Encode passwords in files
Overview
Several WAS configuration and properties files hold passwords that are encoded but not encrypted. WAS provides the PropFilePasswordEncoder utility for encoding the passwords in the properties files. Encoding only obscures the value on disk: anyone who can read the file can recover the password, so keep the file permissions on these files restricted to the WAS runtime user and treat the files as sensitive.
The PropFilePasswordEncoder utility does not encode passwords contained in XML or XMI files; WAS encodes the passwords in those files automatically.
XML and XMI files that contain encoded passwords include the following:
- PROFILE/config/cells/cell_name/security.xml
  - LTPA password
  - JAAS authentication data
  - User registry server password
  - LDAP user registry bind password
  - Keystore password
  - Truststore password
  - Cryptographic token device password
- war/WEB-INF/ibm_web_bnd.xml
  - Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the JCA
- ejb jar/META-INF/ibm_ejbjar_bnd.xml
  - Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the JCA
- client jar/META-INF/ibm-appclient_bnd.xml
  - Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the JCA (Java cryptography architecture)
- ear/META-INF/ibm_application_bnd.xml
  - Passwords for the default basic authentication for the run-as bindings within all the descriptors
- PROFILE/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml
  - Keystore password
  - Truststore password
  - Cryptographic token device password
  - Session persistence password
  - DRS client data replication password
- PROFILE/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml
  - WAS40Datasource password
  - mailTransport password
  - mailStore password
  - MQQueue queue manager password
- PROFILE/config/cells/cell_name/ws-security.xml
- ibm-webservices-bnd.xmi
- ibm-webservicesclient-bnd.xmi
PropFilePasswordEncoder utility
Use the utility to encode the passwords in the following properties files:
- PROFILE/properties/sas.client.props
  - com.ibm.ssl.keyStorePassword
  - com.ibm.ssl.trustStorePassword
  - com.ibm.CORBA.loginPassword
- PROFILE/properties/sas.tools.properties
  - com.ibm.ssl.keyStorePassword
  - com.ibm.ssl.trustStorePassword
  - com.ibm.CORBA.loginPassword
- PROFILE/properties/sas.stdclient.properties
  - com.ibm.ssl.keyStorePassword
  - com.ibm.ssl.trustStorePassword
  - com.ibm.CORBA.loginPassword
- PROFILE/properties/wsserver.key
- PROFILE/profiles/AppSrvXX/properties/sib.client.ssl.properties
  - com.ibm.ssl.keyStorePassword
  - com.ibm.ssl.trustStorePassword
- PROFILE/UDDIReg/scripts/UDDIUtilityTools.properties
  - trustStore.password
Encode a password again in one of the previous files
- Edit the file and type the new password over the existing value. The value now in the file is clear text and must be re-encoded.
- Run PROFILE/bin/PropFilePasswordEncoder.sh. For files that are not SAS properties files, type:
  PropFilePasswordEncoder "file_name" password_properties_list
  where file_name is the properties file to encode and password_properties_list is the comma-separated list of property names whose values are to be encoded, for example com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword. For the SAS properties files (sas.client.props, sas.tools.properties, sas.stdclient.properties) use the -SAS option in place of the property list.
- When PropFilePasswordEncoder runs, a prompt asks whether to keep a backup of the original file. If you answer yes, a backup file (.bak) is written next to the original, and it contains the clear-text password. Check the result, then delete the .bak file. To suppress the prompt, edit the PropFilePasswordEncoder script and add the Java system property -Dcom.ibm.websphere.security.util.createBackup=true or -Dcom.ibm.websphere.security.util.createBackup=false as a parameter: true always creates the backup file, false never creates it.
List only password properties in password_properties_list; the utility encodes the value of every property name you give it.
Use the PropFilePasswordEncoder utility only on the WAS properties files listed above. It cannot encode passwords in XML files or in other files that use open and close tags.
Results
When you reopen the affected files, the listed password values are encoded. WAS does not provide a utility for decoding the passwords.
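The following is an added example, not part of this page and not IBM's utility. It reimplements the default WAS "{xor}" password encoding (each byte XORed with 0x5F, then base64, with a "{xor}" prefix) to show two things at once: what PropFilePasswordEncoder writes into a properties file for the re-encoding procedure above, and why the absence of an IBM decoding utility is no protection, since the encoding reverses trivially. The properties-file contents, the property list and the file-handling helpers are constructed for the example; the parser handles only plain key=value lines, not the ":" separator, escapes or line continuations that the Java properties format also allows.

```python
"""Added example: the default WAS {xor} encoding and a properties-file encoder.

Not IBM code. The encoding algorithm is the well-known WAS default; the
properties-file handling below is a simplified stand-in for what
PropFilePasswordEncoder does, so that the effect can be seen offline.
"""
import base64
from typing import List, Sequence

XOR_KEY = 0x5F      # the '_' character; the key the default WAS encoding uses
PREFIX = "{xor}"    # marker WAS puts in front of an encoded value


def xor_encode(clear: str) -> str:
    """Encode a clear-text password the way WAS does by default."""
    data = bytes(b ^ XOR_KEY for b in clear.encode("utf-8"))
    return PREFIX + base64.b64encode(data).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse the encoding. WAS ships no decoder, but one is this short."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    data = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in data).decode("utf-8")


def _entries(text: str):
    """Yield (line, key, value) for key=value lines; key is None otherwise."""
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(("#", "!")) or "=" not in stripped:
            yield line, None, None
        else:
            key, _, value = stripped.partition("=")
            yield line, key.strip(), value.strip()


def find_clear_text(text: str, props: Sequence[str]) -> List[str]:
    """Check: which of the named password properties are still clear text?

    Run this over a properties file after re-encoding to confirm that no
    clear-text value was left behind."""
    return [key for _, key, value in _entries(text)
            if key in props and not value.startswith(PREFIX)]


def encode_properties(text: str, props: Sequence[str]) -> str:
    """Encode the values of the named properties, as the utility would.

    Values that already carry the {xor} prefix are left alone, so running
    the function twice is harmless; every other line passes through unchanged."""
    out = []
    for line, key, value in _entries(text):
        if key in props and not value.startswith(PREFIX):
            line = f"{key}={xor_encode(value)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the shape of sas.client.props; not a real profile file.
PASSWORD_PROPS = ["com.ibm.ssl.keyStorePassword",
                  "com.ibm.ssl.trustStorePassword",
                  "com.ibm.CORBA.loginPassword"]
SAMPLE = """# constructed sample, not a real WAS file
com.ibm.ssl.keyStorePassword=password
com.ibm.ssl.trustStorePassword={xor}Lz4sLCgwLTs=
com.ibm.CORBA.loginPassword=secret
com.ibm.CORBA.loginUserid=wasadmin
"""


def demo() -> str:
    """Encode the sample and return the resulting file text."""
    return encode_properties(SAMPLE, PASSWORD_PROPS)


if __name__ == "__main__":
    print("clear text before:", find_clear_text(SAMPLE, PASSWORD_PROPS))
    encoded = demo()
    print(encoded)
    print("clear text after:", find_clear_text(encoded, PASSWORD_PROPS))
    # The encoded value gives no protection against anyone who can read the file.
    print("recovered:", xor_decode("{xor}Lz4sLCgwLTs="))
```

The check function is the part worth keeping: after each re-encoding run, and before deleting the .bak file, confirm that every password property in the file carries the "{xor}" prefix. The decode function makes the point of the page's own caveat concrete: because the value is recoverable from the file alone, file permissions, not the encoding, are what protect these passwords.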
PropFilePasswordEncoder command reference
Related tasks
Secure passwords in files