You must obfuscate the keys and passwords configured in
abs.conf in the config directory. ASE
ships with a default
ase_master.key which is used to obfuscate the various
keys and passwords. It is recommended to generate your own
The following keys and passwords are obfuscated in the three configuration files:
ase.conf– Email and Keystore (PKCS#12) password
cluster.conf– ABS access and secret key
abs.conf– Cluster authentication key, gateway_credential
The following diagram summarizes the obfuscation process:
Generate your ase_master.key
You can generate the
ase_master.key by running the
generate_obfkey command in the ASE CLI:
/opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exist. This command will delete it create a new key in the same file Do you want to proceed [y/n]:y creating new obfuscation master key Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key
ase_master.key is used to obfuscate the keys and passwords in the
various configuration files.
ase_master.keymust be manually copied to each of the cluster nodes.
Obfuscate key and passwords
Enter the keys and passwords in clear text in
abs.conf. Run the
obfuscate_keys command to obfuscate keys and passwords:
/opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding If config keys and password are already obfuscated using the current master key, it is not obfuscated again Following keys will be obfuscated: config/ase.conf: sender_password, keystore_password config/abs.conf: access_key, secret_key config/cluster.conf: cluster_secret_key Do you want to proceed [y/n]:y obfuscating config/ase.conf, success obfuscating config/abs.conf, success obfuscating config/cluster.conf, success
Start ASE after keys and passwords are obfuscated.
ase_master.keymust be moved to a secure location from ASE.