PingIntelligence

Obfuscate keys and passwords

Using the ASE command line interface, you can obfuscate keys and passwords configured in ase.conf, cluster.conf, and abs.conf. The following data is obfuscated in each file:

  • ase.conf – Email and keystore (PKCS#12) password

  • cluster.conf – Cluster authentication key

  • abs.conf – ABS access and secret key

ASE ships with a default master key (ase_master.key), which is used to obfuscate other keys and passwords. It is recommended to generate your own ase_master.key.

ASE must be stopped while keys and passwords are being obfuscated.

The following diagram summarizes the obfuscation process:

[Image: the key and password obfuscation process]

Generating your ase_master.key

You can generate the ase_master.key by running the generate_obfkey ASE CLI command.

/opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p

Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding

Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys

Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exists. This command will delete it and create a new key in the same file.

Do you want to proceed [y/n]:y
creating new obfuscation master key
Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key

The new ase_master.key is used to obfuscate the keys and passwords in the configuration files.

In an ASE cluster, the ase_master.key must be manually copied to each cluster node.

Obfuscate keys and passwords

Enter the keys and passwords in clear text in ase.conf, cluster.conf, and abs.conf. Run the obfuscate_keys command to obfuscate keys and passwords:

/opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p

Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding

If config keys and passwords are already obfuscated using the current master key, they are not obfuscated again

Following keys will be obfuscated:
config/ase.conf: sender_password, keystore_password
config/abs.conf: access_key, secret_key
config/cluster.conf: cluster_secret_key

Do you want to proceed [y/n]:y
obfuscating config/ase.conf, success
obfuscating config/abs.conf, success
obfuscating config/cluster.conf, success

Start ASE after keys and passwords are obfuscated.

After the keys and passwords are obfuscated, move the ase_master.key from ASE to a secure location for security reasons. If you want to restart ASE, the ase_master.key must be present in the /opt/pingidentity/ase/config/ directory.
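Both generate_obfkey and obfuscate_keys ask for a backup of the master key and the three configuration files before proceeding. The helper below is an added example, not part of the PingIntelligence product or its documentation: the function name backup_ase_config and the default backup directory are assumptions, while the file names and /opt/pingidentity/ase come from this page.

```shell
#!/bin/sh
# Added example: back up the four files the ASE CLI names before running
# generate_obfkey or obfuscate_keys. backup_ase_config is a hypothetical helper.

# Usage: backup_ase_config [ASE_HOME] [BACKUP_ROOT]
# Prints the backup directory on success; returns non-zero on any failure.
backup_ase_config() {
    ase_home=${1:-/opt/pingidentity/ase}
    backup_root=${2:-"$ase_home/backup"}   # assumed default; prefer an off-host path
    files="ase_master.key ase.conf abs.conf cluster.conf"

    # Refuse to start unless every file is present, so a partial backup
    # is never mistaken for a complete one.
    for f in $files; do
        if [ ! -f "$ase_home/config/$f" ]; then
            echo "missing: $ase_home/config/$f" >&2
            return 1
        fi
    done

    # The copies hold the master key and possibly clear-text secrets:
    # create them readable by the owner only.
    old_umask=$(umask)
    umask 077
    dest="$backup_root/ase-config-$(date +%Y%m%d-%H%M%S)"
    if ! mkdir -p "$dest"; then
        umask "$old_umask"
        return 1
    fi
    rc=0
    for f in $files; do
        # Copy, then compare byte for byte before trusting the backup.
        cp -p "$ase_home/config/$f" "$dest/$f" &&
            cmp -s "$ase_home/config/$f" "$dest/$f" || { rc=1; break; }
    done
    # cp -p keeps the source mode, so tighten permissions explicitly.
    chmod 700 "$dest" && chmod 600 "$dest"/* || rc=1
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    echo "$dest"
}
```

Run it with ASE stopped and before answering y to either CLI prompt. Treat the backup directory with the same care as the master key itself, since it contains ase_master.key alongside the configuration files.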