PingIntelligence

Obfuscating ASE keys and passwords

You must obfuscate the keys and passwords configured in ase.conf, cluster.conf, and abs.conf in the config directory.

About this task

ASE ships with a default ase_master.key, which is used to obfuscate the various keys and passwords. It is recommended to generate your own ase_master.key.

The following keys and passwords are obfuscated in the three configuration files:

  • ase.conf: Email and key store (PKCS#12) password

  • cluster.conf: ABS access and secret key

  • abs.conf: Cluster authentication key, gateway_credential

The new ase_master.key is used to obfuscate the keys and passwords in the various configuration files.

During the process of obfuscating keys and passwords, ASE must be stopped.

The following diagram summarizes the obfuscation process:

Diagram of the key/password obfuscation process.

Steps

  1. To generate the ase_master.key, run the generate_obfkey command in the ASE command-line interface (CLI):

    /opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p
    Please take a backup of config/ase_master.key, config/ase.conf,
    config/abs.conf, config/cluster.conf before proceeding
    
    Warning: Once you create a new obfuscation master key, you should obfuscate
    all config keys also using cli.sh obfuscate_keys
    
    Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key
    already exist.
    
    This command will delete it create a new key in the same file
    Do you want to proceed [y/n]:y
    creating new obfuscation master key
    Success: created new obfuscation master key at
    /opt/pingidentity/ase/config/ase_master.key

    In an ASE cluster, the new ase_master.key must be manually copied to each of the cluster nodes.

  2. Enter the keys and passwords in clear text in ase.conf, cluster.conf, and abs.conf.

  3. Run the obfuscate_keys command to obfuscate keys and passwords:

    /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p
    Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding
    If config keys and password are already obfuscated using the current master key, it is not obfuscated again
    Following keys will be obfuscated:
    config/ase.conf: sender_password, keystore_password
    config/abs.conf: access_key, secret_key
    config/cluster.conf: cluster_secret_key
    Do you want to proceed [y/n]:y
    obfuscating config/ase.conf, success
    obfuscating config/abs.conf, success
    obfuscating config/cluster.conf, success

  4. Start ASE after keys and passwords are obfuscated.
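
The following shell helpers are an added example, not part of the original page or of Ping Identity's tooling. They take the backup that the CLI prompts ask for, then confirm after step 3 that none of the listed keys is still in clear text before ASE is started. The file and key names come from the obfuscate_keys output above; the `OBF:` prefix on obfuscated values, the `key=value` line format, and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Ping Identity code). File and key names come from the
# obfuscate_keys output; the "OBF:" value prefix is an assumption.
OBF_PREFIX="${OBF_PREFIX:-OBF:}"

# Secret-bearing keys per file, as listed by obfuscate_keys.
keys_for() {
  case "$1" in
    ase.conf)     echo "sender_password keystore_password" ;;
    abs.conf)     echo "access_key secret_key" ;;
    cluster.conf) echo "cluster_secret_key" ;;
  esac
}

# backup_config <config_dir> <backup_dir>: copy the four files the CLI asks
# you to back up. Runs in a subshell so the strict umask does not leak out.
backup_config() (
  umask 077
  mkdir -p "$2" || exit 1
  for f in ase_master.key ase.conf abs.conf cluster.conf; do
    cp -p "$1/$f" "$2/$f" || exit 1
  done
)

# cleartext_keys <config_dir>: print "file: key" for each listed key whose
# non-empty value lacks the prefix; return 1 if any is found or a file is
# unreadable. Only lines that start with the key name are matched.
cleartext_keys() {
  local dir="$1" f k val rc=0
  for f in ase.conf abs.conf cluster.conf; do
    if [ ! -r "$dir/$f" ]; then echo "$f: unreadable"; rc=1; continue; fi
    for k in $(keys_for "$f"); do
      val=$(sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$dir/$f" | tail -n 1)
      case "$val" in
        ""|"$OBF_PREFIX"*) ;;
        *) echo "$f: $k"; rc=1 ;;
      esac
    done
  done
  return "$rc"
}
```

Run `backup_config /opt/pingidentity/ase/config <backup_dir>` before step 1 and `cleartext_keys /opt/pingidentity/ase/config` after step 3; a non-zero exit from the second means a listed key was not obfuscated.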

Next steps

After the keys and passwords are obfuscated, the ase_master.key must be moved from ASE to a secure location.