Encoding passwords in files

The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WAS configuration and property files.

WAS contains several encoded passwords in files that are not encrypted. WAS provides the PropFilePasswordEncoder utility, which we can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords contained within XML or XMI files.

Important: The PropFilePasswordEncoder only updates existing property and XML files. If subsequent files are added, such as can occur after installing a new application, this procedure should be rerun for those new files.

Configuration files

Each entry lists the file name, the fields that hold encoded passwords, and the administrative console navigation for changing them.

File: profile_root/config/cells/cell/security.xml
Fields with encoded passwords:
  • LTPA password
  • JAAS authentication data
  • User registry server password
  • Keystore password
  • Truststore password
  • Cryptographic token device password
Navigation: Security > Global security > Apply.

File: war/WEB-INF/ibm_web_bnd.xml
Fields with encoded passwords: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File: ejb jar/META-INF/ibm_ejbjar_bnd.xml
Fields with encoded passwords: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File: client jar/META-INF/ibm-appclient_bnd.xml
Fields with encoded passwords: Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture.

File: ear/META-INF/ibm_application_bnd.xml
Fields with encoded passwords: Passwords for the default basic authentication for the run-as bindings within all the descriptors.

File: profile_root/config/cells/cell/nodes/node/servers/server/security.xml
Fields with encoded passwords:
  • Keystore password
  • Truststore password
  • Cryptographic token device password
  • Session persistence password
  • DRS client data replication password

File: profile_root/config/cells/cell/nodes/node/servers/server/resources.xml
Fields with encoded passwords:
  • WAS40Datasource password
  • mailTransport password
  • mailStore password
  • MQQueue queue manager password

File: profile_root/config/cells/cell/ws-security.xml
Navigation: Servers > server types > WebSphere application servers > serverName > JAX-WS and JAX-RPC security runtime > Apply.

File: ibm-webservicesclient-bnd.xmi
This is a deployment descriptor included with JAX-RPC client applications.
Fields with encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Client security binding (under Web Services Security Properties) > Edit custom.

File: profile_root/config/cells/cell/PolicyTyper/WSSecurity/bindings.xml
Fields with encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Policy Sets > Default policy set bindings > Version 6.1 default policy set bindings > WS-Security > Custom properties > Apply.

File: profile_root/config/cells/cell/nodes/node/servers/server/server.xml
Fields with encoded passwords:
  • Database administrator password
Navigation: Servers > server types > WebSphere application servers > serverName > session management > distributed environment > database > OK.
If we are not using a database, choose: none.

File: profile_root/config/cells/cell/applications/appName/.../WSSecurity/bindings.xml
WSSecurity/bindings.xml is a JAX-WS WS-Security policy binding file. When it is located in the cell/applications path, it is part of an application-specific binding.
Fields with encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > service providers (or service clients) > resourceName > bindingName > WS-Security > Custom properties > Apply.

Files: profile_root/config/cells/cell/
  • ./Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Client sample V2/PolicyTypes/WSSecurity/bindings.xml
  • ./Provider sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Provider sample V2/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml Bearer Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml Bearer Provider sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml HoK Symmetric Client sample/PolicyTypes/WSSecurity/bindings.xml
  • ./Saml HoK Symmetric Provider sample/PolicyTypes/WSSecurity/bindings.xml
Fields with encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Policy Sets > General provider policy set bindings > bindingName > WS-Security > Custom properties > Apply.

Files: profile_root/config/cells/cell/sts
  • ./policy/TrustServiceSecurityDefault/PolicyTypes/WSSecurity/bindings.xml
  • ./policy/TrustServiceSymmetricDefault/PolicyTypes/WSSecurity/bindings.xml
Fields with encoded passwords:
  • Keystore passwords
  • Key passwords
  • Username token passwords
Navigation: Services > Trust service > Trust service attachments > bindingName > WS-Security > Custom properties > Apply.

Property files

Each entry lists the file name and the password properties it contains.

File: profile_root/properties/sas.client.props
Password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File: profile_root/properties/sas.tools.properties
Password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File: profile_root/properties/sas.stdclient.properties
Password properties:
  • com.ibm.ssl.keyStorePassword
  • com.ibm.ssl.trustStorePassword
  • com.ibm.CORBA.loginPassword

File: profile_root/properties/wsserver.key

File: profile_root/UDDIReg/scripts/UDDIUtilityTools.properties
Password properties:
  • trustStore.password

File: profile_root/config/cells/cell/sts/SAMLIssuerConfig.properties
Password properties:
  • KeystorePassword
  • KeyPasswords
  • TrustStorePassword

To encode a password again in one of the previous files, complete the following steps:


Tasks

  1. Open the file in a text editor and type the new password over the encoded one. The new password is now shown in clear text; it is no longer encoded and must be re-encoded.

  2. To encode the password again, use profile_root/bin/PropFilePasswordEncoder.sh

    If we are encoding files that are not SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list

    Important: When we use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. If a backup version is required, a backup file (.bak) is created that contains the clear text password. Examine the results and then delete this backup file, because it contains the unencrypted password. If we do not want to see this prompt, edit the PropFilePasswordEncoder utility and add one of the following Java system properties as a parameter: -Dcom.ibm.websphere.security.util.createBackup=true or -Dcom.ibm.websphere.security.util.createBackup=false

    A true value for the Java system property creates a backup file and a false value disables the backup file.

    where:

    "file_name" is the name of the properties file, and password_properties_list is the list of property names to encode within that file.

    Only the password should be encoded in this file using the PropFilePasswordEncoder tool.

    Use the PropFilePasswordEncoder utility to encode WAS password files only. The utility cannot encode passwords contained in XML files or other files that contain open and close tags. To change passwords in these files, use the administrative console or an assembly tool such as the Rational Application Developer.

If we reopen the affected files, the passwords are encoded. WAS does not provide a utility for decoding the passwords.


Example

The following example shows how to use the PropFilePasswordEncoder tool:

...where com.ibm.ssl.keyStorePassword and com.ibm.ssl.trustStorePassword are passwords to encode in the file.
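An added audit helper, not part of the WAS documentation, that checks one of the property files listed above for password properties still in clear text, prints the PropFilePasswordEncoder.sh command to re-encode them, and lists leftover .bak backups that hold the unencrypted password. It assumes encoded values carry the "{xor}" prefix written by the default encoder and that the property list is passed comma-separated; PROFILE_ROOT and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the WAS documentation). Assumptions: encoded values
# start with "{xor}"; PropFilePasswordEncoder.sh takes a comma-separated
# property list; the profile below is a constructed sample, not a real install.

# Print each property in PROPS whose value in FILE is set but not "{xor}"-prefixed.
plaintext_props() {
  file=$1; shift
  for prop in "$@"; do
    value=$(sed -n "s/^[[:space:]]*${prop}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
    case "$value" in
      '' | '{xor}'*) ;;            # unset/empty or already encoded
      *) printf '%s\n' "$prop" ;;
    esac
  done
}

# Build the re-encode command for FILE and the given property names.
encode_command() {
  file=$1; shift
  list=$(printf '%s,' "$@"); list=${list%,}
  printf '%s\n' "$PROFILE_ROOT/bin/PropFilePasswordEncoder.sh $file $list"
}

# Backups written by the encoder keep the clear-text password; they must be deleted.
leftover_backups() {
  find "$1" -type f -name '*.bak'
}

# Constructed sample profile: one encoded value (constructed, base64 of "CCCCCC"),
# one clear-text value, one empty value, and a stale backup file.
PROFILE_ROOT=$(mktemp -d)
mkdir -p "$PROFILE_ROOT/properties"
SAMPLE="$PROFILE_ROOT/properties/sas.client.props"
cat > "$SAMPLE" <<'EOF'
com.ibm.ssl.keyStorePassword={xor}Q0NDQ0ND
com.ibm.ssl.trustStorePassword=changeit
com.ibm.CORBA.loginPassword=
EOF
: > "$SAMPLE.bak"
# The three password properties this page lists for sas.client.props.
SAS_PROPS="com.ibm.ssl.keyStorePassword com.ibm.ssl.trustStorePassword com.ibm.CORBA.loginPassword"
TODO=$(plaintext_props "$SAMPLE" $SAS_PROPS)
if [ -n "$TODO" ]; then
  echo "Clear-text password properties in $SAMPLE: $TODO"
  echo "Re-encode with:"; encode_command "$SAMPLE" $TODO
fi
echo "Backups to delete:"; leftover_backups "$PROFILE_ROOT"
```

Run it once per property file after any change that rewrites a password, and again after installing applications that add new files.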


Subtopics

  • Secure passwords in files
  • Enable custom password encryption