Encoding passwords in files

The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere® Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.

About this task

WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files.
Important: The PropFilePasswordEncoder utility updates only the property and XML files that exist when it runs. If files are added later, as can occur after installing a new application, rerun this procedure for the new files.
Table 1. XML and XMI files that contain encoded passwords. The PropFilePasswordEncoder utility does not encode these files; WebSphere Application Server encodes the passwords in them automatically. For each file, the table gives the file name, additional information, and the administrative console navigation path used to change the password.

File name: profile_root/config/cells/cell_name/security.xml
Additional information: The following fields contain encoded passwords:
  • LTPA password
  • JAAS authentication data
  • User registry server password
  • LDAP user registry bind password
  • Keystore password
  • Truststore password
  • Cryptographic token device password
Navigation: Security > Global security > Apply.

File name: war/WEB-INF/ibm_web_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ejb jar/META-INF/ibm_ejbjar_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: client jar/META-INF/ibm-appclient_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File name: ear/META-INF/ibm_application_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the run-as bindings within all the descriptors.

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/security.xml
Additional information: The following fields contain encoded passwords:
  • Keystore password
  • Truststore password
  • Cryptographic token device password
  • Session persistence password

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server1/resources.xml
Additional information: The following fields contain encoded passwords:
  • WAS40Datasource password
  • mailTransport password
  • mailStore password
  • MQQueue queue manager password

File name: ibm-webservices-bnd.xmi
Additional information: This is a deployment descriptor included with JAX-RPC provider applications. The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
Navigation: Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Server security binding (under Web Services Security Properties on the right-hand side) > Edit custom.

File name: ibm-webservicesclient-bnd.xmi
Additional information: This is a deployment descriptor included with JAX-RPC client applications. The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Client security binding (under Web Services Security Properties on the right-hand side) > Edit custom.

File name: profile_root/config/cells/cell_name/PolicyTypes/WSSecurity/bindings.xml
Additional information: The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Policy Sets > Default policy set bindings > Version 6.1 default policy set bindings > WS-Security > Custom properties > Apply.

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/server.xml
Additional information: The following fields contain encoded passwords:
  • Database administrator password
Navigation: Servers > Server types > WebSphere application servers > serverName > Session management > Distributed environment > Database > OK.
Note: If you are not using a database, choose None.

File name: profile_root/config/cells/cell_name/applications/appName/.../WSSecurity/bindings.xml
Additional information: WSSecurity/bindings.xml is a JAX-WS WS-Security policy binding file. When it is located in the cell_name/applications path, it is part of an application-specific binding. The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Service providers or Service clients > resourceName > bindingName > WS-Security > Custom properties > Apply.

File name: profile_root/config/cells/cell_name/ (the following files under that directory)
  • ./Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Client sample V2/PolicyTypes/WSSecurity/bindings.xml
  • ./Provider sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Provider sample V2/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml Bearer Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml Bearer Provider sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml HoK Symmetric Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml HoK Symmetric Provider sample/PolicyTypes/WSSecurity/bindings.xml
Additional information: The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Policy Sets > General provider policy set bindings > bindingName > WS-Security > Custom properties > Apply.

File name: profile_root/config/cells/cell_name/sts (the following files under that directory)
  • ./policy/TrustServiceSecurityDefault/PolicyTypes/WSSecurity/bindings.xml
  • ./policy/TrustServiceSymmetricDefault/PolicyTypes/WSSecurity/bindings.xml
Additional information: The following fields contain encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Trust service attachments > bindingName > WS-Security > Custom properties > Apply.
Table 2. The PropFilePasswordEncoder utility - partial file list. You use the PropFilePasswordEncoder utility to encode the passwords in the following properties files. For each file, the table gives the file name and the password properties that it contains.

File name: profile_root/properties/sas.client.props
Additional information: Specifies the following password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.tools.properties
Additional information: Specifies the following password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.stdclient.properties
Additional information: Specifies the following password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/wsserver.key

File name: profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties
Additional information: Specifies the following password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword

File name: profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
Additional information: Specifies the following password property:
  • trustStore.password

File name: profile_root/config/cells/cell_name/sts/SAMLIssuerConfig.properties
Additional information: The following fields contain encoded passwords:
  • KeystorePassword
  • KeyPasswords
  • TrustStorePassword

To encode a password again in one of the previous files, complete the following steps:

Procedure

  1. Open the file in a text editor and type over the encoded password. The new password is now stored in clear text and must be re-encoded.
  2. Use the PropFilePasswordEncoder script in the profile_root/bin/ directory to encode the password again.

    If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list

    "file_name" is the name of the properties file, and password_properties_list is a comma-separated list of the names of the properties to encode within that file.
    Note: Encode only password properties in the file with the PropFilePasswordEncoder tool.

    Use the PropFilePasswordEncoder tool to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as the Rational® Application Developer.
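After re-encoding, a quick way to confirm that no password property in a properties file was left in clear text (an added example, not code from the IBM documentation or from the PropFilePasswordEncoder utility; it assumes that encoded values carry WebSphere's {xor} prefix, and the sample file below is constructed):

```python
"""Audit a WebSphere properties file for password properties still in clear
text. Added example, not IBM's code. Assumption: PropFilePasswordEncoder
writes values with the "{xor}" prefix, so any other non-empty value in a
password property is reported as clear text."""
import re

ENCODED_PREFIX = "{xor}"
# Password property names listed in Table 2 (sas.client.props and friends).
KNOWN_PASSWORD_KEYS = {
    "com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword",
    "com.ibm.CORBA.loginPassword", "trustStore.password",
    "KeystorePassword", "KeyPasswords", "TrustStorePassword",
}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    (or whitespace) separators, and backslash line continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical == "" and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical += line[:-1]          # continued on the next line
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def is_password_key(key):
    return key in KNOWN_PASSWORD_KEYS or "password" in key.lower()

def find_cleartext_passwords(text):
    """Names of password properties whose value lacks the {xor} prefix,
    i.e. the file still needs a PropFilePasswordEncoder run."""
    return sorted(k for k, v in parse_properties(text).items()
                  if is_password_key(k) and v and not v.startswith(ENCODED_PREFIX))

# Constructed sample of a sas.client.props in which one value was typed over.
SAMPLE = """\
# constructed sample, not a real WebSphere file
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword=changeit
com.ibm.CORBA.loginPassword : {xor}Lz4sLCgwLTs=
com.ibm.ssl.keyStore=/home/wasuser/etc/DummyClientKeyFile.jks
"""
print(find_cleartext_passwords(SAMPLE))   # ['com.ibm.ssl.trustStorePassword']
```

Run it over every file in Table 2 after installing new applications, since the utility only touches files that already exist when it runs.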

Results

If you reopen the affected files, the passwords are encoded. WebSphere Application Server does not provide a utility for decoding the passwords.

Example

The following example shows how to use the PropFilePasswordEncoder tool:
PropFilePasswordEncoder C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword

where:

PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.

C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.

com.ibm.ssl.keyStorePassword is a password to encode in the file.

com.ibm.ssl.trustStorePassword is a second password to encode in the file.


Last updated: April 17, 2014 10:32 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-express-iseries&topic=tsec_protplaintxt
File name: tsec_protplaintxt.html