Protecting plain text passwords

Overview

WebSphere Application Server stores several passwords in plain text in its configuration files. These passwords are not encrypted, but they can be encoded. Encoding only keeps the value from being read at a glance; it is not a cryptographic protection, so the files that hold the passwords still need to be protected by file system permissions. WebSphere Application Server provides the PropFilePasswordEncoder utility, which you can use to encode these passwords. However, the utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in the following XML or XMI files as the files are modified by the administrative console.

Table 1. XML and XMI files that contain plain text passwords

File name: WAS_INSTALL_ROOT/profiles/profile/config/cells/cell/security.xml
    The following fields contain encoded passwords:

File name: war/WEB-INF/ibm_web_bnd.xml
    Specifies the passwords for the default basic authentication for the "resource-ref" bindings within all the descriptors (except in the Java cryptography architecture).

    Specifies the passwords for the default basic authentication for the "run as" bindings within all the descriptors.

File name: WAS_INSTALL_ROOT/profiles/profile/config/cells/cell/nodes/node/servers/servername/server.xml
    The following fields contain encoded passwords:

      • Key store password
      • Trust store password
      • Cryptographic token device password
      • Authentication target password
      • Session persistence password
      • DRS Client data replication password

File name: WAS_INSTALL_ROOT/profiles/profile/config/cells/cell/nodes/node/servers/servername/resources.xml
    The following fields contain encoded passwords:

      • WAS40Datasource password
      • mailTransport password
      • mailStore password
      • MQQueue queue mgr password

For Network Deployment:

File name: WAS_INSTALL_ROOT/profiles/profile/config/cells/cell/ws-security.xml

File name: ibm-webservices-bnd.xmi

File name: ibm-webservicesclient-bnd.xmi


Use the PropFilePasswordEncoder utility to encode the passwords that are found in the following files.

Table 2. Files that you can encode using the PropFilePasswordEncoder utility

File name: WAS_INSTALL_ROOT/profiles/profile/properties/sas.client.props
    Specifies passwords for:

      • com.ibm.ssl.keyStorePassword
      • com.ibm.ssl.trustStorePassword
      • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile/properties/soap.client.props
    Specifies passwords for:

      • com.ibm.ssl.keyStorePassword
      • com.ibm.ssl.trustStorePassword
      • com.ibm.SOAP.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile/properties/sas.tools.properties
    Specifies passwords for:

      • com.ibm.ssl.keyStorePassword
      • com.ibm.ssl.trustStorePassword
      • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile/properties/sas.stdclient.properties
    Specifies passwords for:

      • com.ibm.ssl.keyStorePassword
      • com.ibm.ssl.trustStorePassword
      • com.ibm.CORBA.loginPassword

File name: WAS_INSTALL_ROOT/profiles/profile/properties/wsserver.key

To re-encode a password in one of the previous files, complete the following steps:

Procedure

  1. Access the file using a text editor and type over the encoded password in plain text. The new password is shown in plain text and must be encoded.

  2. Use the PropFilePasswordEncoder.bat or PropFilePasswordEncoder.sh file in the WAS_INSTALL_ROOT/profiles/profile/bin/ directory to re-encode the password.

    If you are re-encoding SAS properties files, type PropFilePasswordEncoder file_name -sas; the utility then encodes the known SAS properties.

    If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder file_name password_properties_list.

    file_name is the name of the z/SAS properties file, and password_properties_list is the list of property names to encode within the file.

    Use the PropFilePasswordEncoder utility to encode WAS password files only. The utility cannot encode passwords contained in XML files or other files that contain open and close tags.
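As an added example that is not part of this page or of WebSphere's own tooling, the following POSIX shell script checks the Table 2 properties files under a profile directory for password properties whose values are still in plain text after step 1, so that the re-encode in step 2 is not forgotten. It assumes that a value WebSphere has already encoded begins with a braced algorithm tag such as {xor} and that properties are written as name=value; the sample file it builds is constructed, and its encoded value is a placeholder rather than a real encoding. The function names (plaintext_password_props, check_profile, make_sample_props, demo) are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page or from WebSphere): find password properties
# in the Table 2 client properties files that are still in plain text, so the
# PropFilePasswordEncoder step is not skipped after a password is typed over.
#
# Assumption (labelled): a value that WebSphere has already encoded starts with a
# braced algorithm tag such as {xor}; any other non-empty value is plain text.
# Assumption (labelled): properties are written as name=value on a single line.

# Password property names listed in Table 2 of the page.
PASSWORD_PROPS="com.ibm.ssl.keyStorePassword com.ibm.ssl.trustStorePassword \
com.ibm.CORBA.loginPassword com.ibm.SOAP.loginPassword"

# Properties files from Table 2, relative to WAS_INSTALL_ROOT/profiles/profile.
PROFILE_PROPS_FILES="properties/sas.client.props properties/soap.client.props \
properties/sas.tools.properties properties/sas.stdclient.properties"

# plaintext_password_props FILE
# Prints one line per password property in FILE whose value is not encoded.
# Returns 0 when every password property is encoded or absent, 1 otherwise.
plaintext_password_props() {
    file=$1
    found=0
    for prop in $PASSWORD_PROPS; do
        # Escape the dots so the property name is matched literally. Comment
        # lines start with '#', so they never match the anchored name.
        pat=$(printf '%s' "$prop" | sed 's/\./\\./g')
        value=$(grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$file" 2>/dev/null \
                | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
        [ -n "$value" ] || continue
        case $value in
            \{*\}*) ;;                       # braced tag such as {xor}: encoded
            *)      echo "$prop"; found=1 ;; # plain text: needs re-encoding
        esac
    done
    return $found
}

# check_profile PROFILE_DIR
# Runs the check over every Table 2 file that exists under PROFILE_DIR and
# names the offending properties. Returns 0 only when nothing was found.
check_profile() {
    status=0
    for rel in $PROFILE_PROPS_FILES; do
        f="$1/$rel"
        [ -f "$f" ] || continue
        if props=$(plaintext_password_props "$f"); then
            continue
        fi
        echo "$f: plain text value for $(printf '%s' "$props" | tr '\n' ' ')"
        echo "    re-encode with PropFilePasswordEncoder (step 2 of the procedure)"
        status=1
    done
    return $status
}

# make_sample_props FILE
# Writes a constructed sample (not a real profile file) that looks like
# sas.client.props after step 1: one value still encoded, two typed in plain
# text. The encoded value is a placeholder, not a real encoding.
make_sample_props() {
    cat > "$1" <<'EOF'
# sas.client.props (constructed sample)
com.ibm.ssl.keyStorePassword={xor}PLACEHOLDER
com.ibm.ssl.trustStorePassword=WebAS
com.ibm.CORBA.loginPassword=changeme
EOF
}

# demo: build the sample in a scratch profile directory and run the check.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/properties"
    make_sample_props "$dir/properties/sas.client.props"
    rc=0
    check_profile "$dir" || rc=$?
    rm -rf "$dir"
    return $rc
}

# Run the demonstration only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `sh check_props.sh --demo` to see the report on the constructed sample, or source the file and call `check_profile WAS_INSTALL_ROOT/profiles/profile` against a real profile; a non-zero exit status means at least one listed password property is still in plain text.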

Result

If you reopen the affected file or files, the passwords are no longer displayed in plain text. Instead, the passwords appear encoded. WebSphere Application Server does not provide a utility for decoding the passwords.