The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere® Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.
About this task
WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include the following:

Table 1. XML and XMI files that contain encoded passwords

File name: profile_root/config/cells/cell_name/security.xml
Additional information: The following fields contain encoded passwords:
- LTPA password
- JAAS authentication data
- User registry server password
- LDAP user registry bind password
- Keystore password
- Truststore password
- Cryptographic token device password

File name: war/WEB-INF/ibm_web_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ejb jar/META-INF/ibm_ejbjar_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: client jar/META-INF/ibm-appclient_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ear/META-INF/ibm_application_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the run-as bindings within all the descriptors.

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml
Additional information: The following fields contain encoded passwords:
- Keystore password
- Truststore password
- Cryptographic token device password
- Session persistence password

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml
Additional information: The following fields contain encoded passwords:
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue manager password

File name: ibm-webservices-bnd.xmi

File name: ibm-webservicesclient-bnd.xmi
You use the PropFilePasswordEncoder utility to encode the passwords in properties files. These files include:

Table 2. The PropFilePasswordEncoder utility - partial file list

File name: profile_root/properties/sas.client.props
Additional information: Specifies the passwords for the following properties:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.tools.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.stdclient.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/wsserver.key

File name: profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword

File name: profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
To encode a password again in one of the previous files, complete the following steps:
Procedure
- Open the file in a text editor and type over the encoded password. The new password is no longer encoded and must be re-encoded.
- Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncoder.sh file in the profile_root/bin directory to encode the password again. If you are encoding files that are not SAS properties files, type:
  PropFilePasswordEncoder "file_name" password_properties_list
  where:
  "file_name" is the name of the z/SAS properties file, and
  password_properties_list is the comma-separated list of the properties to encode within the file.
  Important: When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. If a backup version is required, a backup file (.bak) is created with the clear text password. Examine the results and then delete this backup file; it contains the unencrypted password. If you do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter:
  -Dcom.ibm.websphere.security.util.createBackup=true
  -Dcom.ibm.websphere.security.util.createBackup=false
  A true value for the Java system property creates a backup file and a false value disables the backup file.
  Note: Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as Rational® Application Developer.
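The two risks in the procedure above are easy to miss on a busy server: a password that was typed over but never re-encoded, and a .bak copy with the clear-text password left beside the properties file. The following script, an added example that is not part of the IBM documentation or the product, audits a properties file for both conditions. It assumes, from general knowledge of WebSphere rather than from this page, that values written by PropFilePasswordEncoder begin with an algorithm tag in braces such as {xor}; the sample properties text and the sample file listing are constructed.

```python
"""Audit a WebSphere properties file for passwords left in clear text.

Added example, not IBM's code. Assumption: values produced by
PropFilePasswordEncoder start with a brace-delimited algorithm tag
(for example "{xor}"); any other non-empty value is treated as clear text.
"""
import re

# Password keys the documentation lists for sas.client.props,
# sas.tools.properties and sas.stdclient.properties.
SAS_PASSWORD_KEYS = (
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStorePassword",
    "com.ibm.CORBA.loginPassword",
)

# Encoded values look like "{tag}payload"; clear text does not.
ENCODED_VALUE = re.compile(r"^\{[A-Za-z0-9]+\}\S*$")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def unencoded_passwords(text, keys=SAS_PASSWORD_KEYS):
    """Return the password keys whose value is set but carries no encoding tag.

    Empty values are ignored: an unset password is not a leaked one.
    """
    props = parse_properties(text)
    return [k for k in keys
            if props.get(k, "") and not ENCODED_VALUE.match(props[k])]


def stale_backups(filenames, suffix=".bak"):
    """Return the names in a directory listing that look like PropFilePasswordEncoder
    backups, which hold the clear-text password and should be deleted."""
    return sorted(n for n in filenames if n.endswith(suffix))


# Constructed sample: a sas.client.props fragment after someone typed over the
# truststore password and forgot to run the encoder again.
SAMPLE_PROPS = """# constructed sample, not a real profile
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.CORBA.loginPassword=
com.ibm.CORBA.loginUserid=wasadmin
"""

# Constructed sample directory listing of profile_root/properties.
SAMPLE_LISTING = ["sas.client.props", "sas.client.props.bak", "soap.client.props"]


def audit(text=SAMPLE_PROPS, listing=SAMPLE_LISTING):
    """Combine both checks into one report dictionary."""
    return {
        "clear_text_keys": unencoded_passwords(text),
        "backup_files": stale_backups(listing),
    }


if __name__ == "__main__":
    report = audit()
    for key in report["clear_text_keys"]:
        print(f"clear-text password: {key} (re-run PropFilePasswordEncoder)")
    for name in report["backup_files"]:
        print(f"backup with clear-text password still present: {name}")
```

Run it against a real profile by reading profile_root/properties/sas.client.props into `text` and passing `os.listdir` of that directory as `listing`; the checks are pure functions so they can also be dropped into a configuration-compliance job that runs after every password change.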
Results
If you reopen the affected files, the passwords are encoded. WebSphere Application Server does not provide a utility for decoding the passwords.
Example
The following example shows how to use the PropFilePasswordEncoder tool:
  PropFilePasswordEncoder C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword
where:
PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.
C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.
com.ibm.ssl.keyStorePassword is a password to encode in the file.
com.ibm.ssl.trustStorePassword is a second password to encode in the file.