Using ABS command line interface, you can obfuscate the keys and passwords configured in
abs.properties. The keys and passwords obfuscated include:
-
mongo_password -
jks_password -
email_password
ABS ships with a default abs_master.key which is used to obfuscate the keys
and passwords. It is recommended to generate your own abs_master.key.
The following diagram summarizes the obfuscation process: 
Generate abs_master.key
You can generate the abs_master.key by running the
generate_obfkey ABS CLI command.
/opt/pingidentity/abs/bin/cli.sh generate_obfkey -u admin -p admin
Please take a backup of config/abs_master.key before proceeding.
Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh -obfuscate_keys
Warning: Obfuscation master key file
/pingidentity/abs/config/abs_master.key already exists. This command will delete it and create a new key in the same file
Do you want to proceed [y/n]: y
Creating new obfuscation master key
Success: created new obfuscation master key at /pingidentity/abs/config/abs_master.keyThe new abs_master.key is used to obfuscate the passwords in
abs.properties file.
Important:
After the keys and passwords are obfuscated, the
abs_master.key
must be moved to a secure location and not stored on
ABS.
In an ABS cluster, the abs_master.key must be manually copied to each of the
cluster nodes.
Obfuscate key and passwords
Enter the keys and passwords in clear text in the abs.properties file. Run
the obfuscate_keys command to obfuscate keys and passwords:
/opt/pingidentity/abs/bin/cli.sh obfuscate_keys -u admin -p admin
Please take a backup of config/abs.password before proceeding
Enter clear text keys and passwords before obfuscation.
Following keys will be obfuscated
config/abs.properties: mongo_password, jks_password and email_password
Do you want to proceed [y/n]: y
obfuscating /pingidentity/abs/config/abs.properties
Success: secret keys in /pingidentity/abs/config/abs.properties obfuscatedStart ABS after passwords are obfuscated.