Enabling custom password encryption

You need to protect passwords that are contained in your WebSphere Application Server configuration. After creating your server profile, you can add protection by creating a custom class for encrypting the passwords.

Before you begin

Create your custom class for encrypting passwords. For more information, see Plug point for custom password encryption.

About this task

Complete the following steps to enable custom password encryption.

Procedure

  1. Add the following system properties for every server and client process. For server processes, update the server.xml file for each process. Add these properties to the genericJvmArguments argument, each preceded by a -D prefix.
     com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
     com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
     Tip: If the custom encryption class name is com.ibm.wsspi.security.crypto.CustomPasswordEncryptionImpl, it is enabled automatically whenever this class is present in the classpath. Do not define the system properties listed previously when the custom implementation has this package and class name. To disable encryption for this class, you must specify com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false as a system property.
  2. Choose one of the following methods to configure the WebSphere® Application Server runtime to load the custom encryption implementation class:
    • Place the custom encryption class in a Java archive (JAR) file that resides in the ${WAS_INSTALL_ROOT}/classes directory, which you have created.
      Avoid trouble: WebSphere Application Server does not create the ${WAS_INSTALL_ROOT}/classes directory. For more information on the classes directory, see the topic "Creating a classes subdirectory in your profile for custom classes".
    • Place the custom encryption class in a Java archive (JAR) file that resides in the ${WAS_HOME}/lib/ext directory.
  3. Restart all server processes.
  4. Edit each configuration document that contains a password and save the configuration. All password fields are then run through the WSEncoderDecoder utility, which calls the plug point when it is enabled. The {custom:alias} tags are displayed in the configuration documents. The passwords, even though they are encrypted, are still Base64-encoded, so apart from the tag they look the same as encoded passwords.
  5. Encrypt any passwords that are in client-side property files using the PropsFilePasswordEncoder (.bat or .sh) utility. This utility requires that the properties listed previously be defined as system properties in the script, so that it encrypts new passwords instead of only encoding them.
  6. To decrypt passwords from client Java virtual machines (JVMs), add the properties listed previously as system properties for each client utility.
  7. Ensure that all nodes have the custom encryption classes in their class paths prior to enabling this function.
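The following check is added here as an example and is not part of the IBM documentation or the product: it verifies the outcome of steps 1 and 4 on one node. It reads a server.xml fragment to confirm that both -D properties are present in the genericJvmArguments attribute of the jvmEntries element, and it scans a configuration document for password attributes, reporting which values carry the {custom:alias} tag, which are still only carrying the default encoder's {xor} tag, and which are untagged. It assumes the usual server.xml layout, that password-bearing attributes end in "password", and that the alias inside the {custom:...} tag is whatever key alias the custom class reports; both XML documents are constructed for the example.

```python
"""Post-enablement checks for WebSphere custom password encryption.

Added example, not IBM code. Assumptions (not stated on the page):
  - server.xml carries the JVM options in the genericJvmArguments attribute
    of the jvmEntries element, as a WebSphere server.xml normally does;
  - password-bearing attributes in configuration documents end in "password";
  - a value that went through the plug point reads "{custom:<alias>}<base64>",
    where <alias> is whatever key alias the custom class reports, while a
    value only run through the default encoder reads "{xor}<base64>".
All XML below is constructed for this example.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# The two -D system properties step 1 asks for, with the class name used on the page.
REQUIRED_JVM_ARGS = {
    "com.ibm.wsspi.security.crypto.customPasswordEncryptionClass":
        "com.acme.myPasswordEncryptionClass",
    "com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled": "true",
}

# {scheme} or {scheme:alias} prefix followed by the Base64 payload.
TAG_RE = re.compile(r"^\{(?P<scheme>[^}:]+)(?::(?P<alias>[^}]*))?\}(?P<payload>.*)$", re.S)


def parse_jvm_args(generic_jvm_arguments: str) -> dict:
    """Turn '-Dk=v -Xmx512m' into {'k': 'v'}; tokens that are not -D properties are ignored."""
    props = {}
    for token in generic_jvm_arguments.split():
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def missing_jvm_args(server_xml: str) -> list:
    """Names of required properties that are absent or have the wrong value in server.xml."""
    found = {}
    for element in ET.fromstring(server_xml).iter():
        if element.tag.split("}")[-1] == "jvmEntries":  # ignore any namespace on the tag
            found.update(parse_jvm_args(element.get("genericJvmArguments", "")))
    return [name for name, want in REQUIRED_JVM_ARGS.items() if found.get(name) != want]


def classify_password(value: str) -> str:
    """Classify one stored password value.

    'custom'    {custom:alias}<base64>: went through the plug point
    'encoded'   {xor}<base64> (or any other tag): default encoding only, reversible by design
    'plain'     no tag at all
    'malformed' tagged, but the alias or payload is empty or the payload is not valid Base64
    """
    match = TAG_RE.match(value)
    if not match:
        return "plain"
    payload = match.group("payload")
    try:
        if not payload:
            raise binascii.Error("empty payload")
        base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if match.group("scheme") == "custom":
        return "custom" if match.group("alias") else "malformed"
    return "encoded"


def audit_passwords(config_xml: str) -> dict:
    """Map every password-bearing element (keyed by alias, name or tag) to its classification."""
    report = {}
    for element in ET.fromstring(config_xml).iter():
        for attr, value in element.attrib.items():
            if attr.lower().endswith("password"):
                label = element.get("alias") or element.get("name") or element.tag
                report[label] = classify_password(value)
    return report


# Constructed server.xml fragment with step 1 applied correctly.
SERVER_XML_OK = """<process:Server xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi" name="server1">
  <processDefinitions>
    <jvmEntries genericJvmArguments="-Xmx512m -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true"/>
  </processDefinitions>
</process:Server>"""

# Constructed fragment where the feature was switched off again (the Tip in step 1).
SERVER_XML_DISABLED = SERVER_XML_OK.replace("Enabled=true", "Enabled=false")

# Constructed security.xml-style document after step 4 was only partly carried out.
SECURITY_XML = """<security>
  <authDataEntries alias="dbAlias"  userId="dbuser"  password="{custom:myKey}c2VjcmV0"/>
  <authDataEntries alias="ldapBind" userId="cn=bind" password="{xor}c2VjcmV0"/>
  <authDataEntries alias="legacy"   userId="old"     password="plaintext"/>
  <authDataEntries alias="broken"   userId="x"       password="{custom:myKey}not base64!"/>
</security>"""

if __name__ == "__main__":
    print("missing in server.xml:", missing_jvm_args(SERVER_XML_OK))
    print("missing when disabled:", missing_jvm_args(SERVER_XML_DISABLED))
    for label, state in audit_passwords(SECURITY_XML).items():
        print(f"{label:10} {state}")
```

Any name returned by missing_jvm_args, or any entry reported as encoded or plain, means step 1 or step 4 is incomplete on that node; an entry reported as malformed points at a document that was edited by hand rather than saved through the configuration. If your implementation uses the class name from the Tip in step 1, the -D properties are intentionally absent, so drop them from REQUIRED_JVM_ARGS before running the check.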

Results

Custom password encryption is enabled.

What to do next

If custom password encryption fails or is no longer required, see Disabling custom password encryption.

Last updated: Aug 30, 2013 6:03:36 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-iseries&topic=tsec_enable_custpass_encrypt
File name: tsec_enable_custpass_encrypt.html