You need to protect passwords that are contained in your WebSphere® Application Server configuration.
After creating your server profile, you can add protection by creating
a custom class for encrypting the passwords.
About this task
Complete the following steps to enable custom password encryption. For a list of files in
an application server profile that contain passwords that should be encrypted and their navigation
paths, see Encoding passwords in files.
Procedure
- Add the following system properties for every server and
client process. For server processes, update the server.xml file
for each process. Add these properties as a genericJvmArgument argument
preceded by a -D prefix.
com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=
com.acme.myPasswordEncryptionClass
com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
Important: Regarding the wsadmin client, if you use wsadmin in connected mode, this
property must be set in the deployment manager or server connected by using
AdminTask.setJVMSystemProperties
command or through the console. If you use wsadmin
in local mode (
conntype=NONE), you can set the property with a
javaoption
command option, as shown
here:
wsadmin -conntype none -lang jython -javaoption
-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=<encryptionClassToUse>
Tip: If the custom encryption class name is com.ibm.wsspi.security.crypto.CustomPasswordEncryptionImpl,
it is automatically enabled when this class is present in the classpath.
Do not define the system properties that are listed previously when
the custom implementation has this package and class name. To disable
encryption for this class, you must specify com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=false as
a system property.
- Choose one of the following methods to configure the WebSphere Application Server runtime to load
the custom encryption implementation class:
- Restart all server processes.
- Edit each configuration document that contains a password
and save the configuration.
All password fields are then
run through the WSEncoderDecoder utility, which calls the plug
point when it is enabled. The {custom:alias} tags are displayed
in the configuration documents. The passwords, even though they
are encrypted, are still Base64-encoded. They seem similar to encoded
passwords, except for the tags different.
- Encrypt any passwords that are in client-side property
files by using the PropsFilePasswordEncoder (.bat or .sh) utility.
This utility requires that the properties listed previously are defined as system properties
in the script to encrypt new passwords instead of encoding them. You will need to edit the script to
add the properties to the java command line. For
instance:
%JAVA_EXE% -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=mysample.MySampleEncryption
-Dcmd.properties.file=%TMPJAVAPROPFILE%
"-Dwas.install.root=%WAS_HOME%" com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.security.util.PropFilePasswordEncoder %*
For
the list of files that need to be run through the PropsFilePasswordEncoder, refer to table two in
Encoding passwords in files.
- To decrypt passwords from client Java virtual
machines (JVMs), add the properties listed previously as system properties
for each client utility.
- Ensure that all nodes have the custom encryption classes
in their class paths before enabling this function.
Results
Custom password encryption is enabled.
What to do next
If custom password encryption fails or is no longer required, see Disabling custom password encryption.