PingIntelligence

Obfuscating ABS keys and passwords

Using the ABS command line interface, you can obfuscate the keys and passwords configured in abs.properties.

About this task

The following keys and passwords are obfuscated:

  • mongo_password

  • jks_password

  • email_password

ABS ships with a default abs_master.key, which is used to obfuscate the various keys and passwords. It is recommended to generate your own abs_master.key. The default jks_password abs123 is configured in the abs.properties file.

ABS must be stopped while the keys and passwords are being obfuscated.

The following diagram summarizes the obfuscation process:

Diagram of the ABS password obfuscation process.

Steps

  1. To generate the abs_master.key, run the generate_obfkey command in the ABS command-line interface (CLI):

    /opt/pingidentity/abs/bin/cli.sh generate_obfkey -u admin -p admin
    
    Please take a backup of config/abs_master.key before proceeding.
    
    Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh -obfuscate_keys
    
    Warning: Obfuscation master key file
    /pingidentity/abs/config/abs_master.key already exist. This command will delete it create a new key in the same file
    
    Do you want to proceed [y/n]: y
    
    creating new obfuscation master key
    Success: created new obfuscation master key at /pingidentity/abs/config/abs_master.key

    In an ABS cluster, the abs_master.key must be manually copied to each of the cluster nodes.

    Result:

    The new abs_master.key is used to obfuscate the passwords in the abs.properties file.

  2. To obfuscate the keys and passwords:

    1. Enter the keys and passwords in clear text in the abs.properties file.

    2. Run the obfuscate_keys command:

      /opt/pingidentity/abs/bin/cli.sh obfuscate_keys -u admin -p admin
      
      Please take a backup of config/abs.password before proceeding
      
      Enter clear text keys and password before obfuscation.
      
      Following keys will be obfuscated
      
      config/abs.properties: mongo_password, jks_password and email_password
      Do you want to proceed [y/n]: y
      
      obfuscating /pingidentity/abs/config/abs.properties
      
      Success: secret keys in /pingidentity/abs/config/abs.properties obfuscated

  3. After passwords are obfuscated, start ABS.

    After the keys and passwords are obfuscated, move the abs_master.key from ABS to a secure location.
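
A check to run after the procedure above, as an added example that is not part of the ABS CLI or Ping Identity's code: it compares abs.properties with a cleartext backup copy and reports any of the three keys that obfuscate_keys left unchanged, a jks_password that was still the default abs123, and an abs_master.key that has not yet been moved. The function names, the backup file name and the sample values are assumptions, and the sample obfuscated value is a placeholder rather than the real ABS output format.

```shell
#!/bin/sh
# Added example (not Ping Identity code): confirm obfuscate_keys changed every
# secret by comparing abs.properties with the cleartext backup taken beforehand.
OBF_KEYS="mongo_password jks_password email_password"  # keys listed on this page
DEFAULT_JKS="abs123"                                   # shipped default jks_password

# prop_value FILE KEY: print KEY's value (last assignment wins), empty if unset.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_obfuscated CONFIG_DIR BACKUP_FILE: print findings, return their count.
check_obfuscated() {
    props="$1/abs.properties"; backup=$2; findings=0
    for key in $OBF_KEYS; do
        now=$(prop_value "$props" "$key")
        before=$(prop_value "$backup" "$key")
        if [ -n "$now" ] && [ "$now" = "$before" ]; then
            echo "CLEARTEXT  $key is unchanged from the pre-obfuscation backup"
            findings=$((findings + 1))
        fi
        if [ "$key" = jks_password ] && [ "$before" = "$DEFAULT_JKS" ]; then
            echo "DEFAULT    jks_password was the shipped default when obfuscated"
            findings=$((findings + 1))
        fi
    done
    if [ -e "$1/abs_master.key" ]; then
        echo "MASTER KEY abs_master.key is still in $1; move it to a secure location"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a config directory where only mongo_password was changed.
# The obfuscated value is a placeholder, not the real ABS output format.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'mongo_password=s3cret\njks_password=abs123\nemail_password=mail-pw\n' \
    > "$demo/abs.properties.bak"
printf 'mongo_password=PLACEHOLDER-OBFUSCATED\njks_password=abs123\nemail_password=mail-pw\n' \
    > "$demo/abs.properties"
: > "$demo/abs_master.key"
check_obfuscated "$demo" "$demo/abs.properties.bak" || echo "findings: $?"
```

The backup file holds the secrets in clear text, so delete it or store it with the master key once the check reports no findings.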