PingIntelligence

Changing default settings

For security reasons, you should change the default master key and passwords in API Security Enforcer (ASE).

About this task

To change the default values:

Steps

  1. Stop ASE by running the stop.sh command.

    Example:

    /opt/pingidentity/ase/bin/stop.sh -u admin -p admin
    checking API Security Enforcer status…sending stop request to ASE. please wait…
    API Security Enforcer stopped

    If you try to generate your ase_master.key in step 2 without stopping ASE, you see the following:

    /opt/pingidentity/ase/bin/cli.sh admin generate_obfkey -u admin -p admin
    API Security Enforcer is running. Please stop ASE before generating new obfuscation master key
  2. To change the default ase_master.key, run the generate_obfkey command.

    You must have the ase_master.key to obfuscate keys and passwords in ASE.

    Example:

    /opt/pingidentity/ase/bin/cli.sh -u admin -p admin generate_obfkey
    Please take a backup of config/ase_master.key, config/ase.conf,
    config/abs.conf, config/cluster.conf before proceeding
    Warning: Once you create a new obfuscation master key, you should
    obfuscate all config keys also using cli.sh obfuscate_keys
    Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist.
    This command will delete it create a new key in the same file
    Do you want to proceed [y/n]:
  3. To obfuscate all keys and passwords with the new ase_master.key, enter the keys and passwords in ase.conf, abs.conf, and cluster.conf in clear text and run the obfuscation commands.

    For more information on obfuscation, see Obfuscating keys and passwords.

  4. After generating a new ase_master.key, start ASE by running the start.sh command.

    Example:

    /opt/pingidentity/ase/bin/start.sh
    Starting API Security Enforcer 4.1...
    please see /opt/pingidentity/ase/logs/controller.log for more details
  5. To change the keystore password, run the update_keystore_password command.

    ASE must be running to update the keystore password. The default password is asekeystore.

    Example:

    /opt/pingidentity/ase/bin/cli.sh update_keystore_password -u admin -p admin
    New password >
    New password again >
    keystore password updated
  6. To change the default admin password, run the update_password command.

    Example:

    /opt/pingidentity/ase/bin/cli.sh update_password -u admin
    Old password >
    New password >
    New password again >
    Password updated successfully

    You can change the password on a single ASE node and propagate the change to other nodes in the ASE cluster. For more information, see Propagate changed password.

    If you change the ASE admin password, you must also update it in the PingIntelligence for APIs Dashboard: add the new password to the <pi_install_dir>/webgui/config/webgui.properties file and obfuscate it.
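
The generate_obfkey warning in step 2 asks for a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before the key is replaced. The following is an added example, not part of the Ping Identity documentation or tooling: the function name backup_ase_config and the destination directory are assumptions, and the default install path is the one used in the examples above.

```bash
#!/usr/bin/env bash
# Added example (not Ping Identity code): back up the four files named in the
# generate_obfkey warning. Run after stop.sh and before generate_obfkey.

backup_ase_config() {
    local ase_home="${1:-/opt/pingidentity/ase}"   # install path from this page
    local dest_root="$2"                           # assumption: caller-chosen location
    local files="ase_master.key ase.conf abs.conf cluster.conf"
    local f dest

    [ -n "$dest_root" ] || { echo "usage: backup_ase_config ASE_HOME DEST_ROOT" >&2; return 1; }

    # Refuse to start if any file is missing, so a partial backup is never
    # mistaken for a complete one.
    for f in $files; do
        if [ ! -f "$ase_home/config/$f" ]; then
            echo "missing: $ase_home/config/$f" >&2
            return 1
        fi
    done

    # The backup holds the master key next to the values it obfuscates,
    # so create it readable by the owner only.
    dest="$dest_root/ase-config-$(date +%Y%m%dT%H%M%S)"
    ( umask 077
      mkdir -p "$dest" || exit 1
      for f in $files; do
          cp -p "$ase_home/config/$f" "$dest/$f" || exit 1
          chmod 600 "$dest/$f"
      done
      # Manifest lets you confirm the copies are intact before a restore.
      cd "$dest" && sha256sum $files > SHA256SUMS
    ) || return 1

    # Verify the copies against the manifest just written.
    ( cd "$dest" && sha256sum -c SHA256SUMS >/dev/null ) || return 1
    echo "$dest"
}
```

The function prints the path of the backup directory on success. Keep that directory off shared storage, because anyone who can read both the old ase_master.key and the old configuration files can recover the values they obfuscate.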