Obfuscating keys and passwords
Using the API Behavioral Security (ABS) command line interface, you can obfuscate the keys and passwords configured in abs.properties.
About this task
The keys and passwords obfuscated include:
- mongo_password
- jks_password
- email_password
ABS ships with a default abs_master.key, which is used to obfuscate the keys and passwords. It is recommended that you generate your own abs_master.key rather than rely on the shipped default.
The following diagram summarizes the obfuscation process.
Steps
- Stop ABS before obfuscating keys and passwords.
- Generate your own abs_master.key by running the generate_obfkey ABS CLI command:

    /opt/pingidentity/abs/bin/cli.sh generate_obfkey -u admin -p admin
    Please take a backup of config/abs_master.key before proceeding.
    Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh -obfuscate_keys
    Warning: Obfuscation master key file /pingidentity/abs/config/abs_master.key already exists. This command will delete it and create a new key in the same file
    Do you want to proceed [y/n]: y
    Creating new obfuscation master key
    Success: created new obfuscation master key at /pingidentity/abs/config/abs_master.key

  The new abs_master.key is used to obfuscate the passwords in the abs.properties file. After the keys and passwords are obfuscated, the abs_master.key must be moved to a secure location and not stored on ABS. In an ABS cluster, the abs_master.key must be manually copied to each of the cluster nodes.
- To obfuscate the keys and passwords, enter the keys and passwords in clear text in the abs.properties file.
- Run the obfuscate_keys command:

    /opt/pingidentity/abs/bin/cli.sh obfuscate_keys -u admin -p admin
    Please take a backup of config/abs.password before proceeding
    Enter clear text keys and passwords before obfuscation.
    Following keys will be obfuscated config/abs.properties: mongo_password, jks_password and email_password
    Do you want to proceed [y/n]: y
    obfuscating /pingidentity/abs/config/abs.properties
    Success: secret keys in /pingidentity/abs/config/abs.properties obfuscated

- Start ABS after the passwords are obfuscated.
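As an added example (not Ping Identity's own tooling), a POSIX shell wrapper for the procedure above: it checks that the three keys have clear-text values before obfuscate_keys runs, takes the backup the CLI asks for, runs both commands, and then verifies that none of the clear-text values survived in abs.properties. The cli.sh path, credentials and key names are the ones shown on this page; ABS_HOME and piping "y" into the confirmation prompts are assumptions, and the ABS stop/start commands are not shown on this page.

```shell
#!/bin/sh
# Hypothetical wrapper for the procedure above (added example, not Ping Identity's
# own tooling). cli.sh path, credentials and key names are from this page; ABS_HOME
# and piping "y" into the confirmation prompts are assumptions.
ABS_HOME="${ABS_HOME:-/opt/pingidentity/abs}"
PROPS="$ABS_HOME/config/abs.properties"
MASTER_KEY="$ABS_HOME/config/abs_master.key"
OBF_KEYS="mongo_password jks_password email_password"   # the keys ABS obfuscates

# prop_value FILE KEY: value of KEY in a Java-style properties file (first match).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# missing_clear_text FILE: print the keys that still have no value and return 1 if
# any is empty (step 3 needs clear-text values in place before obfuscate_keys runs).
missing_clear_text() {
    _missing=""
    for k in $OBF_KEYS; do
        [ -n "$(prop_value "$1" "$k")" ] || _missing="$_missing $k"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}
# snapshot FILE: one value per line in OBF_KEYS order, kept in a shell variable so
# no clear-text copy of abs.properties is written to disk for the later comparison.
snapshot() { for k in $OBF_KEYS; do prop_value "$1" "$k"; done; }

# values_changed SNAPSHOT FILE: 0 only if every key's value in FILE differs from the
# snapshot, i.e. none of the clear-text values survived obfuscation.
values_changed() {
    i=0
    for k in $OBF_KEYS; do
        i=$((i + 1))
        old=$(printf '%s\n' "$1" | sed -n "${i}p")
        [ "$old" != "$(prop_value "$2" "$k")" ] || return 1
    done
}
# run_procedure: steps 2 to 4 of the page (stop ABS before, start it after).
run_procedure() {
    missing_clear_text "$PROPS" >/dev/null || { echo "enter clear-text values first" >&2; return 1; }
    cp -p "$MASTER_KEY" "$MASTER_KEY.bak"        # the backup the CLI asks for
    before=$(snapshot "$PROPS")
    printf 'y\n' | "$ABS_HOME/bin/cli.sh" generate_obfkey -u admin -p admin
    printf 'y\n' | "$ABS_HOME/bin/cli.sh" obfuscate_keys -u admin -p admin
    values_changed "$before" "$PROPS" || { echo "clear text still present in $PROPS" >&2; return 1; }
    echo "done: move $MASTER_KEY and $MASTER_KEY.bak off this node (copy to every cluster node first)"
}
if [ "${1:-}" = "run" ]; then run_procedure; fi
```

Run it as `sh obfuscate_abs.sh run` on the ABS node after stopping ABS; the helper functions can also be sourced on their own to audit an abs.properties file.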