Protecting plain text passwords

Why and when to perform this task

WebSphere Application Server keeps several passwords in its configuration files. These passwords are not encrypted; they are only encoded. The following files contain encoded passwords (file name, followed by any additional information):

security.xml
    The following fields contain encoded passwords:
      • LTPA password
      • JAAS Auth Data
      • User Registry server password
      • LDAP User Registry bind password
      • Key file password
      • Trust file password

sas.client.props

war/WEB-INF/ibm_web_bnd.xml
    Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture).

ejb jar/META-INF/ibm_ejbjar_bnd.xml
    Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture).

client jar/META-INF/ibm-appclient_bnd.xml
    Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture).

ear/META-INF/ibm_application_bnd.xml
    Specify passwords for the default basic authentication for the "run as" bindings within all descriptors.

server.xml
    The following fields contain encoded passwords:
      • key file password
      • trust file password
      • auth target password
      • Session persistence password
      • DRS Client data replication password (not available in WebSphere Application Server, Version 5)

resource.xml (for cells, servers, and nodes)
    The following fields contain encoded passwords:
      • WAS40Datasource password
      • mailTransport password
      • mailStore password
      • MQQueue queue mgr password

ws-security.xml

ibm-webservices-bnd.xmi

ibm-webservicesclient-bnd.xmi

/properties/soap.client.props

/properties/sas.tools.properties

/properties/sas.stdclient.properties

wsserver.key


To re-encode a password in one of the previous files, complete the following steps:

Steps for this task

  1. Access the file using a text editor and type over the encoded password in plain text.
    The new password is shown in plain text and must be encoded.
  2. Use the PropFilePasswordEncoder.bat or PropFilePasswordEncoder.sh file in the install_dir/bin/ directory to re-encode the password.

    If you are re-encoding z/SAS properties files, type PropFilePasswordEncoder "file_name" -sas and the PropFilePasswordEncoder.bat file encodes the known z/SAS properties.

    If you are encoding files that are not z/SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list

    file_name is the name of the z/SAS properties file. password_properties_list is the name of the properties to encode within the file.

    Note: Only the password should be encoded in this file using the PropFilePasswordEncoder tool.

    Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords contained in XML files or other files that contain open and close tags.
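The failure mode the steps above guard against is a password that was typed over in plain text (step 1) and then never re-encoded (step 2). Encoding is reversible obfuscation, not encryption, so the file permissions on these properties files are the real control; the check below only finds values that were left in plain text. The following script is an added example, not IBM's code or part of this page: it audits a properties file for password properties whose value is not encoded and, if any are found, hands the file to PropFilePasswordEncoder.sh. It assumes (none of this is stated on the page) that the encoder marks an encoded value with a leading "{xor}", that the property list is passed to the tool comma-separated, that install_dir is given in WAS_HOME, and that the property names in the constructed sample are the ones a sas.client.props file carries.

```shell
#!/bin/sh
# Added example, not from the IBM page. Audits a WebSphere-style properties file
# for password properties that are still in plain text, then re-encodes with the
# tool the steps describe. Assumptions: encoded values start with "{xor}", the
# tool takes a comma-separated property list, WAS_HOME points at install_dir.

# Print the names of the given properties whose value in FILE is not encoded.
# Returns 0 when every present value is already encoded, 1 otherwise.
unencoded_password_props() {
    file=$1; shift
    found=0
    for prop in "$@"; do
        # Make the dots in the property name literal for sed.
        esc=$(printf '%s' "$prop" | sed 's/\./\\./g')
        # Last assignment wins (Java properties semantics); strip key, '=' and
        # surrounding whitespace so only the value remains.
        value=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$file" \
                | tail -n 1 | sed 's/[[:space:]]*$//')
        [ -z "$value" ] && continue          # absent or empty: nothing to encode
        case $value in
            '{xor}'*) ;;                      # already encoded (assumed marker)
            *) printf '%s\n' "$prop"; found=1 ;;
        esac
    done
    return $found
}

# Re-encode PROPS (comma-separated, as assumed for the tool) in TARGET, but only
# when the audit finds a plain-text value, so the tool is not run needlessly.
reencode_if_needed() {
    target=$1; props=$2
    if unencoded_password_props "$target" $(printf '%s' "$props" | tr ',' ' ') >/dev/null; then
        echo "all listed passwords in $target are already encoded"
        return 0
    fi
    # Placeholder path: set WAS_HOME to the real install_dir before use.
    "${WAS_HOME:-/path/to/install_dir}/bin/PropFilePasswordEncoder.sh" "$target" "$props"
}

# Constructed sample file (not real credentials, not a real WebSphere file):
# one value was typed over in plain text, two are already encoded.
write_sample_props() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, loosely modelled on sas.client.props
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword=Plain-Text-Typed-Over
com.ibm.ssl.keyStorePassword={xor}CONSTRUCTEDENCODEDVALUE
com.ibm.ssl.trustStorePassword={xor}CONSTRUCTEDENCODEDVALUE
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration against the constructed sample.
sample=$(write_sample_props)
if unencoded_password_props "$sample" com.ibm.CORBA.loginPassword \
        com.ibm.ssl.keyStorePassword com.ibm.ssl.trustStorePassword; then
    echo "nothing to do"
else
    echo "the properties listed above must be re-encoded (step 2)"
fi
rm -f "$sample"
```

In practice you would run the audit over every properties file listed above, with the property names taken from your own copies of those files, and call reencode_if_needed only on the ones it flags; the XML files in the list are outside the tool's scope, as the note above states.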

Results

If you reopen the affected file or files, the passwords do not display in plain text. Instead, the passwords appear encoded. WebSphere Application Server does not provide a utility for decoding the passwords.

Note: The reliance on passwords in configuration files can be minimized on WebSphere Application Server for z/OS by taking advantage of z/OS-specific features:

Searchable topic ID:   tsec_protplaintxt
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tsec_protplaintxt.html
