The purpose of password encoding is to deter casual observation
of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility
to encode passwords stored in properties files. WebSphere Application
Server does not provide a utility for decoding the passwords. Encoding
is not sufficient to fully protect passwords. Native security is the
primary mechanism for protecting passwords used in WebSphere Application
Server configuration and property files.
About this task
WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include the following:
Table 1. XML and XMI files that contain encoded passwords

| File name | Additional information |
| --- | --- |
| profile_root/config/cells/cell_name/security.xml | The following fields contain encoded passwords: LTPA password; JAAS authentication data; user registry server password; LDAP user registry bind password; keystore password; truststore password; cryptographic token device password |
| war/WEB-INF/ibm_web_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture |
| ejb jar/META-INF/ibm_ejbjar_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture |
| client jar/META-INF/ibm-appclient_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture |
| ear/META-INF/ibm_application_bnd.xml | Specifies the passwords for the default basic authentication for the run-as bindings within all the descriptors |
| profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml | The following fields contain encoded passwords: keystore password; truststore password; cryptographic token device password; session persistence password |
| profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml | The following fields contain encoded passwords: WAS40Datasource password; mailTransport password; mailStore password; MQQueue queue mgr password |
| ibm-webservices-bnd.xmi | |
| ibm-webservicesclient-bnd.xmi | |
You use the PropFilePasswordEncoder utility to encode the passwords in properties files. These files include:

Table 2. The PropFilePasswordEncoder utility - partial file list

| File name | Additional information |
| --- | --- |
| profile_root/properties/sas.client.props | Specifies the passwords for the following properties: com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStorePassword, com.ibm.CORBA.loginPassword |
| profile_root/properties/soap.client.props | Specifies the password for: com.ibm.SOAP.loginPassword |
| profile_root/properties/ssl.client.props | Specifies the passwords for: com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStorePassword |
| profile_root/properties/sas.tools.properties | Specifies the passwords for: com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStorePassword, com.ibm.CORBA.loginPassword |
| profile_root/properties/sas.stdclient.properties | Specifies the passwords for: com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStorePassword, com.ibm.CORBA.loginPassword |
| profile_root/properties/wsserver.key | |
| profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties | Specifies the passwords for: com.ibm.ssl.keyStorePassword, com.ibm.ssl.trustStorePassword |
| profile_root/UDDIReg/scripts/UDDIUtilityTools.properties | |
To encode a password again in one of the previous files, complete the following steps:
Procedure
- Access the file using a text editor and type over the encoded password. The new password is now stored in clear text; it is no longer encoded and must be re-encoded.
- Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncoder.sh file in the profile_root/profiles/profile_name/bin directory to encode the password again.
  (This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.) If you are encoding the SAS properties files again, type:
  PropFilePasswordEncoder "file_name" -sas
  and the PropFilePasswordEncoder file encodes the known SAS properties.
  Important: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.
  If you are encoding files that are not SAS properties files, type:
  PropFilePasswordEncoder "file_name" password_properties_list
  where:
  "file_name" is the name of the properties file, and
  password_properties_list is the comma-separated list of the properties to encode within the file.
  Note: Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
  Important: When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. This prompt is available with APAR PK52709 in WebSphere Application Server Version 6.1.0.15 and later. If a backup version is required, a backup file (.bak) is created with the clear text password. Examine the results and then delete this backup file. It contains the unencrypted password. If you do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter:
  -Dcom.ibm.websphere.security.util.createBackup=true
  -Dcom.ibm.websphere.security.util.createBackup=false
  A true value for the Java system property creates a backup file and a false value disables the backup file.
Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as Rational Application Developer.
Results
If you reopen the affected files, the passwords are encoded.
WebSphere Application Server does not provide a utility for decoding
the passwords.
Example
The following example shows how to use the PropFilePasswordEncoder tool:

```
PropFilePasswordEncoder C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword
```

where:
- PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.
- C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.
- com.ibm.ssl.keyStorePassword is a password to encode in the file.
- com.ibm.ssl.trustStorePassword is a second password to encode in the file.