If you have a system running PingAccess you may have noticed, when scanning it with the SSL Labs scanner, that it supports Secure Client-Initiated Renegotiation, which is not good from a security point of view.
So how do you disable it? Well, since PingAccess is a Java application it simply relies on Java to disable it. The easiest way to disable it is in run.sh or run.bat:
"$JAVA" -classpath "$CLASSPATH" $JAVA_OPTS \
-Djavax.net.ssl.sessionCacheSize=5000 \
-Djava.net.preferIPv4Addresses=true \
-Djava.net.preferIPv4Stack=true \
-Djava.net.preferIPv6Addresses=false \
-Djava.awt.headless=true \
-Djdk.tls.rejectClientInitiatedRenegotiation=true \
-Dpa.jwk="$pajwk" \
-Dblitz4j.configuration="$BLITZ_PROPS" \
-Drun.properties="$runprops" \
-Dbootstrap.properties="$bootprops" \
-Dpa.home="$PA_HOME" \
com.pingidentity.pa.cli.Starter "$@"
By adding that little tls.reject line you have disabled Secure Client-Initiated Renegotiation in PingAccess.
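Before restarting, it is worth checking that the flag actually ends up on the launch line (and is not commented out or overridden by a later `=false`, since the JVM takes the last `-D` it sees and defaults to allowing renegotiation). The script below is an added example, not part of the post or of PingAccess; the run.sh text in it is a constructed sample, and the host/port used by the live probe is a placeholder.

```shell
#!/bin/sh
# Constructed sample of a PingAccess launch line (not a real run.sh).
SAMPLE_RUN_SH='"$JAVA" -classpath "$CLASSPATH" $JAVA_OPTS \
-Djava.awt.headless=true \
-Djdk.tls.rejectClientInitiatedRenegotiation=true \
com.pingidentity.pa.cli.Starter "$@"'

# renegotiation_rejected <run.sh text> [JAVA_OPTS value]
# Returns 0 when the effective value of
# jdk.tls.rejectClientInitiatedRenegotiation is true, 1 otherwise.
# run.sh passes $JAVA_OPTS before its own -D flags, so the flags in the
# script come later and win; the JVM default (flag absent) is false.
renegotiation_rejected() {
    script="$1"; opts="${2:-}"
    last=$(printf '%s\n%s\n' "$opts" "$script" \
        | grep -v '^[[:space:]]*#' \
        | grep -o 'jdk\.tls\.rejectClientInitiatedRenegotiation=[A-Za-z]*' \
        | tail -n 1 \
        | tr 'A-Z' 'a-z')
    [ "$last" = "jdk.tls.rejectclientinitiatedrenegotiation=true" ]
}

# renegotiation_probe <host:port>
# Live check against a running listener (placeholder address). After the
# handshake, openssl s_client treats a line containing only "R" as a request
# to renegotiate. Renegotiation only exists up to TLS 1.2, hence -tls1_2.
# A server with the flag set answers with a fatal alert and closes the
# connection instead of completing a second handshake; inspect the output
# that follows the "RENEGOTIATING" line.
renegotiation_probe() {
    printf 'R\n' | openssl s_client -tls1_2 -connect "$1" \
        -servername "${1%%:*}" 2>&1
}

if renegotiation_rejected "$SAMPLE_RUN_SH" "${JAVA_OPTS:-}"; then
    echo "client-initiated renegotiation: rejected"
else
    echo "client-initiated renegotiation: ALLOWED (flag missing or false)"
fi
```

Run `renegotiation_probe pingaccess.example.com:443` against your own instance after the restart to confirm the behaviour end to end.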