
(iSeries)

Enable the non-default OS/400 password encoding algorithm

The purpose of password encoding is to deter casual observation of passwords in server configuration and property files.

Make sure all server profiles within the administration console reside on the same IBM i system.

By default, passwords are automatically encoded with a simple masking algorithm in various ASCII configuration files for WebSphere Application Server. We can manually encode passwords in properties files used by Java clients and by Application Server administrative commands.

For a description of the OS400 encoding algorithm, see Password encoding and encryption. To enable the OS400 password encoding algorithm for a WAS profile, complete these steps:


Tasks

  1. Set the os400.security.password properties to turn on the OS400 password encoding algorithm and to specify which validation list object to use.

    We can use the same validation list object for all WAS profiles. However, this is not recommended unless we back up the objects and data for all profiles at the same time. Consider the backup and restore policy when we decide which validation list object to use for each WAS profile.

    To set the properties, complete one of these steps:

    • Use the -os400passwords and -validationlist options for the manageprofiles -create utility, located in the app_server_root/bin directory, to set the properties when creating the profile. To create a WAS profile named prod, and to enable that profile for the OS400 encoding algorithm using the /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL validation list object, we can complete the following steps:

      1. Run the Start Qshell (STRQSH) command on the IBM i command line.
      2. In Qshell, run the following command (shown on multiple lines for illustration purposes only):
        app_server_root/bin/manageprofiles 
        -create -profileName prod -startingPort 10150 
        -templatePath default -os400passwords 
        -validationlist /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL

    • Set the Java system properties in the setupCmdLine Qshell script of the WAS profile. To enable the OS400 password encoding algorithm, edit the profile_root/bin/setupCmdLine script using the following steps:

      1. Set the os400.security.password.encoding.algorithm property to OS400. The default setting is XOR.

      2. Set the os400.security.password.validation.list.object property to the absolute name of the validation list to use. The default setting is /QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL.

      3. Save the file.

  2. Grant the QEJB user profile run authority (*X) to the library containing the validation list. If QEJB already has the minimum required authority (*X) to access the library, then proceed to the next step.

    1. Use the Display Authority (DSPAUT) command to check whether QEJB already has the minimum required authority. In this example the validation list is created in the /QSYS.LIB/WSADMIN.LIB library.

      For example:

      DSPAUT OBJ('/QSYS.LIB/WSADMIN.LIB')
      

    2. Use the Change Authority (CHGAUT) command to grant run authority to the QEJB profile only if the QEJB profile does not already have this authority.

      For example:

      CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB') USER(QEJB) DTAAUT(*X)
      

  3. Create a native validation list object (*VLDL). This step is optional for server profiles. The validation list object is created when the server is started. For remote profiles, create the validation list if the validation list does not already exist on the system that hosts the remote profile. Also, consider the backup and restore policy when we decide what validation list object to use with each remote profile.

    When we use the OS400 password encoding algorithm, the Java client is not required to reside on the same IBM i system as the WAS profile that the client accesses.

    To create a validation list object, perform the following steps with an IBM i user profile that has *ALLOBJ special authority:

    1. Sign on the server with a user profile that has the *ALLOBJ special authority.

    2. Use the Create Validation List (CRTVLDL) command to create the validation list object.

      For example, to create the WSVLIST validation list object in the WSADMIN.LIB library, use the following command:

      CRTVLDL VLDL(WSADMIN/WSVLIST)
      
    3. Grant the QEJB user profile *RWX authority to the validation list object. For example, to grant *RWX authority to the WSVLIST validation list object in the WSADMIN library, use the following command:
      CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL') USER(QEJB) DTAAUT(*RWX)
      

  4. Use the Change System Value (CHGSYSVAL) command to set the QRETSVRSEC (retain server security data) system value to 1. This system value controls whether the system retains the encrypted data that server applications store in validation lists; the OS400 algorithm depends on that data being retained. For example:
    CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')
    

  5. For a server profile, start or restart the server and wait until it is ready for service before attempting to manually encode passwords in properties files that belong to the profile.

We have enabled the OS400 password encoding algorithm.
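The following POSIX shell script is an added verification example for the procedure above; it is not part of the IBM page and not WebSphere's own tooling. After the OS400 algorithm is enabled and the server has been restarted, a practitioner wants to know which password values in a profile's properties files still carry the default XOR masking (which anyone who can read the file can reverse) and which have been re-encoded. The script assumes that password entries are key=value lines whose key contains "assword", and that an encoded value starts with the {xor} tag (default masking) or the {os400} tag (validation list algorithm); the two properties files it audits are constructed inline for the example and are not real profile files.

```shell
#!/bin/sh
# Added example for this page (not IBM's code): audit a profile's properties
# files for password values that still use the default {xor} masking after
# the OS400 algorithm has been enabled.
#
# Assumptions (labelled): password entries are key=value lines whose key
# contains "assword"; an encoded value begins with {xor} or {os400}.
# Anything else is reported as untagged (never encoded at all).

# audit_props FILE -> prints "xor=N os400=M untagged=P" for FILE
audit_props() {
    awk -F= '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) ~ /assword/ {               # key names a password
            v = $2; sub(/^[ \t]+/, "", v)       # trim blanks before the value
            if (index(v, "{xor}") == 1) xor++
            else if (index(v, "{os400}") == 1) os400++
            else untagged++
        }
        END { printf "xor=%d os400=%d untagged=%d\n", xor, os400, untagged }
    ' "$1"
}

# build_samples DIR -> writes two constructed sample files into DIR
build_samples() {
    dir=$1
    mkdir -p "$dir"
    # Constructed sample: a client file still using the default masking.
    # The encoded values are placeholders, not real encodings.
    cat > "$dir/sas.client.props" <<'EOF'
# constructed sample, not a real profile file
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword={xor}SAMPLEONLY==
com.ibm.ssl.keyStorePassword={xor}SAMPLEONLY==
EOF
    # Constructed sample: one value re-encoded with the OS400 algorithm and
    # one value that was never encoded at all.
    cat > "$dir/soap.client.props" <<'EOF'
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={os400}SAMPLEONLY
com.ibm.ssl.trustStorePassword=cleartext-sample
EOF
}

# audit_dir DIR -> prints one "file: xor=N os400=M untagged=P" line per *.props
audit_dir() {
    for f in "$1"/*.props; do
        printf '%s: %s\n' "$(basename "$f")" "$(audit_props "$f")"
    done
}

# Stand-alone run: build the samples in a temporary directory and audit them.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    demo_dir=$(mktemp -d)
    build_samples "$demo_dir"
    audit_dir "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run it against a real profile with `audit_dir profile_root/properties` after replacing the sample files with the profile's own properties directory; any line reporting a non-zero xor or untagged count names a file whose passwords still need the manual encoding step described under "What to do next".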


What to do next

After completing the previous steps and restarting the server, we can manually encode passwords in properties files. See Manually encoding passwords in properties files for more information.


Related:

  • Password encoding and encryption
  • Manually encoding passwords in properties files
  • Restore or replace damaged validation list objects
  • Password decoding troubleshooting tips for security
  • Change encoding algorithm from OS400 to XOR