If custom password encryption fails or is no longer required, perform this task to disable custom password encryption.
Before you begin
Enable custom password encryption.
About this task
Complete the following steps to disable custom password encryption.
Procedure
- Change the com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled property to false in the security.xml file, but leave the com.ibm.wsspi.security.crypto.customPasswordEncryptionClass property configured. Any passwords in the model that still have the {custom:alias} tag are decrypted by using the custom password encryption class.
- If an encryption key is lost, any passwords that are encrypted with that key cannot be retrieved. To recover a password, retype the password in the password field in plaintext and save the document. The new password must be written out using encoding with the {xor} tag, either with scripting or from the administrative console.
  com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
  com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false
- Restart all processes to make the changes effective.
- Edit each configuration document that contains an encrypted password and save the configuration. All password fields are then run through the WSEncoderDecoder utility, which calls the plug point in the presence of the {custom:alias} tag. The {xor} tags display in the configuration documents again after the documents are saved.
- Decrypt and encode any passwords that are in client-side property files using the PropsFilePasswordEncoder (.bat or .sh) utility. If the encryption class is specified, but custom encryption is disabled, running this utility converts the encryption to encoding and causes the {xor} tags to display again.
- Disable custom password encryption from the client Java™ virtual machines (JVMs) by adding the system properties listed previously to all client scripts. This action enables the code to decrypt passwords, but it is not used to encrypt them again. The {xor} algorithm becomes the default for encoding. Leave the custom password encryption class defined for a time in case any encrypted passwords still exist in the configuration.
Results
Custom password encryption is disabled.
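The last step advises leaving the custom password encryption class defined while encrypted passwords may still exist in the configuration. The following added example, which is not part of the original documentation or the product's own tooling, scans a configuration tree for the {custom:alias} and {xor} tags and reports which files still hold custom-encrypted values. The scanned file extensions and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Tags as written on this page: {custom:alias} marks a custom-encrypted value,
# {xor} marks a value encoded with the default algorithm.
TAG_RE = re.compile(r"\{(custom:[^}\s]+|xor)\}")
SCAN_EXTENSIONS = (".xml", ".props", ".properties")  # assumption: files worth scanning


def scan_tree(root):
    """Map each file under root to (line_number, tag) hits; password text is never kept."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(folder, name)
            with open(full, encoding="utf-8", errors="replace") as handle:
                hits = [(n, m.group(1)) for n, line in enumerate(handle, start=1)
                        for m in TAG_RE.finditer(line)]
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def remaining_custom(report):
    """Return {file: count} for values that still need the custom class."""
    counts = {path: sum(tag.startswith("custom:") for _n, tag in hits)
              for path, hits in report.items()}
    return {path: count for path, count in counts.items() if count}


def demo():
    """Scan a constructed two-file tree (sample content, not real configuration)."""
    samples = {
        "security.xml": '<entry password="{custom:mykey}AAAA"/>\n'
                        '<entry password="{xor}BBBB"/>\n',
        "client.props": "sample.password={xor}CCCC\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(text)
        return remaining_custom(scan_tree(root))


if __name__ == "__main__":
    print(demo())  # files listed here still hold {custom:...} passwords
```

An empty result from `remaining_custom` for the real configuration root means no value carries a {custom:alias} tag any longer.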