--- title: Obfuscate keys and passwords description: Using the ASE command line interface, you can obfuscate keys and passwords configured in ase.conf, cluster.conf, and abs.conf. Here is the obfuscated data in each file: component: pingintelligence version: 5.1 page_id: pingintelligence:api_security_enforcer:pingintelligence_obfuscating_keys_and_passwords canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/api_security_enforcer/pingintelligence_obfuscating_keys_and_passwords.html revdate: May 6, 2024 section_ids: generating-your-ase_master-key: Generating your ase_master.key obfuscate-keys-and-passwords: Obfuscate keys and passwords --- # Obfuscate keys and passwords Using the ASE command line interface, you can obfuscate keys and passwords configured in `ase.conf`, `cluster.conf`, and `abs.conf`. Here is the obfuscated data in each file: * `ase.conf` – Email and keystore (PKCS#12) password * `cluster.conf` – Cluster authentication key * `abs.conf` – ABS access and secret key ASE ships with a default master key (`ase_master.key`) which is used to obfuscate other keys and passwords. It is recommended to generate your own`ase_master.key`. | | | | - | ---------------------------------------------------------------- | | | During the process of obfuscation password, ASE must be stopped. | The following diagram summarizes the obfuscation process: ![Image showing the key and password obfuscation process](../_images/jnt1564009002417.png) ## Generating your `ase_master.key` You can generate the `ase_master.key` by running the `generate_obfkey` ASE CLI command. ``` /opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exists. This command will delete it and create a new key in the same file. Do you want to proceed [y/n]:y creating new obfuscation master key Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key ``` The new `ase_master.key` is used to obfuscate the keys and passwords in the configuration files. | | | | - | ------------------------------------------------------------------------------------- | | | In an ASE cluster, the `ase_master.key` must be manually copied to each cluster node. | ## **Obfuscate keys and passwords** Enter the keys and passwords in clear text in `ase.conf`, `cluster.conf`, and `abs.conf`. Run the `obfuscate_keys` command to obfuscate keys and passwords: ``` /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding If config keys and passwords are already obfuscated using the current master key, they are not obfuscated again Following keys will be obfuscated: config/ase.conf: sender_password, keystore_password config/abs.conf: access_key, secret_key config/cluster.conf: cluster_secret_key Do you want to proceed [y/n]:y obfuscating config/ase.conf, success obfuscating config/abs.conf, success obfuscating config/cluster.conf, success ``` Start ASE after keys and passwords are obfuscated. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | After the keys and passwords are obfuscated, the `ase_master.key` must be moved to a secure location from ASE for security reasons. If you want to restart ASE, the `ase_master.key` must be present in the `/opt/pingidentity/ase/config/` directory. |