The following keys and passwords are obfuscated:

  • mongo_password
  • jks_password
  • email_password

ABS ships with a default abs_master.key, which is used to obfuscate the various keys and passwords. It is recommended to generate your own abs_master.key. The default jks_password abs123 is configured in the abs.properties file.

Note:

ABS must be stopped while the keys and passwords are being obfuscated.

The following diagram summarizes the obfuscation process:

Diagram of the ABS password obfuscation process.
  1. To generate the abs_master.key, run the generate_obfkey command in the ABS command-line interface (CLI):
    /opt/pingidentity/abs/bin/cli.sh generate_obfkey -u admin -p admin
    
    Please take a backup of config/abs_master.key before proceeding.
    
    Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh -obfuscate_keys
    
    Warning: Obfuscation master key file
    /pingidentity/abs/config/abs_master.key already exist. This command will delete it create a new key in the same file
    
    Do you want to proceed [y/n]: y
    
    creating new obfuscation master key
    Success: created new obfuscation master key at /pingidentity/abs/config/abs_master.key
    Important:

    In an ABS cluster, the abs_master.key must be manually copied to each of the cluster nodes.

    The new abs_master.key is used to obfuscate the passwords in the abs.properties file.
  2. To obfuscate the keys and passwords:
    1. Enter the keys and passwords in clear text in the abs.properties file.
    2. Run the obfuscate_keys command:
      /opt/pingidentity/abs/bin/cli.sh obfuscate_keys -u admin -p admin
      
      Please take a backup of config/abs.password before proceeding
      
      Enter clear text keys and password before obfuscation.
      
      Following keys will be obfuscated
      
      config/abs.properties: mongo_password, jks_password and email_password
      Do you want to proceed [y/n]: y
      
      obfuscating /pingidentity/abs/config/abs.properties
      
      Success: secret keys in /pingidentity/abs/config/abs.properties obfuscated
  3. After passwords are obfuscated, start ABS.
    Important: After the keys and passwords are obfuscated, the abs_master.key must be moved from ABS to a secure location.
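
A post-obfuscation check for the procedure above, as an added example that is not Ping Identity's code: it flags any of the three properties that still holds the default or a clear-text value, and a master key left in the config directory, without printing the values themselves. The key=value file layout and the OBF: value prefix are assumptions; confirm both against your own obfuscated abs.properties.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: abs.properties holds key=value
# lines, and obfuscated values start with OBF_PREFIX (confirm on your install).
OBF_PREFIX="OBF:"
ABS_FINDINGS=0

# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_abs_config() {
    conf_dir=$1
    props="$conf_dir/abs.properties"
    ABS_FINDINGS=0
    [ -r "$props" ] || { echo "ERROR: cannot read $props"; return 2; }

    for key in mongo_password jks_password email_password; do
        # Take the last assignment of the key and trim surrounding whitespace.
        value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$props" |
            tail -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$value" ]; then
            echo "INFO: $key is not set, skipped"
        elif [ "$key" = jks_password ] && [ "$value" = abs123 ]; then
            echo "FAIL: jks_password is still the shipped default"
            ABS_FINDINGS=$((ABS_FINDINGS + 1))
        else
            case $value in
                "$OBF_PREFIX"*) ;;  # carries the obfuscation marker
                *)  echo "FAIL: $key appears to be clear text"
                    ABS_FINDINGS=$((ABS_FINDINGS + 1)) ;;
            esac
        fi
    done

    # The procedure ends by moving abs_master.key out of the ABS config directory.
    if [ -e "$conf_dir/abs_master.key" ]; then
        echo "FAIL: abs_master.key is still in $conf_dir"
        ABS_FINDINGS=$((ABS_FINDINGS + 1))
    fi
    [ "$ABS_FINDINGS" -eq 0 ]
}

# Constructed sample input: one marked value, the default, and one clear-text value.
demo=$(mktemp -d)
printf '%s\n' 'mongo_password=OBF:constructed-sample' 'jks_password=abs123' \
    'email_password=constructed-clear-text' > "$demo/abs.properties"
: > "$demo/abs_master.key"
audit_abs_config "$demo" || echo "findings: $ABS_FINDINGS"
rm -rf "$demo"
```

Run it against the real config directory after step 3, for example audit_abs_config /opt/pingidentity/abs/config, and treat any FAIL line as a reason to repeat the procedure.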