Protecting plain text passwords
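WebSphere Application Server (WAS) has several plain text passwords in its configuration files. These passwords are not encrypted, but are encoded. Encoding only hides a value from casual viewing and can be reversed by anyone who can read the file, so restrict file-system access to these files. The following is a list of files with encoded passwords...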
File name: Additional information

security.xml: The following fields contain encoded passwords...
- LTPA password
- JAAS Auth Data
- User Registry server password
- LDAP User Registry bind password
- Key file password
- Trust file password
- Crypto token device password

sas.client.props

war/WEB-INF/ibm_web_bnd.xml: Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

ejb jar/META-INF/ibm_ejbjar_bnd.xml: Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

client jar/META-INF/ibm-appclient_bnd.xml: Specify passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

ear/META-INF/ibm_application_bnd.xml: Specify passwords for the default basic authentication for the "run as" bindings within all descriptors

server.xml: The following fields contain encoded passwords...
- key file password
- trust file password
- crypto token device password
- auth target password
- Session persistence password
- DRS Client data replication password (not available in WebSphere Application Server, Version 5

resource.xml (for cells, servers, and nodes): The following fields contain encoded passwords...
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue mgr password

ws-security.xml
ibm-webservices-bnd.xmi
ibm-webservicesclient-bnd.xmi
/properties/soap.client.props
/properties/sas.tools.properties
/properties/sas.stdclient.properties
wsserver.key

To re-encode a password in one of the previous files, complete the following steps...
- Access the file using a text editor and type over the encoded password in plain text. The new password is shown in plain text and must be encoded.
- Use the PropFilePasswordEncoder.bat file in the $WAS_HOME/bin/ directory to re-encode the password.
  - If you are re-encoding sas properties files, type <file_name> -sas and the PropFilePasswordEncoder.bat file encodes the known sas properties.
  - If you are encoding files that are not sas properties files, type <file_name> -sas <password properties_list>
<file_name> is the name of the sas properties file. <password properties_list> is the name of the properties to encode within the file.
If you reopen the affected file or files, the passwords do not display in plain text. Instead, the passwords appear encoded.
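
The procedure above leaves a password readable in the file between the first step and the encoder run, so a skipped second step goes unnoticed. The following audit is an added example, not IBM's code: it reports password settings whose value is still plain text. It assumes encoded values carry the `{xor}` prefix (not shown on this page) and that password settings have names ending in "password"; the sample data is constructed.

```python
import re
import sys
from pathlib import Path
# Assumption, not stated on the page: encoded values start with "{xor}".
ENCODED_PREFIX = "{xor}"
# Assumption: password settings have a key or attribute name ending in "password".
PROP_RE = re.compile(r"^\s*([\w.\-]*password)\s*[=:]\s*(.*?)\s*$", re.I)
XML_ATTR_RE = re.compile(r"""([\w:.\-]*password)\s*=\s*(["'])(.*?)\2""", re.I)

def find_unencoded(text, is_xml):
    """Return [(line_no, name)] for non-empty password values that lack the prefix.
    The value itself is never returned, so reports are safe to log."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if is_xml:
            pairs = [(m.group(1), m.group(3)) for m in XML_ATTR_RE.finditer(line)]
        elif line.lstrip().startswith(("#", "!")):
            pairs = []  # properties-file comment line
        else:
            m = PROP_RE.match(line)
            pairs = [(m.group(1), m.group(2))] if m else []
        findings += [(no, name) for name, value in pairs
                     if value and not value.startswith(ENCODED_PREFIX)]
    return findings

def audit(paths):
    """Map each file path to its findings; files with no findings are omitted."""
    report = {}
    for p in map(Path, paths):
        is_xml = p.suffix.lower() in (".xml", ".xmi")
        hits = find_unencoded(p.read_text(errors="replace"), is_xml)
        if hits:
            report[str(p)] = hits
    return report

# Constructed samples (values and XML attribute names are made up for illustration).
SAMPLE_PROPS = """# sas.client.props style
com.ibm.CORBA.loginPassword={xor}EXAMPLEONLY=
com.ibm.ssl.keyStorePassword=typedOverInPlainText
com.ibm.ssl.trustStorePassword=
"""
SAMPLE_XML = """<registry bindPassword="typedOverInPlainText"/>
<keyFile password="{xor}EXAMPLEONLY=" trustFilePassword="alsoPlain"/>
"""

if __name__ == "__main__":
    for path, hits in audit(sys.argv[1:]).items():
        print(path, hits)
```

Run it with the configuration file paths as arguments after any password change; an empty result means every non-empty password value it recognised carries the encoded prefix.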