API Security Enforcer (ASE) provides two types of authentication:
- Linux Pluggable Authentication Module (PAM)
- ASE native authentication (default method)
All actions carried out on ASE require an authenticated user.
There are two ways to select the authentication method:
- Configure the auth_method parameter in the ase.conf file. For more information, see ASE Initial Configuration.
- Run a command-line interface (CLI) command (update_auth_method <method>).
The following diagram shows the transition between authentication modes.
The authentication method can be changed during run-time without restarting ASE.
Configuring ASE native authentication
By default, ASE uses native ASE authentication which ships with the system. Each user can run CLI commands by including the shared username and password with each command. The system ships with a default username (admin) and password (admin).
Always change the default password using the update_password command. For more information on ASE commands, see Appendix A.
Configuring Linux PAM authentication
PAM-based authentication provides the flexibility to authenticate administrators using existing authentication servers, such as your organization’s LDAP directory. When PAM authentication is active, ASE logs the identity of the user executing each CLI command. This provides a user-specific audit trail of administrative access to the ASE system.
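A pre-flight check for the PAM script name, run before switching ASE to PAM authentication, so that a mistyped name is caught before it takes effect. This is an added example, not part of the ASE product: the helper name check_pam_script is hypothetical, and it assumes PAM service files live in /etc/pam.d and that a usable script contains an auth rule or an @include line.

```shell
#!/bin/sh
# Added example: check_pam_script is a hypothetical helper, not an ASE command.
# Run it before update_auth_method <method> to confirm the PAM script exists.
#
# Usage:   check_pam_script <script-name> [pam_dir]
# Returns: 0 = usable, 2 = bad name, 3 = file missing, 4 = no auth rule
check_pam_script() {
    name=$1
    pam_dir=${2:-/etc/pam.d}   # assumption: standard Linux-PAM service directory

    # Reject empty names and anything that is not a plain file name, so a
    # typo or a path such as ../x never reaches the PAM configuration.
    case $name in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*)
            echo "invalid PAM script name: '$name'" >&2
            return 2 ;;
    esac

    path=$pam_dir/$name

    # A missing file is the failure mode to catch: PAM would not use the
    # intended policy and administrators could lose access to ASE.
    if [ ! -f "$path" ]; then
        echo "$path not found; do not switch to PAM with this name" >&2
        return 3
    fi

    # Heuristic: the script must define at least one auth rule, either
    # directly ("auth ..." or "-auth ...") or through an @include line.
    if ! grep -Eq '^[[:space:]]*(-?auth|@include)[[:space:]]' "$path" 2>/dev/null; then
        echo "$path has no readable auth rule" >&2
        return 4
    fi

    echo "ok: $path"
    return 0
}
```

Keep an authenticated ASE session open while switching, and change the method only after the check returns 0.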
Recovering ASE from unavailable pam.d script
When an invalid script name is entered while changing to PAM authentication, the PAM module defaults to etc/pam.d/others for authentication. This makes ASE inaccessible to administrators. If this happens, you must recover ASE.
To recover ASE: