Obfuscating keys and passwords - PingIntelligence for APIs

Obfuscating keys and passwords - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-52

pingintelligence

private

ContentType_ce

Using the API Security Enforcer (ASE) command-line interface (CLI), you can obfuscate keys and passwords configured in the ase.conf, cluster.conf, and abs.conf files.

When obfuscating a password, you must stop ASE.

Here is the obfuscated data in each file:

ase.conf – Email and keystore (PKCS#12) password
cluster.conf – Cluster authentication key
abs.conf – ABS access and secret key

ASE ships with a default master key (ase_master.key), which is used to obfuscate other keys and passwords. You should generate your own ase_master.key.

The following diagram summarizes the obfuscation process.

Flowchart showing the key and password obfuscation process

Generate your ase_master.key by running the generate_obfkey ASE CLI command.

The new ase_master.key is used to obfuscate the keys and passwords in the configuration files.

/opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p 

Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding
    
Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys
    
Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exists. This command will delete it and create a new key in the same file.
    
Do you want to proceed [y/n]:y
creating new obfuscation master key
Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key

Important:

In an ASE cluster, the ase_master.key must be manually copied to each cluster node.

Obfuscate keys and passwords:

Enter the keys and passwords in clear text in the ase.conf, cluster.conf, and abs.conf files.

Run the obfuscate_keys command to obfuscate keys and passwords.

  
/opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p 
  
Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding

If config keys and passwords are already obfuscated using the current master key, they are not obfuscated again

Following keys will be obfuscated:
config/ase.conf: sender_password, keystore_password
config/abs.conf: access_key, secret_key
config/cluster.conf: cluster_secret_key
    
Do you want to proceed [y/n]:y
obfuscating config/ase.conf, success
obfuscating config/abs.conf, success
obfuscating config/cluster.conf, success

Start ASE after keys and passwords are obfuscated.

Important:
After the keys and passwords are obfuscated, the ase_master.key must be moved to a secure location from ASE for security reasons. If you want to restart ASE, the ase_master.key must be present in the /opt/pingidentity/ase/config/ directory.