--- title: Obfuscate keys and passwords description: You must obfuscate the keys and passwords configured in ase.conf, cluster.conf, and abs.conf in the config directory. ASE ships with a default ase_master.key which is used to obfuscate the various keys and passwords. It is recommended to generate your own ase_master.key. component: pingintelligence version: 5.1 page_id: pingintelligence:pingintelligence_production_deployment:pingintelligence_obfuscating_ase canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_production_deployment/pingintelligence_obfuscating_ase.html revdate: March 27, 2024 section_ids: generate-your-ase_master-key: Generate your ase_master.key obfuscate-key-and-passwords: Obfuscate key and passwords --- # Obfuscate keys and passwords You must obfuscate the keys and passwords configured in `ase.conf,` `cluster.conf,` and `abs.conf` in the config directory. ASE ships with a default `ase_master.key` which is used to obfuscate the various keys and passwords. It is recommended to generate your own `ase_master.key`. The following keys and passwords are obfuscated in the three configuration files: * `ase.conf` – Email and Keystore (PKCS#12) password * `cluster.conf` – ABS access and secret key * `abs.conf` – Cluster authentication key, gateway\_credential | | | | - | --------------------------------------------------------------------------------------------------------------------------- | | | During the process of obfuscation of keys and password, ASE must be [stopped](pingintelligence_starting_stopping_ase.html). | The following diagram summarizes the obfuscation process: ![pcv1564009150135](../_images/pcv1564009150135.png) ## Generate your ase\_master.key You can generate the `ase_master.key` by running the `generate_obfkey` command in the ASE CLI: ``` /opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist. This command will delete it create a new key in the same file Do you want to proceed [y/n]:y creating new obfuscation master key Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key ``` The new `ase_master.key` is used to obfuscate the keys and passwords in the various configuration files. | | | | - | ------------------------------------------------------------------------------------------------- | | | In an ASE cluster, the new `ase_master.key` must be manually copied to each of the cluster nodes. | ## Obfuscate key and passwords Enter the keys and passwords in clear text in `ase.conf`, `cluster.conf,` and `abs.conf`. Run the `obfuscate_keys` command to obfuscate keys and passwords: ``` /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding If config keys and password are already obfuscated using the current master key, it is not obfuscated again Following keys will be obfuscated: config/ase.conf: sender_password, keystore_password config/abs.conf: access_key, secret_key config/cluster.conf: cluster_secret_key Do you want to proceed [y/n]:y obfuscating config/ase.conf, success obfuscating config/abs.conf, success obfuscating config/cluster.conf, success ``` Start ASE after keys and passwords are obfuscated. | | | | - | -------------------------------------------------------------------------------------------------------------- | | | After the keys and passwords are obfuscated, the `ase_master.key` must be moved to a secure location from ASE. |