(iSeries)
Password encoding and encryption
Password encoding deters the casual observation of passwords in server configuration and property files.
By default, passwords are automatically encoded with a simple masking algorithm in various WebSphere Application Server ASCII configuration files. Additionally, we can manually encode passwords in properties files used by Java clients and by administrative commands for WAS.
The default encoding algorithm is referred to as XOR. An alternate OS400 encoding algorithm can be used with WAS for IBM i that exploits native validation list (*VLDL) objects only. With the OS400 algorithm, passwords are stored in an encrypted form within a validation list. The configuration files contain indexes to the stored passwords instead of the masked passwords, as is done with the XOR algorithm.
Encoded passwords use the following syntax:
{algorithm}encoded_password

where {algorithm} is a tag that specifies the algorithm used to encode the password, which is either XOR or OS400. The encoded_password variable is the encoded value of the password. When a server or client needs to decode a password, it uses the tag to determine which algorithm to use and then uses that algorithm to decode the encoded password.

Java clients use passwords from the sas.client.props file, which is in the profile_root/properties directory.
To use password encoding with Java clients, the passwords must be manually encoded in the sas.client.props file using the PropFilePasswordEncoder tool.
The administrative commands for WAS use passwords from the soap.client.props file, which is also located in the profile_root/properties directory, for SOAP connections. Some administrative commands optionally use passwords from the sas.client.props file in the profile_root/properties for RMI connections. To use password encoding with administrative commands, we must manually encode the passwords in the soap.client.props and sas.client.props files using the PropFilePasswordEncoder tool.
Whether we use the OS400 encoding algorithm or the default XOR encoding algorithm, encoding alone is not sufficient to protect passwords: it only deters casual observation. Native object and file security is the primary mechanism for protecting the passwords used in the configuration and property files for WAS.
Issues to consider when using the OS400 password encoding algorithm
The following issues are important for you to consider before deciding to use the OS400 password encoding algorithm:
- We must set the QRETSVRSEC system value to 1 on the system that hosts the Java client application or WAS. With this setting, WAS can retrieve the encrypted passwords from the validation list.
The QRETSVRSEC system value affects access to the encrypted data in all of the validation lists on the operating system. Do not use the OS400 password encoding algorithm if this setting is not consistent with our security policy for our operating system.
- Use the OS400 algorithm with server instances only when all of the server instances within the administrative domain for WAS reside on the same IBM i system. Consider the following related issues:
  - Administrative domains for WAS can extend across multiple IBM i systems. Use the OS400 password algorithm only when all of the servers within an administrative domain reside on the same IBM i system.
  - Server configuration XML files contain encoded passwords. If the passwords contained in the XML files are encoded using the OS400 encoding algorithm, those encodings are valid only for the Application Server profiles on the same IBM i system on which the passwords were originally encoded. Copies of configuration files that contain passwords encoded with the OS400 algorithm cannot be used to configure servers on other IBM i systems.
  - All server instances within an administrative domain must be configured to use the same native validation list (*VLDL) object.
- For Java clients, we can use the OS400 password algorithm on any IBM i system. However, option 1 must be installed on the system that hosts the Java client.
- If an error occurs while a password is encoded using the OS400 encoding algorithm, the XOR encoding algorithm is used to encode the password. An error might occur if an administrator manually creates the validation list object and grants insufficient authority to the validation list object for the IBM i QEJB user profile.
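The following added example (not part of the original page or of the WAS product code) shows, for both the {algorithm}encoded_password syntax above and the OS400 portability issues just listed, how a properties file can be audited: it splits each password value into its algorithm tag and encoded part, reports whether the value is clear text, XOR-masked, or an OS400 validation-list index, and demonstrates that the XOR form is reversible masking rather than encryption. The page only names the XOR algorithm; the assumption here, beyond the page, is the well-known WAS scheme in which each password byte is XORed with 0x5F and the result is base64-encoded under a lowercase {xor} tag. The property names follow the sas.client.props and soap.client.props naming, and the sample file body and its values are constructed.

```python
import base64
from typing import Optional

# ASSUMPTION (not stated on the page): the XOR algorithm XORs each byte of the
# password with 0x5F and base64-encodes the result; the tag written into the
# files is the lowercase "{xor}".
XOR_KEY = 0x5F


def split_tag(value: str) -> tuple[Optional[str], str]:
    """Split '{algorithm}encoded_password' into (algorithm, encoded_password).

    The algorithm is returned lower-cased; a value without a tag is clear text
    and comes back as (None, value).
    """
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].lower(), value[end + 1:]
    return None, value


def xor_encode(password: str) -> str:
    """Mask a clear-text password the way the XOR algorithm does."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def xor_decode(value: str) -> str:
    """Undo xor_encode; XOR is its own inverse, so the same operation unmasks."""
    algorithm, encoded = split_tag(value)
    if algorithm != "xor":
        raise ValueError("not an XOR-encoded value: %r" % value)
    masked = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


def classify(value: str) -> str:
    """Describe what protection (if any) a stored password value has."""
    algorithm, _ = split_tag(value)
    if algorithm == "xor":
        return "xor: reversible masking, rely on object and file security"
    if algorithm == "os400":
        return ("os400: index into a *VLDL, valid only on the system that "
                "encoded it, requires QRETSVRSEC=1")
    if algorithm is None:
        return "cleartext: encode with PropFilePasswordEncoder"
    return "unknown algorithm tag: " + algorithm


def audit_properties(text: str) -> dict[str, str]:
    """Return {property name: classification} for every password property in
    a .props file body; comment lines and blank lines are skipped."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if "password" in key.lower():
            findings[key] = classify(value)
    return findings


# Constructed sample covering the three cases; the property names follow the
# sas.client.props / soap.client.props naming, the values are made up.
SAMPLE_PROPS = """\
# constructed example, not a real profile
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword={xor}LDo8LTor
com.ibm.SOAP.loginPassword={OS400}00000001
com.ibm.ssl.keyStorePassword=changeit
"""

if __name__ == "__main__":
    for key, verdict in audit_properties(SAMPLE_PROPS).items():
        print(f"{key}: {verdict}")
    # The XOR form unmasks offline; an OS400 index cannot be resolved without
    # the validation list on the originating system.
    print(xor_decode("{xor}LDo8LTor"))
```

Running the audit over a real sas.client.props or soap.client.props copy shows at a glance which entries still need PropFilePasswordEncoder and which OS400 entries will break if the file is copied to another IBM i system; the decode step is there to make the page's point concrete that an XOR value offers no protection beyond the authority on the file itself.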
Subtopics
- (iSeries) Object and file security
This topic discusses the various objects and files that contain sensitive information and need to be protected.
- Secure passwords in files
- Enable the non-default OS/400 password encoding algorithm
- Manually encoding passwords in properties files
- Restore or replace damaged validation list objects
- Password decoding troubleshooting tips for security
- Change encoding algorithm from OS400 to XOR