Password masking in External Security Manager property files

 


 

Overview

WebSphere Application Server (WAS) provides an encoding mechanism that masks passwords and removes all comments from the production versions of properties files.

Masking passwords is optional, and is only valid for the following scenarios:

  • Configuring IBM TAM for e-business to perform authorization
  • Configuring the Credential Vault adapter for Tivoli Access Manager
  • Configuring CA eTrust SiteMinder to perform authorization for WebSphere Portal

 

Masking Passwords in WAS

Use the WAS encoding mechanism to mask passwords and remove all comments from the production version of External Access Control Service. If you are using Tivoli Access Manager, you will have additional processing in Credential Vault Service.

  1. Complete all edits to the two Services.

  2. Save the edits.

  3. Run the encoding batch file...

    ...where filename is the name of the target properties file for password encoding, and property_name is the name of the specific property to be encoded. If no property name is specified, all properties in the file will be encoded.

The following three properties, found in External Access Control Service, are likely to contain secure information:

  • ExternalAccessControl.pdpw (policy director password)
  • ExternalAccessControl.password
  • ExternalAccessControl.Agentsecret

You should also secure the pdpw property, found in the Credential Vault Service.
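A post-encoding check, as an added example that is not part of the original page or of IBM's tooling: it scans a properties file's content for the sensitive properties listed above and reports any that still hold an unmasked value, plus any leftover comments, without printing the values. It assumes masked values start with WebSphere's `{xor}` tag and that the file uses plain `key=value` lines; the function name and the sample content are constructed for illustration.

```python
import re

# Property names from the page; a bare or dotted "pdpw" also covers the
# Credential Vault Service entry.
SENSITIVE = {
    "externalaccesscontrol.pdpw",
    "externalaccesscontrol.password",
    "externalaccesscontrol.agentsecret",
}
# Assumption: masked values carry the "{xor}" tag; adjust for your release.
MASK_PREFIXES = ("{xor}",)

# Constructed sample, not a real configuration.
SAMPLE = """\
# policy director settings
ExternalAccessControl.pdpw={xor}EXAMPLEONLY=
ExternalAccessControl.password=changeme
ExternalAccessControl.Agentsecret =
pdpw: cleartext-example
some.other.property=value
"""


def audit_properties(text):
    """Return (line_no, finding) tuples; values are never echoed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#!":
            # The encoder removes comments, so one here means it was not run.
            findings.append((no, "comment present"))
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        sensitive = key.lower() in SENSITIVE or key.lower().split(".")[-1] == "pdpw"
        # Empty values are fine: the backup copy keeps no password.
        if sensitive and value and not value.lower().startswith(MASK_PREFIXES):
            findings.append((no, f"unmasked value: {key}"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_properties(SAMPLE):
        print(f"line {no}: {finding}")
```

Because the mechanism encodes rather than encrypts, a clean report does not replace restrictive file permissions on the production file.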

 

Change masked passwords

To change a password that has been masked, do the following:

  1. Use the WAS encoding mechanism to enter the new password in clear text in the production version of External Access Control Service.

  2. Run the WAS encoding batch file on the new production file. The backup copy still exists with no password but with the comments preserved.

 
