Disable custom password encryption

If custom password encryption fails or is no longer required, perform this task to disable custom password encryption.

 

Before you begin

Enable custom password encryption.

 

About this task

Complete the following steps to disable custom password encryption.

 

Procedure

  1. Change the com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled property to be false in the security.xml file, but leave the com.ibm.wsspi.security.crypto.customPasswordEncryptionClass property configured. Any passwords in the model that still have the {custom:alias} tag are decrypted by using the customer password encryption class.
  2. If an encryption key is lost, any passwords that are encrypted with that key cannot be retrieved. To recover a password, retype the password in the password field in plaintext and save the document. The new password must be written out using encoding with the {xor} tag with scripting or from the administrative console. 
    com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=
       com.acme.myPasswordEncryptionClass
com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false
  3. Restart all processes to make the changes effective.
  4. Edit each configuration document that contains an encrypted password and save the configuration. All password fields are then run through the WSEncoderDecoder utility, which calls the plug point in the presence of the {custom:alias} tag. The {xor} tags display in the configuration documents again after the documents are saved.
  5. Decrypt and encode any passwords that are in client-side property files using the PropsFilePasswordEncoder (.bat or .sh) utility. If the encryption class is specified, but custom encryption is disabled, running this utility converts the encryption to encoding and causes the {xor} tags to display again.
  6. Disable custom password encryption from the client Java virtual machines (JVMs) by adding the system properties listed previously to all client scripts. This action enables the code to decrypt passwords, but this action is not used to encrypt them again. The {xor} algorithm becomes the default for encoding. Leave the custom password encryption class defined for a time in case any encrypted passwords still exist in the configuration.

 

Results

Custom password encryption is disabled.

Related concepts
Plug point for custom password encryption
Related tasks
Enabling custom password encryption

 


 

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.