The purpose of password encoding is to deter casual observation
of passwords in server configuration and property files.
Before you begin
Make sure all server profiles within the administration console
reside on the same IBM® i system.
About this task
By default, passwords are automatically encoded with a simple
masking algorithm in various ASCII configuration files for WebSphere® Application Server. You can manually
encode passwords in properties files that are used by Java™ clients and by Application Server administrative
commands.For a description of the OS400 encoding algorithm, see Password encoding and encryption. To enable the OS400
password encoding algorithm for a WebSphere Application
Server profile, complete these steps:
Procedure
- Set the os400.security.password properties to turn on the
OS400 password encoding algorithm and to specify which the validation
list object to use.
Use the same validation list object
for all WebSphere Application Server profiles.
However, it is not recommended if you do not back up the objects and
data for all profiles simultaneously. Consider your backup and restore
policy when you decide what validation list object to use for each WebSphere Application Server profile.
To
set the properties, complete one of these steps:
- Use the -os400passwords and -validationlist options
for the manageprofiles -create utility, which is located in the app_server_root/bin directory,
to set the properties when creating the profile. To create a WebSphere Application Server profile named
prod, and to enable that profile for the OS400 encoding algorithm
using the /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL validation list
object, you can complete the following steps:
- Run the Start Qshell (STRQSH) command on the IBM i
command line.
- In Qshell, run the following command:
app_server_root/bin/manageprofiles
-create -profileName prod -startingPort 10150
-templatePath default -os400passwords
-validationlist /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL
The previous
command is on multiple lines for illustration purposes only.
- Set the Java system properties in the setupCmdLine Qshell
script of the WebSphere Application Server profile. To
enable the OS400 password encoding algorithm, edit the profile_root/bin/setupCmdLine script
using the following steps:
- Set the os400.security.password.encoding.algorithm property to OS400.
The default setting is XOR.
- Set the os400.security.password.validation.list.object property
to the absolute name of the validation list that you need to use.
The default setting is /QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL.
- Save the file.
- Grant the QEJB user profile run authority (*X) to the library
that contains the validation list.
If QEJB already has
the minimum required authority (*X) to access the library, then proceed
to the next step.
- Use the Display Authority (DSPAUT) to check for the
minimum required authority if the validation list is created in the /QSYS.LIB/WSADMIN.LIB file.
For example:
DSPAUT OBJ('/QSYS.LIB/WSADMIN.LIB')
- Use the Change Authority (CHGAUT) command to grant run
authority to the QEJB profile only if the QEJB profile does not already
have this authority.
For example:
CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB') USER(QEJB) DTAAUT(*X)
- Create a native validation list object (*VLDL).
This
step is optional for server profiles. The validation list object is
created when the server is started. For remote profiles, create the
validation list if the validation list does not already exist on the
system that hosts the remote profile. Also, consider your backup and
restore policy when you decide what validation list object to use
with each remote profile.
Attention: When you use the OS400
password encoding algorithm, the Java client
is not required to reside on the same IBM i
system as the WebSphere Application Server profile that
the client accesses.
To create a validation list object,
perform the following steps with an IBM i
user profile that has *ALLOBJ special authority:
- Sign on the server with a user profile that has the
*ALLOBJ special authority.
- Use the Create Validation List (CRTVLDL) command
to create the validation list object.
For example, to
create the WSVLIST validation list object in the WSADMIN.LIB library,
use the following command:
CRTVLDL VLDL(WSADMIN/WSVLIST)
- Grant the QEJB user profile *RWX authority to the validation
list object.
For example, to grant *RWX authority to the
WSVLIST validation list object in the WSADMIN library , use the following
command:
CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL') USER(QEJB) DTAAUT(*RWX)
- Use the Change System Value (CHGSYSVAL) command
to set the QRETSVRSEC system value to 1.
For example:
CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')
- For server profile, start or restart the server and wait
until the server is ready for service before attempting to manually
encode passwords in properties files that belong to the profile.
Results
You have enabled the OS400 password encoding algorithm.
What to do next
After completing the previous steps and restarting the server,
you can manually encode passwords in properties files. See Manually encoding passwords in properties files for more information.