Enable custom password encryption


Passwords stored in the WAS configuration must be protected. After creating the server profile, you can add protection by creating a custom class that encrypts these passwords instead of leaving them in the default {xor} encoding.

Create the custom class for encrypting passwords.

See Plug point for custom password encryption.

Complete the following steps to enable custom password encryption.


  1. Add the following system properties for every server and client process. For server processes, update the server.xml file for each process. Add these properties as a genericJvmArgument argument preceded by a -D prefix.

    com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
    com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
    

    Tip: If the custom encryption class name is com.ibm.wsspi.security.crypto.CustomPasswordEncryptionImpl, it is automatically enabled when this class is present in the classpath. Do not define the system properties that are listed previously when the custom implementation has this package and class name. To disable encryption for this class, specify com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false as a system property.

  2. Add the JAR file containing the implementation class to the APP_ROOT/classes directory so that the WAS runtime can load the file.

  3. Restart all server processes.

  4. Edit each configuration document that contains a password and save the configuration. All password fields are then run through the WSEncoderDecoder utility, which calls the plug point when it is enabled. The {custom:alias} tags then appear in the configuration documents. Encrypted passwords are still Base64-encoded, so they look like encoded passwords except for the tag that precedes them.

  5. Encrypt any passwords that are in client-side property files using the PropsFilePasswordEncoder (.bat or .sh) utility. This utility requires that the properties listed previously are defined as system properties in the script to encrypt new passwords instead of encoding them.

  6. To decrypt passwords from client Java virtual machines (JVMs), add the properties listed previously as system properties for each client utility.

  7. Ensure that all nodes have the custom encryption classes in their class paths prior to enabling this function. The order in which enablement occurs is important. When adding a new node to a cell that contains password encryption, the new node must contain the custom encryption classes prior to running the addNode command. Consider the following ND enablement scenarios:

    1. The StandAloneProfile profile is encrypting passwords with a different key prior to federation to a dmgr cell. For this scenario, uninstall custom password encryption and verify that the configuration has {xor} tags preceding the passwords prior to running the addNode command.

      The same implementation of the plug point must be in the /classes directory prior to running the addNode command, and the proper configuration properties are set so that the new node can recognize the encrypted password format of security.xml after federation completes.

    2. The StandAloneProfile profile does not have password encryption configured prior to federation to a dmgr cell. The same implementation of the plug point must be in the /classes directory prior to running the addNode command, and the proper configuration properties are set so that the new node can recognize the encrypted password format of security.xml after federation completes.

    3. If enabling custom password encryption in a cell with multiple nodes present, update the correct configuration properties and have the custom password encryption implementation class located on all nodes. Stop all processes in the cell, and then start the dmgr. Use the admin console to edit the security configuration and then save it. Verify that the passwords are encrypted by looking at security.xml to see if the passwords are preceded by {custom:alias} tags.

    4. Run the syncNode command on each node, and start each one individually. If any nodes fail to start, make sure that they have custom password encryption enabled properly in each security.xml file and that the implementation class is in the appropriate /classes directory for the platform.
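The checks that step 7 asks for (which tags precede the passwords in security.xml, whether the implementation JAR is in the classes directory, and whether server.xml carries both -D properties) as a POSIX shell pre-flight script. This is an added example, not part of the WAS documentation: the JAR name acme-pwcrypt.jar, the sample security.xml content, the directory layout and the advice strings are constructed for illustration, and com.acme.myPasswordEncryptionClass is the placeholder class name used in step 1.

```sh
#!/bin/sh
# Added example (not from the WAS documentation): pre-flight checks before
# enabling custom password encryption or federating a node. The JAR name,
# sample documents and paths below are assumptions for illustration.

# Count password="..." attributes in a configuration document by tag.
# Prints "<custom> <xor> <other>"; "other" is plain text or an unknown prefix.
classify_passwords() {
    grep -o 'password="[^"]*"' "$1" 2>/dev/null | awk -F'"' '
        index($2, "{custom:") == 1 { c++; next }
        index($2, "{xor}")    == 1 { x++; next }
        { o++ }
        END { printf "%d %d %d\n", c, x, o }'
}

# Summarize one document as: custom | xor | mixed | unprotected | none
password_state() {
    set -- $(classify_passwords "$1")
    c=$1; x=$2; o=$3
    if [ "$c" -eq 0 ] && [ "$x" -eq 0 ] && [ "$o" -eq 0 ]; then echo none
    elif [ "$o" -gt 0 ]; then echo unprotected
    elif [ "$c" -gt 0 ] && [ "$x" -gt 0 ]; then echo mixed
    elif [ "$c" -gt 0 ]; then echo custom
    else echo xor; fi
}

# Step 1 and step 2 together: both -D properties present in server.xml and the
# implementation JAR present in the classes directory. Returns 0 when ready.
plugpoint_configured() {
    server_xml=$1; classes_dir=$2; jar=$3
    grep -q 'com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true' "$server_xml" || return 1
    grep -q 'com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=' "$server_xml" || return 1
    [ -f "$classes_dir/$jar" ]
}

# Map the state of a stand-alone profile's security.xml to the step 7 scenario.
federation_advice() {
    case "$(password_state "$1")" in
        custom|mixed)
            echo "scenario 1: uninstall custom password encryption and re-save until only {xor} tags remain, then run addNode" ;;
        xor|none)
            echo "scenario 2: place the same plug point JAR in /classes and set both -D properties on the node, then run addNode" ;;
        unprotected)
            echo "save the configuration so every password is at least encoded before federating" ;;
    esac
}

# Constructed sample security.xml fragment (not a real WAS document): two
# passwords already encrypted by the plug point, one still {xor}-encoded.
write_sample_config() {
    cat > "$1" <<'EOF'
<security:Security xmi:version="2.0">
  <authDataEntries alias="dbAlias" userId="dbuser" password="{custom:alias}QUJDREVGRw=="/>
  <authDataEntries alias="mqAlias" userId="mquser" password="{custom:alias}SElKS0xNTk8="/>
  <authDataEntries alias="ldapBind" userId="cn=bind" password="{xor}Lz4sLCgwLTs="/>
</security:Security>
EOF
}

# Usage: sh precheck.sh --demo   (runs the checks against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_config "$tmp/security.xml"
    echo "tags (custom xor other): $(classify_passwords "$tmp/security.xml")"
    echo "state: $(password_state "$tmp/security.xml")"
    federation_advice "$tmp/security.xml"
    rm -rf "$tmp"
fi
```

Run password_state against every document under the profile's config tree, not only security.xml, before the syncNode step: a node that still carries one {xor} password in a document the deployment manager has already re-saved with {custom:alias} tags is the "mixed" case, and a node that lacks the JAR fails plugpoint_configured and will not start.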


Results

Custom password encryption is enabled.


Next steps

If custom password encryption fails or is no longer required, see Disable custom password encryption.


Related concepts


Plug point for custom password encryption


Related tasks


Secure passwords in files