To confirm that PingFederate/PingAccess now includes the intermediate certificate when negotiating SSL, run the following command; the output should list both the server certificate and the intermediate:

openssl s_client -connect yourservername:443 -showcerts
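The five steps above as a script. This is an added example, not code from the original post or from Ping Identity: it builds the PKCS#7 bundle that the Import CSR response dialog accepts, checks before building that the intermediate you picked really did sign the server certificate (step 1), and counts the certificates a live listener sends (step 5). The file names and the host pf.example.test are assumptions; change the port if your runtime listener is not on 443.

```shell
#!/bin/sh
# Added example (not from the original post or Ping Identity): script the
# certificate-chain fix for PingFederate/PingAccess and verify each step.
# Assumptions: file names below and the host pf.example.test:443.
set -eu

# Step 1 check: verify the server certificate against the chosen intermediate
# alone. -partial_chain lets a non-root CA act as the trust anchor (OpenSSL >= 1.0.2),
# so no root certificate is needed for this test.
signed_by_intermediate() {   # signed_by_intermediate server.crt intermediate.crt
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Count PEM certificates on stdin. Works on the output of "pkcs7 -print_certs"
# and of "s_client -showcerts" alike.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# Step 3: server certificate first, then the intermediate, the order a TLS server
# is supposed to send them. Add further -certfile arguments for a deeper chain.
build_p7_bundle() {          # build_p7_bundle server.crt intermediate.crt out.p7
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" -outform PEM -out "$3"
}

# Sanity check before importing: the bundle must hold both certificates (2).
p7_cert_count() {
    openssl pkcs7 -inform PEM -in "$1" -print_certs | count_pem_certs
}

# Step 5: how many certificates the listener sends in the handshake. 1 means the
# intermediate is still missing; 2 means one intermediate is now being served.
served_cert_count() {        # served_cert_count pf.example.test:443
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        2>/dev/null | count_pem_certs
}

# Usage: sh fix_chain.sh runtime.crt intermediate.crt pf.example.test:443
if [ "$#" -eq 3 ]; then
    signed_by_intermediate "$1" "$2" || { echo "$2 did not sign $1" >&2; exit 1; }
    build_p7_bundle "$1" "$2" csr_response.p7
    echo "csr_response.p7 holds $(p7_cert_count csr_response.p7) certificate(s); import it, then re-run this script"
    echo "$3 currently serves $(served_cert_count "$3") certificate(s)"
fi
```

The signed_by_intermediate check is worth running first: if you export the wrong intermediate (a CA with a similar name is common), the import succeeds but clients still fail to build the chain, and the s_client count alone will not tell you why.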

Wednesday 26 August 2015

Disable SSLv3 in PingFederate

If you are running PingFederate 7.x or older, SSLv3 is enabled. Since SSLv3 is considered insecure I wanted to remove it from our PingFederate systems.

You disable SSLv3 fairly easily by editing the following configuration file:

$INSTALLDIR/pingfederate/etc/jetty-runtime.xml

Search for a line that looks like this:

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory"></New>

It should look like this instead (SSLv3 is disabled simply by not being in the list):

<New class="com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory">
    <Set name="includeProtocols">
        <Array type="java.lang.String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
        </Array>
    </Set>
</New>

Restart PingFederate afterwards for the change to take effect. PingFederate 8 and newer have SSLv3 disabled by default. TLSv1 and TLSv1.1 have since been deprecated as well (RFC 8996), so on a current installation you would list only TLSv1.2 and newer.
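Applying the edit above from a script, with a check of the result. This is an added example, not code from the original post or from Ping Identity. It assumes jetty-runtime.xml contains the empty one-line RuntimeSslContextFactory element shown above, and the live probe at the end assumes the runtime listener is on PingFederate's default port 9031.

```shell
#!/bin/sh
# Added example (not from the original post or Ping Identity): pin the protocol
# list in jetty-runtime.xml, read it back, and probe the listener afterwards.
# Assumptions: the empty <New ...></New> element shown in the post, port 9031.
set -eu

FACTORY='com.pingidentity.appserver.jetty.server.connector.ssl.RuntimeSslContextFactory'

# Print the file with the empty RuntimeSslContextFactory element expanded to pin
# the protocol list. A file that already carries an includeProtocols setting is
# printed unchanged, so running this twice is safe.
restrict_protocols() {    # restrict_protocols jetty-runtime.xml TLSv1.2 [TLSv1.3 ...]
    xml_file="$1"; shift
    if grep -q 'name="includeProtocols"' "$xml_file"; then
        cat "$xml_file"
        return 0
    fi
    awk -v factory="$FACTORY" -v protos="$*" '
        index($0, "class=\"" factory "\"></New>") {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)   # keep indentation
            sub(/><\/New>[ \t]*$/, ">")                           # reopen the element
            print
            print ind "    <Set name=\"includeProtocols\">"
            print ind "        <Array type=\"java.lang.String\">"
            n = split(protos, p, " ")
            for (i = 1; i <= n; i++) print ind "            <Item>" p[i] "</Item>"
            print ind "        </Array>"
            print ind "    </Set>"
            print ind "</New>"
            next
        }
        { print }' "$xml_file"
}

# The protocol names listed under includeProtocols, space separated. Empty means
# the element is unrestricted, which on PingFederate 7.x means SSLv3 is on.
enabled_protocols() {
    awk '/name="includeProtocols"/ { inside = 1 }
         inside && /<Item>/ { sub(/.*<Item>/, ""); sub(/<\/Item>.*/, ""); printf "%s%s", sep, $0; sep = " " }
         inside && /<\/Set>/ { inside = 0 }
         END { print "" }' "$1"
}

# True (exit 0) only when the file pins a protocol list that omits SSLv3.
sslv3_disabled() {
    list=$(enabled_protocols "$1")
    [ -n "$list" ] && ! printf '%s\n' "$list" | grep -qw 'SSLv3'
}

# Live check after the restart: does a handshake limited to one protocol succeed?
# OpenSSL builds since 1.1.0 usually ship without SSLv3, so -ssl3 is often not
# available on the client; probe tls1, tls1_1 and tls1_2 to see what is left.
probe_protocol() {     # probe_protocol pf.example.test:9031 tls1_2
    printf '' | openssl s_client -connect "$1" "-$2" >/dev/null 2>&1
}
```

A typical run is restrict_protocols jetty-runtime.xml TLSv1.2 > jetty-runtime.xml.new, a diff against the original, then moving the new file into place and restarting; the probe_protocol calls confirm from the outside what the file now says.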

Tuesday 14 July 2015

OGNL script in PingFederate for allowing different OAuth scopes depending on group membership

When configuring OAuth 2.0 in PingFederate you can use issuance criteria to require that a user is a member of an LDAP group before an OAuth 2.0 token is issued. But sometimes you have a mobile application with several scopes, and you do not want every user in one group to get access to all of them. Here is a small OGNL sample that grants access to different scopes depending on LDAP group membership: scope1 is granted only to members of scope1group, scope2 only to members of scope2group, and anything else is rejected.


#this.get("context.OAuthScopes").toString().matches("(?i).*scope1.*")
    ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope1group,OU=groups,O=ldap.*")
        ? @java.lang.Boolean@TRUE
        : @java.lang.Boolean@FALSE)
    : #this.get("context.OAuthScopes").toString().matches("(?i).*scope2.*")
        ? (#this.get("ds.LDAPSTORE.memberOf").toString().matches("(?i).*CN=scope2group,OU=groups,O=ldap.*")
            ? @java.lang.Boolean@TRUE
            : @java.lang.Boolean@FALSE)
        : @java.lang.Boolean@FALSE

A few things to keep in mind: matches() must match the entire string, so the leading and trailing .* are required (context.OAuthScopes is a collection whose toString() looks like [scope1, scope2]); the test is a substring match, so a scope named scope10 would also pass the scope1 branch; and only the first scope pattern that matches is evaluated, so a request for both scope1 and scope2 is decided by scope1group membership alone.

Hopefully this is useful for someone out there!