WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Protecting plain text passwords

Why and when to perform this task

WebSphere Application Server stores several passwords in plain text in its configuration and properties files. These passwords are not encrypted, but are encoded: the encoding hides them from casual inspection of the file and is not a cryptographic protection. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode the passwords in properties files. The utility does not encode passwords that are contained in XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in the following XML and XMI files as the administrative console modifies them.
Table 1. XML and XMI files that contain plain text passwords

In the paths that follow, profile_root is the same directory as WAS_INSTALL_ROOT/profiles/profile_name.

File name: WAS_INSTALL_ROOT/profiles/profile_name/config/cells/cell_name/security.xml
  The following fields contain encoded passwords:
    • LTPA password
    • JAAS authentication data
    • User registry server password
    • LDAP user registry bind password
    • Keystore password
    • Truststore password
    • Cryptographic token device password

File name: war/WEB-INF/ibm_web_bnd.xml
  Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ejb jar/META-INF/ibm_ejbjar_bnd.xml
  Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: client jar/META-INF/ibm-appclient_bnd.xml
  Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ear/META-INF/ibm_application_bnd.xml
  Specifies the passwords for the default basic authentication for the run-as bindings within all the descriptors.

File name: WAS_INSTALL_ROOT/profiles/profile_name/config/cells/cell_name/nodes/node_name/servers/server_name/server.xml
  The following fields contain encoded passwords:
    • Keystore password
    • Truststore password
    • Cryptographic token device password
    • Authentication target password
    • Session persistence password
    • DRS client data replication password

File name: WAS_INSTALL_ROOT/profiles/profile_name/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml
  The following fields contain encoded passwords:
    • WAS40Datasource password
    • mailTransport password
    • mailStore password
    • MQQueue queue mgr password

Web services security files (WebSphere Application Server and WebSphere Application Server - Express):
  • WAS_INSTALL_ROOT/profiles/profile_name/config/cells/cell_name/ws-security.xml
  • WAS_INSTALL_ROOT/profiles/profile_name/config/cells/cell_name/nodes/node_name/servers/server_name/ws-security
  • ibm-webservices-bnd.xmi
  • ibm-webservicesclient-bnd.xmi

You can use the PropFilePasswordEncoder utility to encode the passwords that are found in the following files.

Table 2. Files that you can encode using the PropFilePasswordEncoder utility

File name: WAS_INSTALL_ROOT/profiles/profile_name/properties/sas.client.props
  Contains the following password properties:
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStorePassword
    • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile_name/properties/soap.client.props (also written profile_root/properties/soap.client.props)
  Contains the following password properties:
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStorePassword
    • com.ibm.SOAP.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile_name/properties/sas.tools.properties
  Contains the following password properties:
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStorePassword
    • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile_name/properties/sas.stdclient.properties
  Contains the following password properties:
    • com.ibm.ssl.keyStorePassword
    • com.ibm.ssl.trustStorePassword
    • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile_name/properties/wsserver.key
To encode a password again in one of the files in Table 2, complete the following steps:

Steps for this task

  1. Open the file in a text editor and type the new password in plain text over the encoded value. The new password is now stored in plain text and must be encoded.
  2. Use the PropFilePasswordEncoder.bat or PropFilePasswordEncoder.sh script in the WAS_INSTALL_ROOT/profiles/profile_name/bin/ directory to encode the password again.

    If you are encoding a SAS properties file, type:

      PropFilePasswordEncoder file_name -sas

    The utility then encodes the known SAS password properties in that file.

    If you are encoding a file that is not a SAS properties file, type:

      PropFilePasswordEncoder file_name password_properties_list

    where file_name is the name of the properties file, and password_properties_list is the list of property names to encode within that file.
    Note: Encode only the password properties in the file with the PropFilePasswordEncoder tool; the utility does not process other properties.

    Use the PropFilePasswordEncoder utility to encode WebSphere Application Server properties files only. The utility cannot encode passwords that are contained in XML files or other files that use open and close tags.
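The following script is an added example; it is not IBM's PropFilePasswordEncoder and is not code from this page. It re-encodes the password properties of a properties file the way the two-step procedure above describes, and it also illustrates the earlier point that these passwords are encoded rather than encrypted. It assumes the default {xor} encoding that WebSphere Application Server uses for encoded passwords (each byte of the password XORed with 0x5F, then base64, with a {xor} prefix); this page does not state that algorithm. The sample sas.client.props content is constructed, and the comma-separated property list on the command line is this script's own convention.

```python
"""Re-encode password properties in a WebSphere-style properties file.

Added example, not IBM's PropFilePasswordEncoder. Assumes WebSphere's default
"{xor}" encoding (byte XOR 0x5F, base64, "{xor}" prefix), which the page
itself does not spell out. The sample file contents below are constructed.
"""
import base64
import sys

XOR_KEY = 0x5F      # ASCII '_': the byte the {xor} scheme XORs against (assumption)
PREFIX = "{xor}"

# The properties that "PropFilePasswordEncoder file_name -sas" encodes, per Table 2.
SAS_PASSWORD_PROPERTIES = (
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStorePassword",
    "com.ibm.CORBA.loginPassword",
)

# Constructed sample standing in for sas.client.props after step 1: two passwords
# were just typed over in plain text, one is still in its encoded form.
SAMPLE_SAS_CLIENT_PROPS = """\
# constructed sample, not a real sas.client.props
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword=secret
com.ibm.ssl.keyStore=etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
"""


def xor_encode(plain: str) -> str:
    """Encode a plain-text password in the {xor} form WebSphere stores."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode. That this is trivial is why encoding is not encryption."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value is not {xor}-encoded")
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def encode_properties(text: str, properties) -> tuple[str, list[str]]:
    """Encode the named properties in a properties-file body.

    Comments, blank lines, unlisted keys and values that are already
    {xor}-encoded are left untouched, so running twice changes nothing.
    Returns the new file text and the keys that were changed.
    """
    wanted = set(properties)
    changed, out = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        is_comment = line.lstrip().startswith("#")
        if sep and not is_comment and key in wanted and value and not value.startswith(PREFIX):
            out.append(f"{key}={xor_encode(value)}")
            changed.append(key)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def plaintext_passwords(text: str, properties) -> list[str]:
    """Check: which of the named password properties are still in plain text?"""
    _, still_plain = encode_properties(text, properties)
    return still_plain


def main(argv: list[str]) -> int:
    # Usage mirrors the page: <file> -sas   or   <file> prop1,prop2,...
    # With no arguments, the constructed sample is processed and printed instead.
    if len(argv) < 3:
        new_text, changed = encode_properties(SAMPLE_SAS_CLIENT_PROPS, SAS_PASSWORD_PROPERTIES)
        sys.stdout.write(new_text)
        print("encoded:", ", ".join(changed), file=sys.stderr)
        return 0
    path, spec = argv[1], argv[2]
    props = SAS_PASSWORD_PROPERTIES if spec == "-sas" else tuple(spec.split(","))
    with open(path, encoding="utf-8") as fh:
        new_text, changed = encode_properties(fh.read(), props)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    print("encoded:", ", ".join(changed) or "(nothing to do)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the sample re-encoded, or as `script.py sas.client.props -sas` to rewrite a real file in place; plaintext_passwords() is the pre-change check you can run in a build or audit job to find password properties that were typed over but never re-encoded. xor_decode() is included deliberately: anyone who can read the file can recover every {xor} value with it, so file permissions remain the real control.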

Result

If you reopen the affected files, the passwords no longer display in plain text; they display in encoded form. WebSphere Application Server does not provide a utility for decoding the passwords. Because the passwords are encoded rather than encrypted, continue to restrict read access to these files with operating-system file permissions so that only the server process and its administrators can read them.



Related reference
Supported authentication protocols


Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_protplaintxt.html

© Copyright IBM Corporation 2003, 2005. All Rights Reserved.