Migrate Java thin clients that use the OS400 password encoding algorithm
The password encoding feature was first supported in WebSphere Application Server version 4.0. This feature offers two encoding algorithms, XOR (the default) and OS400. Your version 4.x Java thin client is enabled to decode passwords that were encoded with the OS400 password encoding algorithm, if the Java system property os400.security.password.validation.list.object is set on the Java client invocation.
Here is an example of a version 4.x Java thin client that is enabled to decode passwords that were encoded using the OS400 password encoding algorithm:
java -classpath $MY_CLIENT_CLASSES:$WAS_INSTALL_ROOT/lib/wsa400.jar:$WAS_CLASSPATH \
  $CLIENTSAS $JAVA_FLAGS \
  -Dos400.security.password.validation.list.object=/QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL \
  -Dos400.security.password.debug=false \
  -Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory \
  -Djava.naming.provider.url=iiop://server1:10151 \
  MyClientClass $*
In version 5.0 the value of the os400.security.password.validation.list.object property is WebSphere instance dependent and is passed to the thin client via the JAVA_FLAGS environment variable. The JAVA_FLAGS environment variable is set by the setupClient script (which is located in the /QIBM/ProdData/WebAS5/Base/bin directory). The setupClient script in turn calls the setupCmdLine script (which is located in the bin subdirectory of your instance), which is where the value for the os400.security.password.validation.list.object property is actually set. For example, if the Java client is passed -instance default, then setupClient calls /QIBM/UserData/WebAS5/base/default/bin/setupCmdLine.
To migrate Java thin clients that are enabled for OS400 password encoding, modify the Java client invocation so that the os400.security.password properties are no longer set on the invocation. For example:
java -classpath $MY_CLIENT_CLASSES:$WAS_INSTALL_ROOT/lib/wsa400.jar:$WAS_CLASSPATH \
  $CLIENTSAS $JAVA_FLAGS \
  -Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory \
  -Djava.naming.provider.url=iiop://server1:10151 \
  MyClientClass $*
However, if any instance that is supported by the Java client is configured to set os400.security.password.validation.list.object to a value other than what is used on the version 4.x Java client invocation, and if the passwords in the sas.client.props file for that instance are encoded with the OS400 password encoding algorithm, perform the following steps:
1. Replace all OS400 encoded passwords (those prefixed with {OS400}) in the sas.client.props file for the instance with the clear text values of the passwords.
2. Encode the passwords using the PropFilePasswordEncoder Qshell command. See Password encoding for details.
Note: An instance may be configured to encode passwords with the XOR algorithm, even though the instance is enabled to decode passwords that were encoded with either the OS400 algorithm or the XOR algorithm. If such is the case, then the result of this step is that passwords in the sas.client.props file are encoded with the XOR algorithm.
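The following pre-migration check is an added example, not IBM-supplied code: it lists the properties in a sas.client.props file that still carry the {OS400} prefix and reports whether a client launch script still sets os400.security.password properties. The sample file contents, the placeholder values and the runclient.sh script name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit helpers for the migration steps above.

# Print the name of every property whose value starts with {OS400},
# i.e. the entries that must be replaced and then re-encoded.
list_os400_props() {
    awk '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            sep = match(line, /[=:]/)          # first key/value separator
            if (sep == 0) next
            key = substr(line, 1, sep - 1)
            val = substr(line, sep + 1)
            sub(/[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val)
            if (index(val, "{OS400}") == 1) print key
        }
    ' "$1"
}

# Return 0 if the launch script still passes any os400.security.password.*
# system property on the java invocation, 1 otherwise.
has_os400_flags() {
    grep -q -e '-Dos400\.security\.password\.' "$1"
}

# Constructed sample input written into directory $1 (placeholder values only).
write_samples() {
    cat > "$1/sas.client.props" <<'EOF'
# constructed sample, values are placeholders
com.ibm.CORBA.loginUserid=clientuser
com.ibm.CORBA.loginPassword={OS400}PLACEHOLDER1
com.ibm.ssl.keyStorePassword = {OS400}PLACEHOLDER2
com.ibm.ssl.trustStorePassword={xor}PLACEHOLDER3
EOF
    printf '%s\n' 'java $CLIENTSAS $JAVA_FLAGS -Dos400.security.password.debug=false MyClientClass $*' > "$1/runclient.sh"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Properties still encoded with OS400:"
list_os400_props "$demo_dir/sas.client.props"
if has_os400_flags "$demo_dir/runclient.sh"; then
    echo "runclient.sh still sets os400.security.password properties"
fi
rm -rf "$demo_dir"
```

Because step 1 leaves clear text passwords in the file until step 2 completes, rerun the listing after encoding to confirm that no {OS400} entries remain.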