PingIntelligence

Obfuscating keys and passwords

Using the API Behavioral Security (ABS) command line interface, you can obfuscate the keys and passwords configured in abs.properties.

About this task

The keys and passwords obfuscated include:

  • mongo_password

  • jks_password

  • email_password

ABS ships with a default abs_master.key which is used to obfuscate the keys and passwords. It is recommended to generate your own abs_master.key.

The following diagram summarizes the obfuscation process.

A flowchart of the obfuscation process as described in the text.

Steps

  1. To obfuscate keys and passwords, stop ABS.

  2. To generate your abs_master.key, run the generate_obfkey ABS CLI command.

    /opt/pingidentity/abs/bin/cli.sh generate_obfkey -u admin -p admin
    Please take a backup of config/abs_master.key before proceeding.
    Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh -obfuscate_keys
    Warning: Obfuscation master key file
    /pingidentity/abs/config/abs_master.key already exists. This command will delete it and create a new key in the same file
    Do you want to proceed [y/n]: y
    Creating new obfuscation master key
    Success: created new obfuscation master key at /pingidentity/abs/config/abs_master.key

    The new abs_master.key is used to obfuscate the passwords in abs.properties file.

    After the keys and passwords are obfuscated, the abs_master.key must be moved to a secure location and not stored on ABS.

    In an ABS cluster, the abs_master.key must be manually copied to each of the cluster nodes.

  3. To obfuscate keys and passwords, enter the keys and passwords in clear text in the abs.properties file.

  4. Run the obfuscate_keys command.

    /opt/pingidentity/abs/bin/cli.sh obfuscate_keys -u admin -p admin
    Please take a backup of config/abs.password before proceeding
    Enter clear text keys and passwords before obfuscation.
    Following keys will be obfuscated
    config/abs.properties: mongo_password, jks_password and email_password
    Do you want to proceed [y/n]: y
    obfuscating /pingidentity/abs/config/abs.properties
    Success: secret keys in /pingidentity/abs/config/abs.properties obfuscated

  5. Start ABS after passwords are obfuscated.
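A post-procedure check, added here as an example and not part of the ABS CLI: it compares abs.properties against a copy taken after step 3 and reports any of the three keys whose value did not change, and whether abs_master.key is still in the config directory. The function names, the backup copy, and the `key=value` line format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Ping Identity code. Assumes abs.properties holds
# key=value lines and that a copy was saved after step 3 (clear text entered).

KEYS="mongo_password jks_password email_password"

# Print the value of property $1 in file $2 (last occurrence wins).
prop_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# check_obfuscation BACKUP_PROPS CURRENT_PROPS CONFIG_DIR
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
check_obfuscation() {
    backup=$1 current=$2 confdir=$3 rc=0
    for key in $KEYS; do
        old=$(prop_value "$key" "$backup")
        new=$(prop_value "$key" "$current")
        # A key that is not set has nothing to protect; skip it.
        [ -z "$new" ] && continue
        if [ "$old" = "$new" ]; then
            echo "CLEARTEXT $key: value unchanged since backup"
            rc=1
        fi
    done
    # The page requires the master key to be moved off the ABS host.
    if [ -e "$confdir/abs_master.key" ]; then
        echo "KEYFILE $confdir/abs_master.key still present on this host"
        rc=1
    fi
    return $rc
}

# Constructed demo: made-up values in a temp dir, one key left unobfuscated.
demo() {
    d=$(mktemp -d)
    printf 'mongo_password=example-clear\njks_password=example-clear\n' > "$d/backup.properties"
    printf 'mongo_password=CONSTRUCTED-OBFUSCATED\njks_password=example-clear\n' > "$d/abs.properties"
    : > "$d/abs_master.key"
    check_obfuscation "$d/backup.properties" "$d/abs.properties" "$d"
    rm -rf "$d"
}

demo
```

The backup copy still holds the clear-text values, so remove it or store it off-host with the master key once the check passes.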