Enabling the non-default OS/400® password encoding algorithm

The purpose of password encoding is to deter casual observation of passwords in server configuration and property files.

1. Set the os400.security.password properties to turn on the OS400 password encoding algorithm and to specify which the validation list object to use.

   Use the same validation list object for all WebSphere Application Server profiles. However, it is not recommended if you do not back up the objects and data for all profiles simultaneously. Consider your backup and restore policy when you decide what validation list object to use for each WebSphere Application Server profile.

   To set the properties, complete one of these steps:

   • Use the -os400passwords and -validationlist options for the manageprofiles -create utility, which is located in the app_server_root/bin directory, to set the properties when creating the profile. To create a WebSphere Application Server profile named prod, and to enable that profile for the OS400 encoding algorithm using the /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL validation list object, you can complete the following steps:
     1. Run the Start Qshell (STRQSH) command on the IBM i command line.
     2. In Qshell, run the following command:

        app_server_root/bin/manageprofiles 
        -create -profileName prod -startingPort 10150 
        -templatePath default -os400passwords 
        -validationlist /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL

        The previous command is on multiple lines for illustration purposes only.

   • Set the Java system properties in the setupCmdLine Qshell script of the WebSphere Application Server profile. To enable the OS400 password encoding algorithm, edit the profile_root/bin/setupCmdLine script using the following steps:
     1. Set the os400.security.password.encoding.algorithm property to OS400. The default setting is XOR.
     2. Set the os400.security.password.validation.list.object property to the absolute name of the validation list that you need to use. The default setting is /QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL.
     3. Save the file.
2. Grant the QEJB user profile run authority (*X) to the library that contains the validation list.
   If QEJB already has the minimum required authority (*X) to access the library, then proceed to the next step.
   1. Use the Display Authority (DSPAUT) to check for the minimum required authority if the validation list is created in the /QSYS.LIB/WSADMIN.LIB file.
      For example:

      DSPAUT OBJ('/QSYS.LIB/WSADMIN.LIB')

   2. Use the Change Authority (CHGAUT) command to grant run authority to the QEJB profile only if the QEJB profile does not already have this authority.
      For example:

      CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB') USER(QEJB) DTAAUT(*X)

3. Create a native validation list object (*VLDL).
   This step is optional for server profiles. The validation list object is created when the server is started. For remote profiles, create the validation list if the validation list does not already exist on the system that hosts the remote profile. Also, consider your backup and restore policy when you decide what validation list object to use with each remote profile.

   Attention: When you use the OS400 password encoding algorithm, the Java client is not required to reside on the same IBM i system as the WebSphere Application Server profile that the client accesses.

   To create a validation list object, perform the following steps with an IBM i user profile that has *ALLOBJ special authority:

   1. Sign on the server with a user profile that has the *ALLOBJ special authority.
   2. Use the Create Validation List (CRTVLDL) command to create the validation list object.
      For example, to create the WSVLIST validation list object in the WSADMIN.LIB library, use the following command:

      CRTVLDL VLDL(WSADMIN/WSVLIST)

   3. Grant the QEJB user profile *RWX authority to the validation list object.
      For example, to grant *RWX authority to the WSVLIST validation list object in the WSADMIN library , use the following command:

      CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL') USER(QEJB) DTAAUT(*RWX)

4. Use the Change System Value (CHGSYSVAL) command to set the QRETSVRSEC system value to 1.
   For example:

   CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')

5. For server profile, start or restart the server and wait until the server is ready for service before attempting to manually encode passwords in properties files that belong to the profile.