Change default settings
It is recommended that you change the default key and password in ASE. Following is a list of commands to change the default values:
Change ase_master.key
Run the following command to create your own ASE master key to obfuscate keys and password in ASE.
Command: generate_obfkey. ASE must be stopped before creating a new ase_master.key
/opt/pingidentity/ase/bin/cli.sh admin generate_obfkey -u admin -p admin API Security Enforcer is running. Please stop ASE before generating new obfuscation master key
Stop ASE: Stop ASE by running the following command:
/opt/pingidentity/ase/bin/stop.sh -u admin –p admin checking API Security Enforcer status…sending stop request to ASE. please wait… API Security Enforcer stopped
Change ase_master.key: Enter the generate_obfkey command to change the default ASE master key:
/opt/pingidentity/ase/bin/cli.sh -u admin -p admin generate_obfkey Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist. This command will delete it create a new key in the same file Do you want to proceed [y/n]:
After you change the ase_master.key, you need to obfuscate all keys and passwords with the new ase_master.key. Enter the keys and passwords in ase.conf, abs.conf, and cluster.conf in plain text and run the obfuscation commands. For more information on obfuscation, see Obfuscate keys and passwords.
Start ASE: After a new ASE master key is generated, start ASE by entering the following command:
/opt/pingidentity/ase/bin/start.sh Starting API Security Enforcer 4.1... please see /opt/pingidentity/ase/logs/controller.log for more details
Change keystore password
You can change the keystore password by entering the following command. The default password is asekeystore. ASE must be running for updating the keystore password.
Command: update_keystore_password
/opt/pingidentity/ase/bin/cli.sh update_keystore_password -u admin -p admin New password > New password again > keystore password updated
Change admin password
You can change the default admin password by entering the following command.
/opt/pingidentity/ase/bin/cli.sh update_password -u admin Old password > New password > New password again > Password updated successfully
You can change the password on a single ASE node and propagate the change to other nodes in the ASE cluster. For more information, see Propagate changed password.
Any change in the ASE admin password must be updated in the PingIntelliegence for APIs Dashboard. Add the new password to <pi_install_dir>/webgui/config/webgui.properties and obfuscate it.