If custom password encryption fails or is no longer required,
perform this task to disable custom password encryption.
Before you begin
Enable custom password encryption.
About this task
Complete the following steps to disable custom password
encryption.
Procedure
- Change the com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled
property to be false in the security.xml file,
but leave the com.ibm.wsspi.security.crypto.customPasswordEncryptionClass
property configured. Any passwords in the model that still have the
{custom:alias} tag are decrypted by using the custom password
encryption class.
- If an encryption key is lost, any passwords that are encrypted
with that key cannot be retrieved. To recover a password, retype the
password in the password field in plaintext and save the document.
The new password must be written out using encoding with the {xor}
tag with scripting or from the administrative console.
  com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
  com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false
- Restart all processes to make the changes effective.
- Edit each configuration document that contains an encrypted
password and save the configuration. All password fields are then
run through the WSEncoderDecoder utility, which calls the plug
point in the presence of the {custom:alias} tag. The {xor}
tags display in the configuration documents again after the documents
are saved.
- Decrypt and encode any passwords that are in client-side
property files using the PropsFilePasswordEncoder (.bat or
.sh) utility. If the encryption class is specified, but custom encryption
is disabled, running this utility converts the encryption to encoding
and causes the {xor} tags to display again.
- Disable custom password encryption from the client Java™ virtual machines (JVMs) by adding the system
properties listed previously to all client scripts. With these properties
set, the code can still decrypt passwords, but it does not encrypt
them again. The {xor} algorithm becomes the default for encoding.
Leave the custom password encryption class defined for a time in case
any encrypted passwords still exist in the configuration.
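A check for the last step, as an added example that is not part of the original documentation: this Python script scans a configuration tree for values that still carry a {custom:alias} tag, so you can see whether any encrypted passwords still exist in the configuration. The function names, the file suffix list, and the sample tree (client.props, the XML attributes and all tagged values) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Password tags as the page writes them: {xor} or {custom:alias}.
TAG_RE = re.compile(r"\{(xor|custom:[^}\s]*)\}")

def audit(config_root, suffixes=(".xml", ".props", ".properties")):
    """Scan config_root and report which password tags are still in use.

    Returns {"xor": count, "custom": [(relative_file, line_no, alias), ...]}.
    Only locations and aliases are recorded, never the password values.
    """
    root = Path(config_root)
    report = {"xor": 0, "custom": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in TAG_RE.finditer(line):
                tag = match.group(1)
                if tag == "xor":
                    report["xor"] += 1
                else:
                    alias = tag.split(":", 1)[1]
                    rel = path.relative_to(root).as_posix()
                    report["custom"].append((rel, line_no, alias))
    return report

def build_sample():
    """Create a constructed config tree (file contents are made up)."""
    root = Path(tempfile.mkdtemp(prefix="was-audit-"))
    (root / "security.xml").write_text("\n".join([
        "<security>",
        '  <registry bindPassword="{xor}CONSTRUCTED1"/>',
        '  <keystore password="{custom:alias1}CONSTRUCTED2"/>',
        "</security>",
    ]), encoding="utf-8")
    (root / "client.props").write_text(
        "loginPassword={xor}CONSTRUCTED3\n", encoding="utf-8")
    return root

if __name__ == "__main__":
    result = audit(build_sample())
    print("xor-encoded values:", result["xor"])
    for rel, line_no, alias in result["custom"]:
        print(f"still custom-encrypted: {rel}:{line_no} alias={alias}")
```

An empty "custom" list means no scanned document still depends on the custom password encryption class.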
Results
Custom password encryption is disabled.