The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere® Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.
About this task
WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include the following:
Table 1. XML and XMI files that contain encoded passwords.

File name | Additional information
--- | ---
profile_root/config/cells/cell_name/security.xml | The following fields contain encoded passwords: LTPA password; JAAS authentication data; user registry server password; LDAP user registry bind password; keystore password; truststore password
war/WEB-INF/ibm_web_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java™ cryptography architecture
ejb jar/META-INF/ibm_ejbjar_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture
client jar/META-INF/ibm-appclient_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture
ear/META-INF/ibm_application_bnd.xml | Specifies the passwords for the default basic authentication for the run-as bindings within all the descriptors
profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml | The following fields contain encoded passwords: keystore password; truststore password; session persistence password; DRS client data replication password
profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml | The following fields contain encoded passwords: WAS40Datasource password; mailTransport password; mailStore password; MQQueue queue manager password
ibm-webservices-bnd.xmi | 
ibm-webservicesclient-bnd.xmi | 
You use the PropFilePasswordEncoder utility to encode the passwords in properties files.

Table 2. The PropFilePasswordEncoder utility - partial file list.

File name | Additional information
--- | ---
profile_root/properties/sas.client.props | Specifies the following password properties: com.ibm.ssl.keyStorePassword; com.ibm.ssl.trustStorePassword; com.ibm.CORBA.loginPassword
profile_root/properties/sas.tools.properties | Specifies passwords for: com.ibm.ssl.keyStorePassword; com.ibm.ssl.trustStorePassword; com.ibm.CORBA.loginPassword
profile_root/properties/sas.stdclient.properties | Specifies passwords for: com.ibm.ssl.keyStorePassword; com.ibm.ssl.trustStorePassword; com.ibm.CORBA.loginPassword
profile_root/properties/wsserver.key | 
profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties | Specifies passwords for: com.ibm.ssl.keyStorePassword; com.ibm.ssl.trustStorePassword
profile_root/UDDIReg/scripts/UDDIUtilityTools.properties | 
To encode a password again in one of the previous files, complete the following steps:
Procedure
- Access the file using a text editor and type over the encoded password. The new password is no longer encoded and must be re-encoded.
- Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncoder.sh file in the profile_root/bin directory to encode the password again. If you are encoding files that are not z/SAS properties files, type:
  PropFilePasswordEncoder "file_name" password_properties_list
  where:
  "file_name" is the name of the z/SAS properties file, and
  password_properties_list is the name of the properties to encode within the file.
  Note: Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
  Important: When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. If a backup version is required, a backup file (.bak) is created with the clear text password. Examine the results and then delete this backup file; it contains the unencrypted password. If you do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter:
  -Dcom.ibm.websphere.security.util.createBackup=true
  -Dcom.ibm.websphere.security.util.createBackup=false
  A true value for the Java system property creates a backup file and a false value disables the backup file.
  Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as Rational® Application Developer.
Results
If you reopen the affected files, the passwords are encoded. WebSphere Application Server does not provide a utility for decoding the passwords.
The reliance on passwords in configuration files can be minimized on WebSphere Application Server for z/OS® by taking advantage of z/OS-specific features:
- Use a System Authorization Facility (SAF) registry to remove the requirement for a user registry server password.
- Select SAF authorization and delegation so that role-to-user binding passwords are removed.
- Use a RACF® keyring for all SSL repertoires, so that trust and key file passwords are no longer required.
- Use native connectors, and configure sync-to-thread to possibly remove the need for Java Authentication and Authorization Service (JAAS) authentication data.
Example
The following example shows how to use the PropFilePasswordEncoder tool:
PropFilePasswordEncoder C:\WASV7\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword
where:
PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.
C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.
com.ibm.ssl.keyStorePassword is a password to encode in the file.
com.ibm.ssl.trustStorePassword is a second password to encode in the file.