ASE ships with a default ase_master.key, which is used to obfuscate the various keys and passwords. It is recommended to generate your own ase_master.key.

The following keys and passwords are obfuscated in the three configuration files:

  • ase.conf: Email and key store (PKCS#12) password
  • cluster.conf: ABS access and secret key
  • abs.conf: Cluster authentication key, gateway_credential

The new ase_master.key is used to obfuscate the keys and passwords in the various configuration files.

Note:

During the process of obfuscating keys and passwords, ASE must be stopped.

The following diagram summarizes the obfuscation process:

Diagram of the key/password obfuscation process.
  1. To generate the ase_master.key, run the generate_obfkey command in the ASE command-line interface (CLI):
    /opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p 
    Please take a backup of config/ase_master.key, config/ase.conf, 
    config/abs.conf, config/cluster.conf before proceeding
    
    Warning: Once you create a new obfuscation master key, you should obfuscate 
    all config keys also using cli.sh obfuscate_keys
    
    Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key 
    already exist. 
    
    This command will delete it create a new key in the same file
    Do you want to proceed [y/n]:y
    creating new obfuscation master key
    Success: created new obfuscation master key at 
    /opt/pingidentity/ase/config/ase_master.key

    Important:

    In an ASE cluster, the new ase_master.key must be manually copied to each of the cluster nodes.

  2. Enter the keys and passwords in clear text in ase.conf, cluster.conf, and abs.conf.
  3. Run the obfuscate_keys command to obfuscate keys and passwords:
    /opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p 
    Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding
    If config keys and password are already obfuscated using the current master key, it is not obfuscated again
    Following keys will be obfuscated:
    config/ase.conf: sender_password, keystore_password
    config/abs.conf: access_key, secret_key
    config/cluster.conf: cluster_secret_key
    Do you want to proceed [y/n]:y
    obfuscating config/ase.conf, success
    obfuscating config/abs.conf, success
    obfuscating config/cluster.conf, success
  4. Start ASE after keys and passwords are obfuscated.
Important:

After the keys and passwords are obfuscated, the ase_master.key must be moved from ASE to a secure location.
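The following post-obfuscation check is an added example, not part of the ASE tooling or its documentation. It scans the three configuration files for the key names listed in the obfuscate_keys output above and reports any that still hold a clear-text value, and it reports an ase_master.key that is still in the config directory. It assumes that settings are written as key=value and that obfuscated values begin with the prefix OBF: (both assumptions; override OBF_PREFIX if your files differ).

```shell
#!/bin/sh
# Added example: audit an ASE config directory after running obfuscate_keys.
# Assumptions (not from the page): settings are written as key=value and
# obfuscated values start with $OBF_PREFIX.
OBF_PREFIX="${OBF_PREFIX:-OBF:}"

# Key names per file, taken from the obfuscate_keys output shown above.
KEYS_ase="sender_password keystore_password"
KEYS_abs="access_key secret_key"
KEYS_cluster="cluster_secret_key"

# check_conf FILE KEY...
# Prints one line per KEY that has a non-empty value without the prefix.
# Returns 0 if all values are obfuscated or unset, 1 if any clear-text
# value was found, 2 if FILE cannot be read.
check_conf() {
    file=$1; shift
    [ -r "$file" ] || { echo "missing: $file"; return 2; }
    rc=0
    for key in "$@"; do
        # Extract every value assigned to the key, then keep only values
        # that are neither empty nor prefixed as obfuscated.
        if sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
            grep -q -v -e '^$' -e "^$OBF_PREFIX"; then
            echo "cleartext: $file: $key"
            rc=1
        fi
    done
    return $rc
}

# audit_config DIR
# Checks all three files and confirms the master key has been moved away.
# Returns 0 only when nothing was reported.
audit_config() {
    dir=$1; status=0
    check_conf "$dir/ase.conf" $KEYS_ase || status=1
    check_conf "$dir/abs.conf" $KEYS_abs || status=1
    check_conf "$dir/cluster.conf" $KEYS_cluster || status=1
    if [ -e "$dir/ase_master.key" ]; then
        echo "present: $dir/ase_master.key (move it to a secure location)"
        status=1
    fi
    return $status
}
```

After the final step of the procedure, source the file and run `audit_config /opt/pingidentity/ase/config`; a non-zero exit status means at least one finding was printed.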