PingIntelligence

Securing an ASE cluster

You can secure an API Security Enforcer (ASE) cluster using a new SSL certificate.

To achieve this, you can either use a self-signed certificate or a certificate authority (CA)-signed SSL certificate:

Creating a self-signed certificate

About this task

Flowchart summarizing the steps for a creating self-signed certificate

To create a self-signed certificate:

Steps

  1. Create a cluster key pair by running the following command-line interface (CLI) command:

    create_cluster_key_pair [--yes | -y]
    create private key for cluster server
    --yes | -y : create private key without confirmation prompt

    The Private key in the pair is automatically created and updated in the keystore in <pi_install_path>/pingidentity/ase/config/certs/ directory.

    Example:

    The following command creates dh1024.pem in the /opt/pingidentity/ase/config/certs/cluster/ directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
    Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
    Cluster key created at keystore
    Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
    shell
  2. Generate a certificate signing request (CSR) from the private key running the following CLI command:

    create_cluster_csr [--yes | -y]
    create certificate signing request for cluster server
    --yes | -y : create certificate signing request without confirmation prompt

    Example:

    The following command creates a .csr file in the /opt/pingidentity/ase/config/certs/cluster/directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
    Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >OP
    State >GP
    Location >IP
    Organization >KP
    Organization Unit >Kpase
    Common Name >www.123.com
    Generating CSR. Please wait...
    OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
    shell

    Result:

    This .csr file is saved in the <pi_install_path>/pingidentity/ase/config/certs/cluster/ directory.

  3. Generate a self-signed certificate by running the following command:

    create_cluster_self_sign_cert [--yes | -y]
    --yes | -y : create self signed certificate without confirmation prompt

    Example:

    The following command creates a self-signed certificate in the key store:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_self_sign_cert
    Warning: create_cluster_self_sign_cert will delete any existing cluster self signed certificate
    Do you want to proceed [y/n]:y
    Creating new cluster self signed certificate
    OK, self sign certificate created in key store
    shell

    The certificate is automatically created in the key store in the <pi_install_path>/pingidentity/ase/config/certs/ directory.

  4. Restart the ASE cluster for synchronizing the key and certificate.

    For more information, follow the instructions in Restarting an ASE cluster.