Encoding passwords in files
The purpose of password encoding is to deter casual observation of passwords in server configuration and property files. Use the PropFilePasswordEncoder utility to encode passwords stored in properties files. WebSphere® Application Server does not provide a utility for decoding the passwords. Encoding is not sufficient to fully protect passwords. Native security is the primary mechanism for protecting passwords used in WebSphere Application Server configuration and property files.
About this task
File name | Additional information | Navigation |
---|---|---|
profile_root/config/cells/cell_name/security.xml | The following fields contain encoded passwords: | security > Global security > Apply. |
war/WEB-INF/ibm_web_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java™ cryptography architecture | |
ejb jar/META-INF/ibm_ejbjar_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture | |
client jar/META-INF/ibm-appclient_bnd.xml | Specifies the passwords for the default basic authentication for the resource-ref bindings within all the descriptors, except in the Java cryptography architecture | |
ear/META-INF/ibm_application_bnd.xml | Specifies the passwords for the default basic authentication for the run as bindings within all the descriptors | |
profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/security.xml | The following fields contain encoded passwords: | |
profile_root/config/cells/cell_name/nodes/node_name/servers/security.xml | The following fields contain encoded passwords: | |
profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/resources.xml | The following fields contain encoded passwords: | |
profile_root/config/cells/cell_name/nodes/node_name/servers/server1/resources.xml | The following fields contain encoded passwords: | |
profile_root/config/cells/cell_name/ws-security.xml | | servers > server types > websphere application servers > serverName > JAX-WS and JAX-RPC security runtime > Apply. |
ibm-webservices-bnd.xmi | This is a deployment descriptor included with JAX-RPC provider applications. The following fields contain encoded passwords: | Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Server security binding (under Web Services Security Properties) > Edit custom. |
ibm-webservicesclient-bnd.xmi | This is a deployment descriptor included with JAX-RPC client applications. The following fields contain encoded passwords: | Applications > Enterprise Applications > application name > Manage Modules > module name > Web services: Client security binding (under Web Services Security Properties) > Edit custom. |
profile_root/config/cells/cell_name/bindings/PolicyTyper/WSSecurity/bindings.xml | The following fields contain encoded passwords: | Services > Policy Sets > Default policy set bindings > Version 6.1 default policy set bindings > WS-Security > Custom properties > Apply. |
profile_root/config/cells/cell_name/nodes/node_name/servers/server_name/server.xml | The following fields contain encoded passwords: | servers > server types > websphere application servers > serverName > session management > distributed environment > database > OK. Note: If you are not using a database, choose: none. |
profile_root/config/cells/cell_name/applications/(appName/.../WSSecurity/bindings.xml | WSSecurity/bindings.xml is a JAX-WS WS-Security policy binding file. When it is located in the cell_name/applications path, it is part of an application specific binding. The following fields contain encoded passwords: | Services > service providers or > service clients > resourceName > bindingName > WS-Security > Custom properties > Apply. |
profile_root/config/cells/cell_name/bindings/ | The following fields contain encoded passwords: | Services > Policy Sets > General provider policy set bindings > bindingName > WS-Security > Custom properties > Apply. |
profile_root/config/cells/cell_name/sts | The following fields contain encoded passwords: | Services > Trust service > Trust service attachments > bindingName > WS-Security > Custom properties > Apply. |
File name | Additional information |
---|---|
profile_root/properties/sas.client.props | Specifies the passwords for the following files: |
profile_root/properties/sas.tools.properties | Specifies passwords for: |
profile_root/properties/sas.stdclient.properties | Specifies passwords for: |
profile_root/properties/wsserver.key | |
profile_root/profiles/AppSrvXX/properties/sib.client.ssl.properties | Specifies passwords for: |
profile_root/UDDIReg/scripts/UDDIUtilityTools.properties | Specifies passwords for: |
profile_root/config/cells/cell_name/sts/SAMLIssuerConfig.properties | The following fields contain encoded passwords: |
Procedure
Results
- Use a System Authorization Facility (SAF) registry to remove the requirement for a user registry server password.
- Select SAF authorization and delegation so role-to-user binding passwords are removed.
- Use a RACF® keyring for all SSL repertoires, and trust and key file passwords are no longer required.
- Use native connectors, and configure sync-to-thread to possibly remove the need for Java Authentication and Authorization Service (JAAS) authentication data.
Example
PropFilePasswordEncoder C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword
where:
PropFilePasswordEncoder is the name of the utility that you are running from the profile_root/profiles/profile_name/bin directory.
C:\WASV8\WebSphere\AppServer\profiles\AppSrv\properties\sas.client.props is the name of the file that contains the passwords to encode.
com.ibm.ssl.keyStorePassword is a password to encode in the file.
com.ibm.ssl.trustStorePassword is a second password to encode in the file.
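After running the utility, a follow-up check can confirm that the named properties were actually encoded and that the file is still protected by operating-system permissions, which the page identifies as the primary protection. The script below is an added example, not IBM code; it assumes encoded values begin with an algorithm tag such as {xor} (a format this page does not show), and the sample file contents are constructed.

```python
import os
import re
import stat

# Assumption: encoded values start with an algorithm tag such as {xor};
# the page does not show the on-disk format.
ENCODED_TAG = re.compile(r"^\{[A-Za-z0-9:_-]+\}")
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")

# Constructed sample, not a real sas.client.props.
SAMPLE = """\
com.ibm.ssl.keyStore=C:/example/key.p12
com.ibm.ssl.keyStorePassword={xor}CONSTRUCTEDVALUE=
com.ibm.ssl.trustStorePassword=changeit
"""

def parse_properties(text):
    """Parse key=value or key:value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def audit_passwords(text, password_keys):
    """Map each key to 'encoded', 'plaintext', 'empty' or 'missing'."""
    props = parse_properties(text)
    report = {}
    for key in password_keys:
        value = props.get(key)
        if value is None:
            report[key] = "missing"
        elif not value:
            report[key] = "empty"
        else:
            report[key] = "encoded" if ENCODED_TAG.match(value) else "plaintext"
    return report

def readable_by_others(path):
    """True if POSIX mode bits let group or world read the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    keys = ["com.ibm.ssl.keyStorePassword", "com.ibm.ssl.trustStorePassword"]
    print(audit_passwords(SAMPLE, keys))
```

Any key reported as plaintext should be passed to PropFilePasswordEncoder, and a file that readable_by_others flags needs tighter permissions regardless of encoding.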