PingIntelligence

Securing an ASE cluster

You can secure an API Security Enforcer (ASE) cluster by provisioning a new SSL certificate for the cluster server.

The certificate can be either self-signed or signed by a certificate authority (CA):

  • Self-signed certificate

  • CA-signed certificate

Creating a self-signed certificate

About this task

Flowchart summarizing the steps for creating a self-signed certificate

To create a self-signed certificate:

Steps

  1. Create a cluster key pair by running the following command-line interface (CLI) command:

    create_cluster_key_pair [--yes | -y]
    create private key for cluster server
    --yes | -y : create private key without confirmation prompt

    The private key in the pair is automatically created and stored in the keystore in the <pi_install_path>/pingidentity/ase/config/certs/ directory.

    Example:

    The following command creates the cluster key pair in the keystore and the Diffie-Hellman parameter file dh1024.pem in the /opt/pingidentity/ase/config/certs/cluster/ directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
    Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
    Cluster key created at keystore
    Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
  2. Generate a certificate signing request (CSR) from the private key by running the following CLI command:

    create_cluster_csr [--yes | -y]
    create certificate signing request for cluster server
    --yes | -y : create certificate signing request without confirmation prompt

    Example:

    The following command creates a .csr file in the /opt/pingidentity/ase/config/certs/cluster/ directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
    Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >OP
    State >GP
    Location >IP
    Organization >KP
    Organization Unit >Kpase
    Common Name >www.123.com
    Generating CSR. Please wait...
    OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr

    Result:

    This .csr file is saved in the <pi_install_path>/pingidentity/ase/config/certs/cluster/ directory.

  3. Generate a self-signed certificate by running the following command:

    create_cluster_self_sign_cert [--yes | -y]
    --yes | -y : create self signed certificate without confirmation prompt

    Example:

    The following command creates a self-signed certificate in the keystore:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_self_sign_cert
    Warning: create_cluster_self_sign_cert will delete any existing cluster self signed certificate
    Do you want to proceed [y/n]:y
    Creating new cluster self signed certificate
    OK, self sign certificate created in key store

    The certificate is automatically created in the keystore in the <pi_install_path>/pingidentity/ase/config/certs/ directory.

  4. Restart the ASE cluster to synchronize the key and certificate across the cluster nodes.

    For more information, follow the instructions in Restarting an ASE cluster.

Creating a CA-signed certificate

About this task

Flowchart summarizing the steps for creating a CA-signed certificate for an ASE cluster

To create a CA-signed SSL certificate:

Steps

  1. Create a cluster key pair by running the following CLI command:

    create_cluster_key_pair [--yes | -y]
    create private key for cluster server
    --yes | -y : create private key without confirmation prompt

    Example:

    The following command creates the cluster key pair in the keystore and the Diffie-Hellman parameter file dh1024.pem in the /opt/pingidentity/ase/config/certs/cluster/ directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
    Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
    Cluster key created at keystore
    Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem

    The private key in the pair is automatically created and stored in the keystore in the <pi_install_path>/pingidentity/ase/config/certs/ directory.

  2. Generate a certificate signing request (CSR) from the private key by running the following CLI command:

    create_cluster_csr [--yes | -y]
    create certificate signing request for cluster server
    --yes | -y : create certificate signing request without confirmation prompt

    The .csr file is saved in the <pi_install_path>/pingidentity/ase/config/certs/cluster/ directory.

    Example:

    The following command creates a .csr file in the /opt/pingidentity/ase/config/certs/cluster/ directory:

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
    Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >OP
    State >GP
    Location >IP
    Organization >KP
    Organization Unit >Kpase
    Common Name >www.123.com
    Generating CSR. Please wait...
    OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
  3. Submit the CSR created in step 2 to your certificate authority (CA) to obtain a CA-signed certificate.

  4. Download the CA-signed certificate from the CA.

  5. Import the CA-signed certificate into the ASE cluster by running the following CLI command:

    import_cluster_cert {cert_path} [--yes | -y]
    import CA signed certificate for cluster server
    --yes | -y : import CA signed certificate without confirmation prompt

    The certificate is imported into the keystore in the <pi_install_path>/pingidentity/ase/config/certs/ directory.

    Example:

    The example below also shows import_cluster_key_pair, which is needed only when the private key was generated outside ASE instead of with create_cluster_key_pair in step 1; the signed certificate must correspond to the private key that is in the keystore at import time.

    $ ./cli.sh -uadmin -padmin import_cluster_key_pair /home/ec2-user/cert_folder/signed_cert/test.elasticbeam.com.key
    Warning: import_cluster_key_pair will overwrite any existing cluster certificates
    Do you want to proceed [y/n]:y
    Exporting cluster key to API Security Enforcer...
    OK, key pair added to keystore
    $ ./cli.sh -uadmin -padmin import_cluster_cert /home/ec2-user/cert_folder/signed_cert/test.elastic.crt
    Warning: import_cluster_cert will overwrite any existing cluster signed certificate
    Do you want to proceed [y/n]:y
    Exporting cluster certificate to API Security Enforcer...
    OK, signed certificate added to keystore
  6. Restart the ASE cluster to synchronize the key and certificate across the cluster nodes.

    For more information, follow the instructions in Restarting an ASE cluster.
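Because import_cluster_cert overwrites whatever signed certificate the keystore already holds, it is worth confirming, before step 5, that the certificate the CA returned was actually issued for the CSR from step 2, chains to the CA you expect, and has not expired. The script below is an added example for that check; it is not part of the ASE CLI or of the Ping Identity documentation. It uses only the openssl command-line tool and assumes (an assumption, not something the page states) that cluster.csr, the CA-signed certificate, and the CA certificate or chain bundle are PEM files whose paths are passed as arguments. It never needs the private key, which stays inside the ASE keystore: matching the public key in the certificate against the one in the CSR is sufficient.

```sh
#!/bin/sh
# Added example: pre-import sanity checks for a CA-signed ASE cluster certificate.
# Not part of the ASE CLI. Assumes (hypothetical paths) that the CSR written by
# create_cluster_csr, the certificate returned by the CA, and the CA bundle are
# PEM files given as arguments: precheck_cluster_cert.sh cluster.csr signed.crt ca.pem

set -u

# SHA-256 fingerprint of the DER-encoded public key inside a CSR ("req") or a
# certificate ("x509"). Comparing fingerprints proves the CA signed the key that
# ASE generated, without ever reading the private key from the keystore.
pubkey_fp() {
    openssl "$1" -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 2>/dev/null | awk '{print $NF}'
}

# 0 if the certificate carries the same public key as the CSR, 1 otherwise.
csr_matches_cert() {
    csr_fp=$(pubkey_fp req "$1")
    crt_fp=$(pubkey_fp x509 "$2")
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$crt_fp" ]
}

# 0 if the certificate chains to a trust anchor in the CA bundle, 1 otherwise.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate has not expired (-checkend 0 asks "does it expire within 0 s?").
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Subject of the certificate, to compare with the Common Name typed at the
# create_cluster_csr prompt.
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# Run every check and report; exit status is 0 only if all of them pass.
precheck() {
    csr=$1 crt=$2 ca=$3 rc=0
    if csr_matches_cert "$csr" "$crt"; then echo "OK   public key in certificate matches $csr"
    else echo "FAIL certificate was not issued for the key in $csr"; rc=1; fi
    if cert_chains_to "$crt" "$ca"; then echo "OK   certificate chains to $ca"
    else echo "FAIL certificate does not chain to $ca"; rc=1; fi
    if cert_not_expired "$crt"; then echo "OK   certificate has not expired"
    else echo "FAIL certificate has expired"; rc=1; fi
    echo "INFO $(cert_subject "$crt")"
    return $rc
}

# Only run when invoked with the three paths, so the functions can also be sourced.
if [ $# -eq 3 ]; then
    precheck "$1" "$2" "$3"
fi
```

Run it against the CSR from step 2 and the files downloaded in step 4; only proceed to import_cluster_cert when every line reports OK and the INFO subject shows the Common Name you entered at the CSR prompt. If the public-key check fails, the CA signed a different CSR (or the key pair was regenerated after the CSR was submitted, since create_cluster_key_pair deletes the existing key, CSR and certificate), and importing the certificate would leave the cluster with a certificate that does not match its private key.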