Disable custom password encryption


If custom password encryption fails or is no longer required, perform this task to disable custom password encryption.

Enable custom password encryption.

Complete the following steps to disable custom password encryption.

 

  1. Change the com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled property to false in security.xml, but leave the com.ibm.wsspi.security.crypto.customPasswordEncryptionClass property configured. Any passwords in the model that still have the {custom:alias} tag are decrypted by using the custom password encryption class.

  2. If an encryption key is lost, any passwords that are encrypted with that key cannot be retrieved. To recover a password, retype the password in the password field in plaintext and save the document. The new password must be written out encoded with the {xor} tag, either with scripting or from the admin console.

    com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
    com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false
    

  3. Restart all processes to make the changes effective.

  4. Edit each configuration document that contains an encrypted password and save the configuration. All password fields are then run through the WSEncoderDecoder utility, which calls the plug point in the presence of the {custom:alias} tag. The {xor} tags display in the configuration documents again after the documents are saved.

  5. Decrypt and encode any passwords that are in client-side property files using the PropsFilePasswordEncoder (.bat or .sh) utility. If the encryption class is specified, but custom encryption is disabled, running this utility converts the encryption to encoding and causes the {xor} tags to display again.

  6. Disable custom password encryption from the client Java virtual machines (JVMs) by adding the system properties listed previously to all client scripts. This action enables the code to decrypt passwords, but the custom class is not used to encrypt them again. The {xor} algorithm becomes the default for encoding. Leave the custom password encryption class defined for a time in case any encrypted passwords still exist in the configuration.
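
The following added example (not part of the original product documentation) is one way to check, before the custom password encryption class is eventually removed, whether any {custom:alias} values remain in configuration documents or client property files. The sample file names, attribute names, the alias keyA, the values, and the list of file suffixes scanned are all constructed assumptions.

```python
import os
import re
import tempfile

# Leading tag of a stored password value: {xor} or {custom:alias}.
TAG_RE = re.compile(r"\{(xor)\}|\{custom:([^}\s]+)\}")

# Constructed sample documents; attribute names, alias and values are made up.
SAMPLE_XML = '''<config>
  <auth alias="db" password="{custom:keyA}EXAMPLEVALUE"/>
  <auth alias="mq" password="{xor}EXAMPLEVALUE"/>
</config>'''
SAMPLE_PROPS = "example.user=admin\nexample.password={xor}EXAMPLEVALUE\n"

def find_password_tags(text):
    """Return (line_no, kind, alias) for each tagged value in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TAG_RE.finditer(line):
            kind = "xor" if m.group(1) else "custom"
            hits.append((line_no, kind, m.group(2)))
    return hits

def audit_tree(root, suffixes=(".xml", ".props", ".properties")):
    """Map each file under root to the {custom:alias} values it still holds."""
    remaining = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_password_tags(fh.read())
            custom = [h for h in hits if h[1] == "custom"]
            if custom:
                remaining[path] = custom
    return remaining

def demo():
    """Write the constructed samples to a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("security.xml", SAMPLE_XML), ("client.props", SAMPLE_PROPS)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): v for p, v in audit_tree(root).items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

An empty result from audit_tree means no {custom:alias} values were found in the scanned files; any file it lists still depends on the custom class for decryption.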

 

Results

Custom password encryption is disabled.

 

Related concepts


Plug point for custom password encryption

 

Related tasks


Enable custom password encryption