PingIntelligence

Native and Pluggable Authentication Modules (PAM) authentication

API Security Enforcer (ASE) provides two types of authentication:

  • Linux Pluggable Authentication Module (PAM)

  • ASE native authentication (default method)

All actions carried out on ASE require an authenticated user.

You can select the authentication method in either of two ways:

  • Configure auth_method parameter in the ase.conf file. For more information, see ASE Initial Configuration.

  • Run a command-line interface (CLI) command (update_auth_method <method> ).

The following diagram shows the transition between authentication modes.

[Diagram: ASE in native authentication mode, backed by its local database, transitions to PAM mode through the update_auth_method CLI command and is then connected to Linux PAM.]

The authentication method can be changed during run-time without restarting ASE.

Configuring ASE native authentication

About this task

By default, ASE uses its native authentication, which ships with the system and stores a single shared administrator account in the local ASE database. Every CLI command is run by supplying that shared username and password with the command. The system ships with a default username (admin) and password (admin).

Always change the default password using the update_password command. For more information on ASE commands, see Appendix A.

Steps

  • To configure ase.conf to support native authentication, use the default configuration values:

    auth_method=ase::db
  • To change the authentication from native authentication to PAM mode, enter the following command in the ASE command line:

    In the example, login is the name of a PAM service, that is, the configuration file /etc/pam.d/login. It is not a script; PAM uses the rules in that file to decide how ASE administrators are authenticated.

    /opt/pingidentity/ase/bin/cli.sh update_auth_method pam::login -u admin -p <password>
  • To switch from PAM mode authentication back to native authentication, issue the following CLI command, authenticating as a user that the PAM service accepts:

    /opt/pingidentity/ase/bin/cli.sh update_auth_method ase::db -u <pam_user> -p <password>

    Example:

    The following is an example of a CLI command with native authentication (-u, -p) enabled:

    /opt/pingidentity/ase/bin/cli.sh add_server -u admin -p <password>

Recovering ASE from an unavailable pam.d service file

About this task

When a PAM service name that does not exist under /etc/pam.d is entered while changing to PAM authentication, PAM falls back to its default service, /etc/pam.d/other. On most systems that file denies all authentication, so ASE becomes inaccessible to administrators. If this happens, you must recover ASE.

To recover ASE:

Steps

  1. Copy /etc/pam.d/login to /etc/pam.d/other.

    Result:

    ASE authenticates administrators through the same PAM rules that /etc/pam.d/login uses, so the accounts accepted by the login service can sign on again.

  2. After signing back on to ASE, change the authentication method to the correct PAM service name with update_auth_method, then restore the original /etc/pam.d/other.

    Copying the contents of /etc/pam.d/login to /etc/pam.d/other does not require a restart of ASE or the host operating system.
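The lockout described above happens because update_auth_method does not verify that the named PAM service file exists. The following is an added example, not part of the PingIntelligence product or documentation, that wraps the switch-to-PAM step with that check and also scripts the recovery step (copying login to other). It assumes the CLI path shown on this page, and it reads the PAM directory from PAM_DIR (default /etc/pam.d) so it can be exercised against a scratch directory. The password is deliberately not embedded; the printed command ends at -p so the operator supplies it when running.

```shell
#!/bin/sh
# Added example, not PingIntelligence's own tooling.
# Assumptions: ASE CLI lives at /opt/pingidentity/ase/bin/cli.sh (path from the
# page); PAM service files live in $PAM_DIR, which defaults to /etc/pam.d.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
ASE_CLI="${ASE_CLI:-/opt/pingidentity/ase/bin/cli.sh}"

# Return 0 if "$1" names an existing PAM service file, 1 otherwise.
# Names containing a slash, or "." / "..", are rejected so a typo cannot
# resolve to a file outside $PAM_DIR.
pam_service_exists() {
    svc="$1"
    case "$svc" in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -f "$PAM_DIR/$svc" ]
}

# Print the update_auth_method command for switching ASE to PAM service "$1",
# authenticating as native user "$2". Refuses (exit 1) when the service file
# is missing, because PAM would then fall back to $PAM_DIR/other and lock
# administrators out. The password is appended by the operator at run time.
build_switch_cmd() {
    svc="$1"
    user="$2"
    if ! pam_service_exists "$svc"; then
        echo "refusing: $PAM_DIR/$svc does not exist;" \
             "PAM would fall back to $PAM_DIR/other" >&2
        return 1
    fi
    printf '%s update_auth_method pam::%s -u %s -p\n' "$ASE_CLI" "$svc" "$user"
}

# Recovery step from the page: make the default "other" service behave like
# "login" so administrators can sign on again. Keeps a backup of the original
# "other" file (if any) so it can be restored afterwards.
recover_other_from_login() {
    if [ ! -f "$PAM_DIR/login" ]; then
        echo "no $PAM_DIR/login to copy" >&2
        return 1
    fi
    if [ -f "$PAM_DIR/other" ]; then
        cp "$PAM_DIR/other" "$PAM_DIR/other.pre-recovery"
    fi
    cp "$PAM_DIR/login" "$PAM_DIR/other"
}

# Usage (run as root on the ASE host):
#   build_switch_cmd login admin        # prints the safe command, or refuses
#   recover_other_from_login            # after a lockout
```

Run build_switch_cmd before the real switch; if it refuses, fix the service name instead of continuing. After recovering, switch ASE to the correct service and then move other.pre-recovery back to other, so the permissive copy of the login rules does not remain the system-wide PAM default.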