The purpose of password encoding is to deter casual observation
of passwords in server configuration and property files.
Before you begin
Make sure all server profiles within the administration console reside
on the same IBM® i system.
About this task
By default, passwords are automatically encoded with a simple masking
algorithm in various ASCII configuration files for WebSphere
® Application Server. You
can manually encode passwords in properties files that are used by Java clients
and by Application Server administrative commands.
For a description of
the OS400 encoding algorithm, see Password encoding and encryption.
To enable the OS400 password encoding algorithm for a WebSphere Application Server profile,
complete these steps:
Procedure
- Set the os400.security.password properties to turn on the OS400
password encoding algorithm and to specify which the validation list object
to use.
Use the same validation list object for all WebSphere Application
Server profiles. However, it is not recommended if you do not back up the
objects and data for all profiles simultaneously. Consider your backup and
restore policy when you decide what validation list object to use for each WebSphere Application
Server profile.
To set the properties, complete one of these steps:
- Use the -os400passwords and -validationlist options for
the manageprofiles -create utility, which is located in the app_server_root/bin directory,
to set the properties when creating the profile. To create a WebSphere Application
Server profile named prod, and to enable that profile for the OS400 encoding
algorithm using the /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL validation list
object, you can complete the following steps:
- Run the Start Qshell (STRQSH) command on the IBM i command line.
- In Qshell, run the following command:
app_server_root/bin/manageprofiles
-create -profileName prod -startingPort 10150
-templatePath default -os400passwords
-validationlist /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL
The previous
command is on multiple lines for illustration purposes only.
- Set the Java system properties in the setupCmdLine Qshell
script of the WebSphere Application
Server profile. To enable the OS400 password encoding algorithm, edit the profile_root/bin/setupCmdLine script
using the following steps:
- Set the os400.security.password.encoding.algorithm property to OS400.
The default setting is XOR.
- Set the os400.security.password.validation.list.object property to the
absolute name of the validation list that you need to use. The default setting
is /QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL.
- Save the file.
- Grant the QEJB user profile run authority (*X) to the library that
contains the validation list. If QEJB already has the minimum required
authority (*X) to access the library, then proceed to the next step.
- Use the Display Authority (DSPAUT) to check for the minimum
required authority if the validation list is created in the /QSYS.LIB/WSADMIN.LIB file.
For example:
DSPAUT OBJ('/QSYS.LIB/WSADMIN.LIB')
- Use the Change Authority (CHGAUT) command to grant run authority
to the QEJB profile only if the QEJB profile does not already have this authority.
For example:
CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB') USER(QEJB) DTAAUT(*X)
- Create a native validation list object (*VLDL). This
step is optional for server profiles. The validation list object is created
when the server is started. For remote profiles, create the validation list
if the validation list does not already exist on the system that hosts the
remote profile. Also, consider your backup and restore policy when you decide
what validation list object to use with each remote profile.
Attention: When
you use the OS400 password encoding algorithm, the Java client is not required to reside on
the same IBM i system
as the WebSphere Application
Server profile that the client accesses.
To create a validation list
object, perform the following steps with an IBM i user profile that has *ALLOBJ special
authority:
- Sign on the server with a user profile that has the *ALLOBJ
special authority.
- Use the Create Validation List (CRTVLDL) command to create
the validation list object.
For example, to create the WSVLIST
validation list object in the WSADMIN.LIB library, use the following command:
CRTVLDL VLDL(WSADMIN/WSVLIST)
- Grant the QEJB user profile *RWX authority to the validation
list object. For example, to grant *RWX authority to the WSVLIST
validation list object in the WSADMIN library , use the following command:
CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL') USER(QEJB) DTAAUT(*RWX)
- Use the Change System Value (CHGSYSVAL) command to set the
QRETSVRSEC system value to 1. For example:
CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')
- For server profile, start or restart the server and wait until
the server is ready for service before attempting to manually encode passwords
in properties files that belong to the profile.
Results
You have enabled the OS400 password encoding algorithm.