Using the ASE command line interface, you can obfuscate keys and passwords configured in ase.conf, cluster.conf, and abs.conf. Here is the obfuscated data in each file:
- ase.conf – Email and keystore (PKCS#12) password
- cluster.conf – Cluster authentication key
- abs.conf – ABS access and secret key
ASE ships with a default master key (ase_master.key) which is used to obfuscate other keys and passwords. It is recommended to generate your own ase_master.key.
The following diagram summarizes the obfuscation process:
Generating your ase_master.key
You can generate the ase_master.key by running the generate_obfkey ASE CLI command.
/opt/pingidentity/ase/bin/cli.sh generate_obfkey -u admin -p
Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, config/cluster.conf before proceeding
Warning: Once you create a new obfuscation master key, you should obfuscate all config keys also using cli.sh obfuscate_keys
Warning: Obfuscation master key file /opt/pingidentity/ase/config/ase_master.key already exists. This command will delete it and create a new key in the same file.
Do you want to proceed [y/n]:y
creating new obfuscation master key
Success: created new obfuscation master key at /opt/pingidentity/ase/config/ase_master.key
The new ase_master.key is used to obfuscate the keys and passwords in the configuration files.
Obfuscate keys and passwords
Enter the keys and passwords in clear text in ase.conf
,
cluster.conf
, and abs.conf
. Run the
obfuscate_keys
command to obfuscate keys and passwords:
/opt/pingidentity/ase/bin/cli.sh obfuscate_keys -u admin -p
Please take a backup of config/ase_master.key, config/ase.conf, config/abs.conf, and config/cluster.conf before proceeding
If config keys and passwords are already obfuscated using the current master key, they are not obfuscated again
Following keys will be obfuscated:
config/ase.conf: sender_password, keystore_password
config/abs.conf: access_key, secret_key
config/cluster.conf: cluster_secret_key
Do you want to proceed [y/n]:y
obfuscating config/ase.conf, success
obfuscating config/abs.conf, success
obfuscating config/cluster.conf, success
Start ASE after keys and passwords are obfuscated.