Network Deployment (Distributed operating systems), v8.0 > Tune performance > Tune security > Tune, hardening, and maintaining security configurations > Secure passwords in files
Encode passwords in files
The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WAS does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WAS configuration and property files. WAS contains several encoded passwords in files that are not encrypted. WAS provides the PropFilePasswordEncoder utility, which you can use to encode passwords. The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. The PropFilePasswordEncoder utility does not encode passwords that are contained within XML or XMI files.
XML and XMI files that contain encoded passwords. Instead, WAS automatically encodes the passwords in these files. XML and XMI files that contain encoded passwords include the following:
File name Additional information The following fields contain encoded passwords:
- LTPA password
- JAAS authentication data
- User registry server password
- LDAP user registry bind password
- Keystore password
- Truststore password
- Cryptographic token device password
Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture Passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture Passwords for the default basic authentication for the run as bindings within all the descriptors security.xml
The following fields contain encoded passwords:
- Keystore password
- Truststore password
- Cryptographic token device password
- Session persistence password
- DRS client data replication password
resources.xml
The following fields contain encoded passwords:
- WAS40Datasource password
- mailTransport password
- mailStore password
- MQQueue queue mgr password
To encode a password again in one of the previous files...
The PropFilePasswordEncoder utility - Partial File List. You use the PropFilePasswordEncoder utility to encode the passwords in properties files. These files include:
File name Additional information Passwords for the following files:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
- com.ibm.CORBA.loginPassword
Specifies passwords for:
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStorePassword
Specifies passwords for:
- trustStore.password
Procedure
- Access the file using a text editor and type over the encoded password. The new password is shown is no longer encoded and must be re-encoded.
- Use the PropFilePasswordEncoder.bat or the PropFilePasswordEncode.sh file in the $PROFILE_ROOT/bin directory to encode the password again.
If you are encoding files that are not SAS properties files, type PropFilePasswordEncoder "file_name" password_properties_list
When you use the PropFilePasswordEncoder utility, a prompt asks whether a backup version of the original file is required. If a backup version is required, a backup file (.bak), is created with the clear text password. Examine the results and then delete this backup file. It contains the unencrypted password. If you do not want to see this prompt, edit the PropFilePasswordEncoder utility and add the following Java system property as a parameter: -Dcom.ibm.websphere.security.util.createBackup=true or -Dcom.ibm.websphere.security.util.createBackup=false
A true value for the Java system property creates a backup file and a false value disables the backup file.
where:
"file_name" is the name of the z/SAS properties file, and password_properties_list is the name of the properties to encode within the file.
Only the password should be encoded in this file using the PropFilePasswordEncoder tool.
Use the PropFilePasswordEncoder utility to encode WAS password files only. The utility cannot encode passwords that are contained in XML files or other files that contain open and close tags.
To change passwords in these files, use the admin console or an assembly tool such as the Rational Application Developer.
Results
If you reopen the affected files, the passwords are encoded. WAS does not provide a utility for decoding the passwords.
Example
The following example shows how to use the PropFilePasswordEncoder tool:
PropFilePasswordEncoder C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties \sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePasswordwhere:
PropFilePasswordEncoder is the name of the utility that you are running from the PROFILE_ROOT/profiles/profile_name/bin directory.
C:\WASV6\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.
com.ibm.ssl.keyStorePassword is a password to encode in the file.
com.ibm.ssl.trustStorePassword is a second password to encode in the file.
Related
PropFilePasswordEncoder command reference
Secure passwords in files