Encoding passwords in files

The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.

About this task

WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include the following:
Table 1. XML and XMI files that contain encoded passwords

File name: profile_root/config/cells/cell_name/security.xml
Additional information: The following fields contain encoded passwords:
  • LTPA password
  • JAAS authentication data
  • User registry server password
  • LDAP user registry bind password
  • Keystore password
  • Truststore password
  • Cryptographic token device password

File name: war/WEB-INF/ibm_web_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: ejb jar/META-INF/ibm_ejbjar_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: client jar/META-INF/ibm-appclient_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: ear/META-INF/ibm_application_bnd.xml
Additional information: Specifies the passwords for the default basic authentication for the run as bindings within all the descriptors

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml
Additional information: The following fields contain encoded passwords:
  • Keystore password
  • Truststore password
  • Cryptographic token device password
  • Session persistence password
  • DRS client data replication password

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml
Additional information: The following fields contain encoded passwords:
  • WAS40Datasource password
  • mailTransport password
  • mailStore password
  • MQQueue queue mgr password

File name: profile_root/config/cells/cell_name/ws-security.xml

File name: ibm-webservices-bnd.xmi

File name: ibm-webservicesclient-bnd.xmi


You use the PropFilePasswordEncoder utility to encode the passwords in properties files. These files include:

Table 2. The PropFilePasswordEncoder utility - Partial File List

File name: profile_root/properties/sas.client.props
Additional information: Specifies the passwords for the following properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/soap.client.props
Additional information: Specifies passwords for:
  • com.ibm.SOAP.loginPassword

File name: profile_root/properties/ssl.client.props
Additional information: Specifies passwords for:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword

File name: profile_root/properties/sas.tools.properties
Additional information: Specifies passwords for:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.stdclient.properties
Additional information: Specifies passwords for:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File name: profile_root/properties/wsserver.key

File name: profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties
Additional information: Specifies passwords for:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword

File name: profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
Additional information: Specifies passwords for:
  • trustStore.password

To encode a password again in one of the previous files, complete the following steps:

Procedure

  1. Access the file using a text editor and type over the encoded password. The new password is now stored in clear text and must be re-encoded.
  2. [AIX HP-UX Linux Solaris Windows] [z/OS] Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncode.sh file in the profile_root/profiles/profile_name/bin directory to encode the password again.
    [AIX HP-UX Linux Solaris Windows] [This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.] If you are encoding the SAS properties files again, type PropFilePasswordEncoder "file_name" -sas; the PropFilePasswordEncoder utility then encodes the known SAS properties.
    Important: SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

    [AIX HP-UX Linux Solaris Windows] If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list.

    [z/OS] [This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.] If you are encoding the z/SAS properties files again, type PropFilePasswordEncoder "file_name" -sas. The PropFilePasswordEncoder.bat file encodes the known z/SAS properties.
    Important: z/SAS is supported only between Version 6.0.x and previous version servers that have been federated in a Version 6.1 cell.

    [z/OS] If you are encoding files that are not z/SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list.

    Important: When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. This prompt is available with APAR PK52709 in WebSphere Application Server Version 6.1.0.15 and later. If a backup version is required, a backup file (.bak) is created that still contains the clear text password. Examine the results and then delete this backup file, because it contains the unencrypted password. If you do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter: -Dcom.ibm.websphere.security.util.createBackup=true or -Dcom.ibm.websphere.security.util.createBackup=false

    A true value for the Java system property creates a backup file and a false value disables the backup file.

    where:

    "file_name" is the name of the properties file, and password_properties_list is the name of the properties to encode within the file.
    Note: Only the password should be encoded in this file using the PropFilePasswordEncoder tool.

    Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as the Rational Application Developer.

  3. [iSeries] Use the PropFilePasswordEncode script in the profile_root/bin/ directory to encode the password again.

    [This information applies to Version 6.0.x and previous servers only that are federated in a Version 6.1 cell.] If you are encoding the SAS properties files again, type PropFilePasswordEncoder "file_name" -sas; the PropFilePasswordEncoder utility then encodes the known SAS properties.

    If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list.

    "file_name" is the name of the SAS properties file and password_properties_list is the name of the properties to encode within the file.
    Note: Only the password should be encoded in this file by using the PropFilePasswordEncoder tool.

    Use the PropFilePasswordEncoder tool to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as the Rational Application Developer.

Results

If you reopen the affected files, the passwords are encoded. WebSphere Application Server does not provide a utility for decoding the passwords.
[z/OS] The reliance on passwords in configuration files can be minimized on WebSphere Application Server for z/OS by taking advantage of z/OS-specific features:
  • Use a System Authorization Facility (SAF) registry to remove the requirement for a user registry server password.
  • Select SAF authorization and delegation so role-to-user binding passwords are removed.
  • Use a RACF keyring for all SSL repertoires, and trust and key file passwords are no longer required.
  • Use native connectors, and configure sync-to-thread to possibly remove the need for Java Authentication and Authorization Service (JAAS) authentication data.

Example

The following example shows how to use the PropFilePasswordEncoder tool (a single command line):

PropFilePasswordEncoder C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword

where:

PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.

C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.

com.ibm.ssl.keyStorePassword is a password to encode in the file.

com.ibm.ssl.trustStorePassword is a second password to encode in the file.
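After running the encoder, an administrator wants to confirm that the listed password properties were actually encoded and that no clear text .bak copy was left behind. The following audit script is an added example written for this page, not an IBM utility: it assumes that an encoded value starts with a braced algorithm tag such as {xor} and that the backup is named after the properties file with a .bak suffix; the sample file content is constructed.

```python
import os
import re
# Password properties this page lists for the sas/ssl/soap client files.
PASSWORD_KEYS = ("com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword",
                 "com.ibm.CORBA.loginPassword", "com.ibm.SOAP.loginPassword")
# Assumption: an encoded value starts with a braced algorithm tag such as "{xor}".
ENCODED_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_properties(text, keys=PASSWORD_KEYS):
    """Classify each password key present as 'encoded', 'CLEAR TEXT' or 'empty'."""
    props = parse_properties(text)
    report = {}
    for key in keys:
        if key in props:
            value = props[key]
            report[key] = ("empty" if not value else
                           "encoded" if ENCODED_RE.match(value) else "CLEAR TEXT")
    return report

def leftover_backups(dir_listing, props_name):
    """Entries in a directory listing that match the encoder's backup copy of
    props_name (assumed naming: props_name + '.bak'); the copy holds clear text."""
    return [n for n in dir_listing if n == props_name + ".bak"]

def audit_file(path):
    """Audit one properties file on disk and flag a leftover backup beside it."""
    with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
        report = audit_properties(fh.read())
    directory, name = os.path.split(path)
    return report, leftover_backups(os.listdir(directory or "."), name)

# Constructed sample excerpt of sas.client.props; the encoded value is made up.
SAMPLE = """# constructed sample, not a real WebSphere file
com.ibm.ssl.keyStorePassword={xor}Y29uc3RydWN0ZWQ=
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.CORBA.loginPassword=
"""
```

Calling audit_file on a real sas.client.props path returns the per-property report together with any leftover .bak file that should be deleted.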


Last updated: Feb 19, 2011 5:25:36 AM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v610web&product=was-nd-mp&topic=tsec_protplaintxt
File name: tsec_protplaintxt.html