You must obfuscate the keys and passwords configured in ase.conf, cluster.conf, and abs.conf in the config directory. ASE ships with a default ase_master.key, which is used to obfuscate the various keys and passwords. It is recommended to generate your own ase_master.key.
The following keys and passwords are obfuscated in the three configuration files:
- ase.conf – Email and Keystore (PKCS#12) password
- cluster.conf – ABS access and secret key
- abs.conf – Cluster authentication key
The following diagram summarizes the obfuscation process:
Generate your ase_master.key
You can generate the ase_master.key by running the generate_obfkey command in the ASE CLI:
/opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p
Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding
Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys
Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist.
This command will delete it create a new key in the same file
Do you want to proceed [y/n]:y
creating new obfuscation master key
Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key
The new ase_master.key is used to obfuscate the keys and passwords in the various configuration files. ase_master.key must be manually copied to each of the cluster nodes.
Obfuscate keys and passwords
Enter the keys and passwords in clear text in ase.conf, cluster.conf, and abs.conf. Run the obfuscate_keys command to obfuscate keys and passwords:
/opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p
Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding
If config keys and password are already obfuscated using the current master key, it is not obfuscated again
Following keys will be obfuscated:
config/ase.conf: sender_password, keystore_password
config/abs.conf: access_key, secret_key
config/cluster.conf: cluster_secret_key
Do you want to proceed [y/n]:y
obfuscating config/ase.conf, success
obfuscating config/abs.conf, success
obfuscating config/cluster.conf, success
Start ASE after keys and passwords are obfuscated. ase_master.key must be moved from ASE to a secure location.
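The following is an added example, not part of the Ping Identity documentation: shell helpers that take the backup the CLI asks for and, after obfuscate_keys has run, list any of the five keys it names whose value still equals the clear-text value in the backup. It assumes the conf files hold key=value lines; the function names and the backup path are illustrative.

```shell
#!/bin/sh
# Added example (not Ping Identity code). Assumes key=value lines in the conf files.
# The backup holds clear-text secrets and the old master key: keep it owner-only.

# conf_value FILE KEY: print the value of KEY (first match), empty if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# backup_config CONFIG_DIR BACKUP_DIR: copy the four files the CLI names,
# under umask 077 so the copies are readable by the owner only.
backup_config() {
    (
        umask 077
        mkdir -p "$2" || exit 1
        for f in ase_master.key ase.conf abs.conf cluster.conf; do
            cp "$1/$f" "$2/$f" || exit 1
        done
    )
}

# unchanged_secrets CONFIG_DIR BACKUP_DIR: print "file:key" for every key listed
# by obfuscate_keys whose current value still equals the backed-up clear text.
# Returns 1 if any such key is found, 0 otherwise.
unchanged_secrets() {
    rc=0
    for pair in "ase.conf:sender_password keystore_password" \
                "abs.conf:access_key secret_key" \
                "cluster.conf:cluster_secret_key"; do
        file=${pair%%:*}
        for key in ${pair#*:}; do
            old=$(conf_value "$2/$file" "$key")
            new=$(conf_value "$1/$file" "$key")
            if [ -n "$old" ] && [ "$old" = "$new" ]; then
                echo "$file:$key"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Typical use (backup path is a placeholder):
#   backup_config /opt/pingidentity/ase/config "$HOME/ase-backup"
#   /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p
#   unchanged_secrets /opt/pingidentity/ase/config "$HOME/ase-backup"
```

The check only applies when the backup was taken with clear-text values in place; values that were already obfuscated with the current master key are left unchanged by obfuscate_keys and would be reported here too.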