(iSeries) Migrate Java thin clients that use the password encoding algorithm
To migrate Java thin clients that are enabled for OS400 password encoding, use the following information to modify the Java client invocation so that the os400.security.password properties are no longer set on the invocation.
The password encoding feature offers the following encoding algorithms:
- XOR, which is the default
- OS400
In Version 5 and later, the value of the os400.security.password.validation.list.object property is dependent upon the property value passed to the thin client using the JAVA_FLAGS environment variable. The JAVA_FLAGS environment variable is set by the setupClient script. The setupClient script calls the setupCmdLine script, which is where the value for the os400.security.password.validation.list.object property is set. For example, if a Version 6.x Base Edition Java client is passed -profileName default, then the setupClient script calls the profile_root/default/bin/setupCmdLine file.
To migrate Java thin clients that are enabled for OS400 password encoding, modify the Java client invocation so that the os400.security.password properties are no longer set on the invocation. The following code sample does not contain the os400.security.password properties:
java -classpath $MY_CLIENT_CLASSES:app_server_root/classes/wsa400.jar:$WAS_CLASSPATH \
  $CLIENTSAS $JAVA_FLAGS \
  -Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory \
  -Djava.naming.provider.url=iiop://server1:10151 \
  MyClientClass $*

Perform the following steps if the following condition is true:
- If the passwords in the sas.client.props file for that profile are encoded with the OS400 password encoding algorithm
- Replace all of the OS400 encoded passwords, which have {OS400} prefixes in the sas.client.props file for the Application Server profile, with the clear text values of the passwords.
- Encode the passwords using the PropFilePasswordEncoder Qshell command.
For more information, see PropFilePasswordEncoder command reference.
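An audit helper for the steps above, as an added example that is not IBM's or this page's own code: it lists the properties in a sas.client.props file whose values still carry the {OS400} prefix, without printing the values, and checks whether a flags string still sets an os400.security.password property. The function names, the sample file contents and the placeholder values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and sample data are constructed.

# Print "line:property" for each uncommented property whose value starts with
# {OS400}. Values are never printed. Assumes key=value lines, as in the sample.
list_os400_props() {
    awk '
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val)
            if (index(val, "{OS400}") == 1) print NR ":" key
        }
    ' "$1"
}

# Number of properties that still need to be replaced and re-encoded.
count_os400_props() {
    list_os400_props "$1" | wc -l | tr -d ' '
}

# Exit status 0 if the flags string still sets an os400.security.password property.
flags_set_os400() {
    case "$1" in
        *-Dos400.security.password*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample; encoded values are placeholders, not real encodings.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sas.client.props excerpt
com.ibm.CORBA.loginUserid=clientuser
com.ibm.CORBA.loginPassword={OS400}PLACEHOLDER1
com.ibm.ssl.keyStorePassword={xor}PLACEHOLDER2
#com.ibm.ssl.trustStorePassword={OS400}PLACEHOLDER3
com.ibm.ssl.trustStorePassword = {OS400}PLACEHOLDER4
EOF

echo "Still OS400-encoded (line:property): $(count_os400_props "$SAMPLE")"
list_os400_props "$SAMPLE"
flags_set_os400 "-Dos400.security.password.validation.list.object=PLACEHOLDER" \
    && echo "JAVA_FLAGS still sets os400.security.password properties"
```

A count of 0 after the PropFilePasswordEncoder step, together with a failing flags check, indicates the client no longer depends on OS400 encoding; between the two steps the file holds clear text passwords, so restrict access to it until it is re-encoded.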
Results
We can configure a WAS profile to encode passwords with the XOR algorithm even though the profile is enabled to decode passwords that were encoded with either the OS400 algorithm or the XOR algorithm. If we encode these passwords with the XOR algorithm, then the passwords in the sas.client.props file are encoded with the XOR algorithm.
Related tasks
Migrate, coexist, and interoperate - Security considerations