Encoding passwords in files
The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WAS does not provide a utility for decoding the passwords. Encoding is not sufficient to protect passwords: it is a reversible obfuscation, not encryption, so anyone who can read the file can recover the password. Native (operating system) security, such as the file permissions on the configuration and properties files, is the primary mechanism for protecting passwords used in WAS configuration and property files.
Overview
WAS contains several encoded passwords in files that are not encrypted. WAS provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files. Instead, WebSphere Application Server automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include...
Table 1. XML and XMI files that contain encoded passwords

File name: profile_root/config/cells/cell_name/security.xml
Additional information: The following fields contain encoded passwords:
- LTPA password
- JAAS authentication data
- User registry server password
- LDAP user registry bind password
- Keystore password
- Truststore password
- Cryptographic token device password

File name: war/WEB-INF/ibm_web_bnd.xml
Additional information: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: ejb jar/META-INF/ibm_ejbjar_bnd.xml
Additional information: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: client jar/META-INF/ibm-appclient_bnd.xml
Additional information: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture

File name: ear/META-INF/ibm_application_bnd.xml
Additional information: Passwords for the default basic authentication for the run-as bindings within all the descriptors

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml
Additional information: The following fields contain encoded passwords:
- Keystore password
- Truststore password
- Cryptographic token device password
- Session persistence password
- DRS client data replication password

File name: profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml
Additional information: The following fields contain encoded passwords:
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue manager password

File name: profile_root/config/cells/cell_name/ws-security.xml

File name: ibm-webservices-bnd.xmi

File name: ibm-webservicesclient-bnd.xmi
You use the PropFilePasswordEncoder utility to encode the passwords in properties files. These files include:
Table 2. The PropFilePasswordEncoder utility - Partial File List

File name: profile_root/properties/sas.client.props
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/soap.client.props
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.SOAP.loginPassword

File name: profile_root/properties/sas.tools.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/sas.stdclient.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

File name: profile_root/properties/wsserver.key

File name: profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties
Additional information: Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword

File name: profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
Additional information: Specifies passwords for:
- trustStore.password
To encode a password again in one of the previous files, complete the following steps:
Procedure
- Open the file in a text editor and type the new password over the encoded value. The new password is now stored in clear text and must be re-encoded.
- Run PropFilePasswordEncoder.bat or PropFilePasswordEncoder.sh from the profile_root/profiles/profile_name/bin directory to encode the password again.
If you are encoding a SAS properties file again, type: PropFilePasswordEncoder "file_name" -sas. With the -sas option the utility encodes the known SAS password properties, so you do not have to list them.
SAS is supported only between Version 6.0.x and earlier servers that are federated in a Version 6.1 cell.
If you are encoding a file that is not a SAS properties file, type PropFilePasswordEncoder "file_name" password_properties_list
where "file_name" is the name of the properties file, and password_properties_list is the comma-separated list of the property names whose values you want to encode within that file.
Name only password properties in this list; the tool encodes the value of every property you name, so listing a non-password property corrupts its value.
Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags.
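The following is an added example written for this page, not IBM's PropFilePasswordEncoder or any other WAS code. It shows what the procedure above does to a properties file and why the result is only a deterrent: the default WAS encoding is the {xor} scheme (each byte XORed with '_', base64-encoded, prefixed with "{xor}"), which anyone with read access to the file can reverse. The sample soap.client.props content is constructed, the decision to skip values that already carry the {xor} prefix and the cleartext_passwords audit helper are this example's own choices, and the example does not cover cells where custom password encryption is configured (the real tool then writes a different prefix).

```python
import base64

# WebSphere Application Server's default password encoding, as written into
# properties and XML files: every byte of the password is XORed with '_'
# (0x5F), the result is base64-encoded, and the value is prefixed "{xor}".
# This is obfuscation, not encryption: there is no key, so anyone who can
# read the file can recover the password with xor_decode() below.
XOR_KEY = 0x5F
PREFIX = "{xor}"


def xor_encode(plaintext: str) -> str:
    """Return the {xor} form of a clear-text password."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Invert xor_encode(); raises ValueError for values without the prefix."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value: %r" % encoded)
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def _split_property(line: str):
    """Split a 'key=value' properties line into (key, value); returns None
    for blank lines, comments ('#' or '!') and lines without '='."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!" or "=" not in stripped:
        return None
    key, _, value = stripped.partition("=")
    return key.strip(), value.strip()


def cleartext_passwords(text: str, password_properties: list) -> list:
    """Audit check: names of the given password properties whose value is
    present but not yet {xor}-encoded (i.e. still in clear text)."""
    wanted = set(password_properties)
    found = []
    for line in text.splitlines():
        kv = _split_property(line)
        if kv and kv[0] in wanted and kv[1] and not kv[1].startswith(PREFIX):
            found.append(kv[0])
    return found


def encode_properties(text: str, password_properties: list) -> str:
    """Re-encode the named password properties in a .properties file body,
    mirroring 'PropFilePasswordEncoder file_name password_properties_list':
    only the listed keys are touched, and values that already carry the
    {xor} prefix are left alone (an assumption of this example)."""
    wanted = set(password_properties)
    out = []
    for line in text.splitlines():
        kv = _split_property(line)
        if kv and kv[0] in wanted and kv[1] and not kv[1].startswith(PREFIX):
            out.append("%s=%s" % (kv[0], xor_encode(kv[1])))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample modelled on profile_root/properties/soap.client.props
# after an administrator has typed new clear-text passwords over the old
# encoded values (step 1 of the procedure). The keystore password is still
# in encoded form; "{xor}CDo9Hgw=" decodes to the well-known default "WebAS".
SAMPLE_SOAP_CLIENT_PROPS = """\
# constructed sample, not a real WAS file
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=password
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword=changeit
"""

# The password properties Table 2 lists for soap.client.props.
SOAP_PASSWORD_PROPERTIES = [
    "com.ibm.SOAP.loginPassword",
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStorePassword",
]

if __name__ == "__main__":
    before = cleartext_passwords(SAMPLE_SOAP_CLIENT_PROPS, SOAP_PASSWORD_PROPERTIES)
    print("clear-text password properties before:", before)
    encoded = encode_properties(SAMPLE_SOAP_CLIENT_PROPS, SOAP_PASSWORD_PROPERTIES)
    print(encoded)
    print("clear-text password properties after:", cleartext_passwords(encoded, SOAP_PASSWORD_PROPERTIES))
    # The encoding is reversible, which is why file permissions still matter.
    print("decoded keystore password:", xor_decode("{xor}CDo9Hgw="))
```

Run it to see the sample file before and after step 2 of the procedure; cleartext_passwords() is the check to run across the files in Table 2 after an edit, since a password left in clear text is exactly the mistake the procedure exists to correct. The final decode line is the caveat: because "{xor}" is reversible, restricting who can read these files is what actually protects the passwords.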
Results
If you reopen the affected files, the passwords are encoded. WebSphere Application Server does not provide a utility for decoding the passwords.
Related reference
PropFilePasswordEncoder command reference
Related tasks
Securing passwords in files