Encoding passwords in files
The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WAS does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.
WebSphere Application Server contains several encoded passwords in files that are not encrypted. WebSphere Application Server provides the PropFilePasswordEncoder utility, which we can use to encode passwords in properties files. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords contained within XML or XMI files.
Important: The PropFilePasswordEncoder only updates existing property and XML files. If subsequent files are added, such as can occur after installing a new application, this procedure should be rerun for those new files.
The utility is not used for XML and XMI files containing encoded passwords; instead, WebSphere Application Server automatically encodes the passwords in these files.
XML and XMI files
Each entry gives the file name, additional information about the encoded fields, and, where one exists, the administrative console navigation path for changing the password.

(dist)(zos) profile_root/config/cells/cell_name/security.xml
The following fields contain encoded passwords:
- LTPA password
- JAAS authentication data
- User registry server password
- LDAP user registry bind password
- Keystore password
- Truststore password
- (dist) Cryptographic token device password
Navigation: Security > Global security > Apply.

(iseries) profile_root/config/cells/cell_name/security.xml
The following fields contain encoded passwords:
- LTPA password
- JAAS authentication data
- User registry server password
- LDAP user registry bind password
- Keystore password
- Truststore password
- Cryptographic token device password
Navigation: Security > Global security > Apply.

war/WEB-INF/ibm_web_bnd.xml
Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

ejb jar/META-INF/ibm_ejbjar_bnd.xml
Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

client jar/META-INF/ibm-appclient_bnd.xml
Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

ear/META-INF/ibm_application_bnd.xml
Passwords for the default basic authentication for the run-as bindings within all the descriptors.

(dist)(zos) profile_root/config/cells/cell_name/nodes/node/servers/server_name/security.xml
The following fields contain encoded passwords:
- Keystore password
- Truststore password
- (dist) Cryptographic token device password
- Session persistence password
- DRS client data replication password

(iseries) profile_root/config/cells/cell_name/nodes/node/servers/security.xml
The following fields contain encoded passwords:
- Keystore password
- Truststore password
- Cryptographic token device password
- Session persistence password
- DRS client data replication password

(dist)(zos) profile_root/config/cells/cell_name/nodes/node/servers/server_name/resources.xml
The following fields contain encoded passwords:
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue manager password

(iseries) profile_root/config/cells/cell_name/nodes/node/servers/server1/resources.xml
The following fields contain encoded passwords:
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue manager password

(dist) profile_root/config/cells/cell_name/ws-security.xml
Navigation: Servers > Server types > WebSphere application servers > serverName > JAX-WS and JAX-RPC security runtime > Apply.

(iseries) profile_root/config/cells/cell_name/ws-security.xml
Navigation: Servers > Server types > WebSphere application servers > serverName > JAX-WS and JAX-RPC security runtime > Apply.

ibm-webservices-bnd.xmi
This is a deployment descriptor included with JAX-RPC provider applications. The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
Navigation: Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Server security binding (under Web Services Security Properties) > Edit custom.

ibm-webservicesclient-bnd.xmi
This is a deployment descriptor included with JAX-RPC client applications. The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
- Username token passwords
Navigation: Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Client security binding (under Web Services Security Properties) > Edit custom.

profile_root/config/cells/cell_name/PolicyTyper/WSSecurity/bindings.xml
The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
- Username token passwords
Navigation: Services > Policy sets > Default policy set bindings > Version 6.1 default policy set bindings > WS-Security > Custom properties > Apply.

profile_root/config/cells/cell_name/nodes/node/servers/server_name/server.xml
The following fields contain encoded passwords:
- Database administrator password
Navigation: Servers > Server types > WebSphere application servers > serverName > Session management > Distributed environment > Database > OK. If we are not using a database, choose None.

profile_root/config/cells/cell_name/applications/appName/.../WSSecurity/bindings.xml
WSSecurity/bindings.xml is a JAX-WS WS-Security policy binding file. When it is located in the cell_name/applications path, it is part of an application-specific binding. The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
- Username token passwords
Navigation: Services > Service providers (or Service clients) > resourceName > bindingName > WS-Security > Custom properties > Apply.

profile_root/config/cells/cell_name/
- ./Client sample/PolicyTypes/WSSecurity/bindings.xml
- ./Client sample V2/PolicyTypes/WSSecurity/bindings.xml
- ./Provider sample/PolicyTypes/WSSecurity/bindings.xml
- ./Provider sample V2/PolicyTypes/WSSecurity/bindings.xml
- ./Saml Bearer Client sample/PolicyTypes/WSSecurity/bindings.xml
- ./Saml Bearer Provider sample/PolicyTypes/WSSecurity/bindings.xml
- ./Saml HoK Symmetric Client sample/PolicyTypes/WSSecurity/bindings.xml
- ./Saml HoK Symmetric Provider sample/PolicyTypes/WSSecurity/bindings.xml
The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
- Username token passwords
Navigation: Services > Policy sets > General provider policy set bindings > bindingName > WS-Security > Custom properties > Apply.

profile_root/config/cells/cell_name/sts
- ./policy/TrustServiceSecurityDefault/PolicyTypes/WSSecurity/bindings.xml
- ./policy/TrustServiceSymmetricDefault/PolicyTypes/WSSecurity/bindings.xml
The following fields contain encoded passwords:
- Keystore passwords
- Key passwords
- Username token passwords
Navigation: Services > Trust service > Trust service attachments > bindingName > WS-Security > Custom properties > Apply.
PropFilePasswordEncoder utility - Partial File List
Each entry gives the file name and the password properties that the file specifies.

(dist)(zos)(iseries) profile_root/properties/sas.client.props
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

(dist)(zos)(iseries) profile_root/properties/sas.tools.properties
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

(dist)(zos)(iseries) profile_root/properties/sas.stdclient.properties
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword

(dist)(zos)(iseries) profile_root/properties/wsserver.key

profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword

profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
Specifies passwords for:
- trustStore.password

profile_root/config/cells/cell_name/sts/SAMLIssuerConfig.properties
The following fields contain encoded passwords:
- KeystorePassword
- KeyPasswords
- TrustStorePassword

Use PropFilePasswordEncoder utility
To encode a password again in one of the previous files:
- Access the file using a text editor and type over the encoded password. The new password is no longer encoded and must be re-encoded.
- (dist)(zos) Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncoder.sh file in the profile_root/bin directory to encode the password again.
(dist) If we are encoding files that are not SAS properties files, type:
PropFilePasswordEncoder "file_name" password_properties_list
(zos) If we are encoding files that are not z/SAS properties files, type:
PropFilePasswordEncoder "file_name" password_properties_list
where "file_name" is the name of the z/SAS properties file, and password_properties_list is the list of the properties to encode within the file.
Important: When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. If a backup version is required, a backup file (.bak) is created with the clear-text password. Examine the results and then delete this backup file; it contains the unencrypted password. If we do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter:
- -Dcom.ibm.websphere.security.util.createBackup=true
- -Dcom.ibm.websphere.security.util.createBackup=false
A true value for the Java system property creates a backup file and a false value disables the backup file.
Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords contained in XML files or other files containing open and close tags. To change passwords in these files, use the console or an assembly tool such as Rational Application Developer.
- (iseries) Use the PropFilePasswordEncoder script in the profile_root/bin/ directory to encode the password again.
If we are encoding files that are not SAS properties files, type:
PropFilePasswordEncoder "file_name" password_properties_list
where "file_name" is the name of the SAS properties file, and password_properties_list is the list of the properties to encode within the file.
Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
Use the PropFilePasswordEncoder tool to encode WebSphere Application Server password files only. The utility cannot encode passwords contained in XML files or other files containing open and close tags. To change passwords in these files, use the console or an assembly tool such as Rational Application Developer.
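A post-procedure check, added here as an example and not part of the IBM documentation or product: it parses properties files such as sas.client.props, reports the password properties from the list above that still hold clear-text values (useful after editing a password by hand, or after new files appear as the Important note above warns), and lists leftover .bak backups from the encoder. It assumes that an encoded value starts with a "{xor}"-style tag and that the scan target is a directory such as profile_root/properties.

```python
# Added audit script, not IBM's code: flags password properties left in clear text
# and leftover .bak backups. Assumes encoded values start with a "{xor}"-style tag.
import re
from pathlib import Path
# Password properties the page lists for the sas.*.props/.properties files.
PASSWORD_KEYS = ("com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword",
                 "com.ibm.CORBA.loginPassword")
ENCODED_RE = re.compile(r"^\{[A-Za-z0-9:_-]+\}")  # {xor}..., {custom:...}, etc.
# Constructed sas.client.props fragment: one encoded, one clear-text, one empty value.
SAMPLE_PROPS = """com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword=changeit
com.ibm.CORBA.loginPassword=
com.ibm.CORBA.loginUserid=wasadmin
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def clear_text_keys(text, keys=PASSWORD_KEYS):
    """Password keys whose value is set but has no {algorithm} tag; empty values are skipped."""
    props = parse_properties(text)
    return [k for k in keys if props.get(k) and not ENCODED_RE.match(props[k])]

def audit_files(files, keys=PASSWORD_KEYS):
    """files: {name: text}. .bak copies are reported because the encoder's backup
    keeps the clear-text password; .props/.properties files are scanned."""
    report = {"clear_text": {}, "backups": []}
    for name, text in sorted(files.items()):
        if name.endswith(".bak"):
            report["backups"].append(name)
        elif name.endswith((".props", ".properties")):
            bad = clear_text_keys(text, keys)
            if bad:
                report["clear_text"][name] = bad
    return report

def audit_directory(directory, keys=PASSWORD_KEYS):
    """Run audit_files over a directory such as profile_root/properties."""
    return audit_files({f.name: f.read_text(encoding="latin-1")
                        for f in Path(directory).iterdir() if f.is_file()}, keys)
```

Pass a different keys tuple (for example the soap.client.props login password property) to audit files whose password properties are not in the default list.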
Results
If we reopen the affected files, the passwords are encoded. WAS does not provide a utility for decoding the passwords.
(zos) The reliance on passwords in configuration files can be minimized on WebSphere Application Server for z/OS by taking advantage of z/OS-specific features:
- Use a System Authorization Facility (SAF) registry to remove the requirement for a user registry server password.
- Select SAF authorization and delegation so role-to-user binding passwords are removed.
- Use a RACF keyring for all SSL repertoires, and trust and key file passwords are no longer required.
- Use native connectors, and configure sync-to-thread to possibly remove the need for JAAS authentication data.
Example
The following example shows how to use the PropFilePasswordEncoder tool:
PropFilePasswordEncoder C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword
where:
- PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.
- C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file containing the passwords to encode.
- com.ibm.ssl.keyStorePassword is a password to encode in the file.
- com.ibm.ssl.trustStorePassword is a second password to encode in the file.
Subtopics
- (iseries) Manually encoding passwords in properties files
To use password encoding with WebSphere Application Server administrative commands and Java clients, passwords must be manually encoded in the soap.client.props and sas.client.props files using the PropFilePasswordEncoder tool.
- PropFilePasswordEncoder command reference
The PropFilePasswordEncoder command encodes passwords that are located in plain text property files. This command encodes both Secure Authentication Server (SAS) property files and non-SAS property files. After you encode the passwords, a decoding command does not exist.
- (iseries) Enable the non-default OS/400 password encoding algorithm
The purpose of password encoding is to deter casual observation of passwords in server configuration and property files.
- (iseries) Change encoding algorithm from OS400 to XOR
Use these steps to change the encoding algorithm from OS400 to XOR.
- (iseries) Restoring or replacing damaged validation list objects
Periodically, you should save the validation list objects with the other configuration data objects used by WebSphere Application Server. Use this task if we need to restore or replace a damaged validation list object.
Related tasks
- Secure passwords in files
- Enable custom password encryption