Protecting plain text passwords


Overview

WebSphere Application Server keeps several passwords in its configuration and properties files. These passwords are encoded, not encrypted. The following files contain encoded passwords:

File name and additional information:

security.xml
    The following fields contain encoded passwords:
      • LTPA password
      • JAAS Auth Data
      • User Registry server password
      • LDAP User Registry bind password
      • Key file password
      • Trust file password
      • Crypto token device password

sas.client.props
    (no additional information)

war/WEB-INF/ibm_web_bnd.xml
    Specifies passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

ejb jar/META-INF/ibm_ejbjar_bnd.xml
    Specifies passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

client jar/META-INF/ibm-appclient_bnd.xml
    Specifies passwords for the default basic authentication for the "resource-ref" bindings within all descriptors (except in the Java cryptography architecture)

ear/META-INF/ibm_application_bnd.xml
    Specifies passwords for the default basic authentication for the "run as" bindings within all descriptors

server.xml
    The following fields contain encoded passwords:
      • key file password
      • trust file password
      • crypto token device password
      • auth target password
      • Session persistence password
      • DRS Client data replication password (not available in WebSphere Application Server, V5)

resource.xml (for cells, servers, and nodes)
    The following fields contain encoded passwords:
      • WAS40Datasource password
      • mailTransport password
      • mailStore password
      • MQQueue queue mgr password

ws-security.xml
    (no additional information)

ibm-webservices-bnd.xmi
    (no additional information)

ibm-webservicesclient-bnd.xmi
    (no additional information)

/properties/soap.client.props
    (no additional information)

/properties/sas.tools.properties
    (no additional information)

/properties/sas.stdclient.properties
    (no additional information)

wsserver.key
    (no additional information)


To re-encode a password in one of the previous files, complete the following steps:

  1. Open the file in a text editor and type over the encoded password in plain text. The new password is now shown in plain text and must be encoded.

  2. Use PropFilePasswordEncoder.bat or PropFilePasswordEncoder.sh in the install_dir/bin/ directory to re-encode the password.

    If you are re-encoding SAS properties files, type PropFilePasswordEncoder file_name -sas; the utility then encodes the known SAS properties.

    If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder file_name password_properties_list.

    file_name is the name of the z/SAS properties file. password_properties_list is the list of property names to encode within the file.

    Use the PropFilePasswordEncoder utility to encode WebSphere Application Server password files only. The utility cannot encode passwords contained in XML files or other files that contain open and close tags.
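As an added example (not IBM's code and not part of the original page), the following Python script performs the check an administrator wants after step 1: it parses a properties file, reports which password properties are still in plain text, and builds the PropFilePasswordEncoder command from step 2 that would re-encode them, using the -sas form for the three SAS properties files named on this page and the property-list form otherwise. It skips .xml and .xmi files because the utility cannot encode them. It assumes that an encoded value starts with the `{xor}` marker WebSphere uses (the page does not show the marker), that a password property is any key whose name contains "password", that the property list argument is comma-separated (the page does not state the separator), and the sample file content is constructed.

```python
"""Audit WebSphere properties files for password properties left in plain text.

Added example, not IBM code. Assumptions are marked in comments.
"""
import re

# WebSphere marks an encoded value with this prefix (known fact, not shown on the page).
ENCODED_PREFIX = "{xor}"
# Assumption: any key containing "password" holds a password.
PASSWORD_KEY = re.compile(r"password", re.IGNORECASE)
# The SAS properties files listed on the page; these use the "-sas" form.
SAS_PROPERTY_FILES = {"sas.client.props", "sas.tools.properties", "sas.stdclient.properties"}
# The utility cannot encode files with open/close tags (page caveat).
TAGGED_FILE_SUFFIXES = (".xml", ".xmi")

# Constructed sample resembling sas.client.props after someone typed a plain-text
# password over the encoded CORBA login password (step 1 of the procedure).
# Key names and values are constructed for this example.
SAMPLE_SAS_CLIENT_PROPS = """\
# constructed sample, not a real installation file
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword=changeit
com.ibm.ssl.keyStore=etc/key.p12
com.ibm.ssl.keyStorePassword={xor}PDc+MTg6Njk=
com.ibm.ssl.trustStorePassword=
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_plaintext_passwords(props):
    """Return the names of password properties whose value is set but not encoded."""
    return sorted(
        key for key, value in props.items()
        if PASSWORD_KEY.search(key) and value and not value.startswith(ENCODED_PREFIX)
    )


def encoder_command(file_name, property_names):
    """Build the PropFilePasswordEncoder invocation described in step 2.

    SAS files use the -sas form; other files take a comma-separated property list
    (comma separator is an assumption; the page does not state it).
    """
    if file_name in SAS_PROPERTY_FILES:
        return f"PropFilePasswordEncoder {file_name} -sas"
    return f"PropFilePasswordEncoder {file_name} {','.join(property_names)}"


def audit_file(file_name, text):
    """Audit one file: skip tagged files, otherwise list plain-text passwords and the fix."""
    if file_name.endswith(TAGGED_FILE_SUFFIXES):
        return {"file": file_name, "skipped": True, "plaintext": [], "command": None}
    plaintext = find_plaintext_passwords(parse_properties(text))
    command = encoder_command(file_name, plaintext) if plaintext else None
    return {"file": file_name, "skipped": False, "plaintext": plaintext, "command": command}


if __name__ == "__main__":
    report = audit_file("sas.client.props", SAMPLE_SAS_CLIENT_PROPS)
    for name in report["plaintext"]:
        print(f"{report['file']}: {name} is in plain text")
    if report["command"]:
        print("re-encode with:", report["command"])
```

Run over a real installation by reading each properties file from install_dir and passing its contents to audit_file; a non-empty "plaintext" list means step 2 has not yet been applied to that file.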


Results

If you reopen the affected file or files, the passwords do not display in plain text. Instead, the passwords appear encoded. WebSphere Application Server does not provide a utility for decoding the passwords.