--- title: Obfuscating ASE keys and passwords description: You must obfuscate the keys and passwords configured in ase.conf, cluster.conf, and abs.conf in the config directory. component: pingintelligence version: 5.2 page_id: pingintelligence:installing_pingintelligence_for_apis:pingintelligence_obfuscating_ase canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/installing_pingintelligence_for_apis/pingintelligence_obfuscating_ase.html revdate: April 3, 2024 section_ids: about-this-task: About this task steps: Steps next-steps: Next steps --- # Obfuscating ASE keys and passwords You must obfuscate the keys and passwords configured in `ase.conf`, `cluster.conf`, and `abs.conf` in the `config` directory. ## About this task ASE ships with a default `ase_master.key`, which is used to obfuscate the various keys and passwords. It is recommended to generate your own `ase_master.key`. The following keys and passwords are obfuscated in the three configuration files: * `ase.conf`: Email and key store (PKCS#12) password * `cluster.conf`: ABS access and secret key * `abs.conf`: Cluster authentication key, `gateway_credential` The new `ase_master.key` is used to obfuscate the keys and passwords in the various configuration files. | | | | - | ------------------------------------------------------------------------------------------------------------------------- | | | During the process of obfuscating keys and passwords, ASE must be [stopped](pingintelligence_starting_stopping_ase.html). | The following diagram summarizes the obfuscation process: ![Diagram of the key/password obfuscation process.](../_images/pcv1564009150135.png) ## Steps 1. To generate the `ase_master.key`, run the `generate_obfkey` command in the ASE command-line interface (CLI): ``` /opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist. This command will delete it create a new key in the same file Do you want to proceed [y/n]:y creating new obfuscation master key Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key ``` | | | | - | ------------------------------------------------------------------------------------------------- | | | In an ASE cluster, the new `ase_master.key` must be manually copied to each of the cluster nodes. | 2. Enter the keys and passwords in clear text in `ase.conf`, `cluster.conf`, and `abs.conf`. 3. Run the `obfuscate_keys` command to obfuscate keys and passwords: ``` /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding If config keys and password are already obfuscated using the current master key, it is not obfuscated again Following keys will be obfuscated: config/ase.conf: sender_password, keystore_password config/abs.conf: access_key, secret_key config/cluster.conf: cluster_secret_key Do you want to proceed [y/n]:y obfuscating config/ase.conf, success obfuscating config/abs.conf, success obfuscating config/cluster.conf, success ``` 4. Start ASE after keys and passwords are obfuscated. ## Next steps | | | | - | -------------------------------------------------------------------------------------------------------------- | | | After the keys and passwords are obfuscated, the `ase_master.key` must be moved to a secure location from ASE. |