Enabling AES password encryption for the client environment

You can enable Advanced Encryption Standard (AES) password encryption so that your passwords are more secure in the properties files for the client environment.

Before you begin

  • For a list of files in an application server profile that contains navigation paths and passwords that can be encrypted, see the topic on encoding passwords in files.
  • Back up your properties files.

About this task

To enable AES password encryption for the client environment, first run the enablePasswordEncryption command for the AdminTask object to generate the files that are needed for encryption.

The generated files are the aesKey.jceks file and the passwordUtil.properties file. The key for AES encryption is stored in the aesKey.jceks file. Various parameters that are required for password encryption are stored in the passwordUtil.properties file. These files are stored in the directory that you specify when you run the enablePasswordEncryption command with the clientPropsLocation parameter.

After you enable AES password encryption, make the files available to the client environment and encrypt the passwords in the properties files.

Procedure

  1. Start the wsadmin scripting tool.
  2. Generate the properties file and the AES key file that are needed for AES encryption.

    Run the following command to generate the properties file and, if the AES key file was not generated by the aesKeystore parameter, the AES key file.

    $AdminTask enablePasswordEncryption {[-clientPropsLocation absolute_pathname]}
    Remember:
    • The command generates the passwordUtil.properties file and the default key file of aesKey.jceks in the location that you specify.
    • The command does not change any server-side configuration files.
    • If the location is outside of the ${CONFIG_ROOT} directory, you do not need to save the generated files.
    Avoid trouble: AES encryption requires that you use the same key for both encryption and decryption. Store the key file and the properties file in a safe place as a backup.
  3. Copy the generated files to a location that the client environment can access.

    You might, for example, put the generated files in the WAS_HOME/properties/ directory where other configuration files are located.

  4. Set the appropriate Java™ virtual machine (JVM) system property to the directory that contains the properties files so that the client environment can find them.
    Choose one of the following options. They both produce the same results.
    • Set the value of the com.ibm.websphere.crypto.passwordutil.ConfigPathURL JVM system, for example:
      
      -Dcom.ibm.websphere.crypto.passwordutil.ConfigPathURL=file:/usr/WAS/AppClient/properties
      The client environment can use the /user/WAS/AppClient/properties/passwordUtil.properties file.
    • Set the value of the user.install.root JVM system property and then append the properties directory.
      -Duser.install.root=/user/WAS/AppServer/profiles/SomeProfile
      The client environment can use the /user/WAS/AppServer/profiles/SomeProfile/properties/passwordUtil.properties file.

      This property is set for most of the product commands.

      Avoid trouble: The following commands encrypt or decrypt passwords. You must modify these commands to set the location of the configuration files so that they can do the encryption or decryption:
      • PropFilePasswordEncoder
      • ResponseFilePasswordEncoder
      • wve_encodePassword
      For example, begin with the following line. (The line is split on multiple lines for publishing purposes.)
      
      "${JAVA_EXE}" "-Djava.ext.dirs=$WAS_JAVA_EXT_DIRS" 
      "-Djava.endorsed.dirs=$WAS_ENDORSED_DIRS" "-Dwas.install.root=$WAS_HOME" 
      "-Dws.ext.dirs=$WAS_EXT_DIRS:$WAS_USER_DIRS" $JVM_EXTRA_CMD_ARGS -classpath 
      "$WAS_CLASSPATH" com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.security.util.PropFilePasswordEncoder "$@"
      Modify the example so that the result is as follows:
      
      "${JAVA_EXE}" "-Djava.ext.dirs=$WAS_JAVA_EXT_DIRS" 
      "-Djava.endorsed.dirs=$WAS_ENDORSED_DIRS" "-Dwas.install.root=$WAS_HOME" 
      "-Dws.ext.dirs=$WAS_EXT_DIRS:$WAS_USER_DIRS" $JVM_EXTRA_CMD_ARGS -classpath "$WAS_CLASSPATH" 
      -Dcom.ibm.websphere.crypto.passwordutil.ConfigPathURL=file:$USER_INSTALL_ROOT/properties com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.security.util.PropFilePasswordEncoder "$@"
  5. Encrypt the passwords in the properties file.
    Use commands to replace the existing password strings in the properties file. Refer to the description of the commands for detailed steps. The utilities that encrypt the passwords are as follows:
    • PropFilePasswordEncoder
    • ResponseFilePasswordEncoder
    • wve_encodePassword
    The encrypted password string starts with {aes:, for example:
    "{aes:host1cell2/1488975017938}EP86McwI5/EVZub3dNayL0YXNl1O28sapEimbPEiPZYIquMnLo9B3FCend+4paKUfQ==" 

Results

You have encrypted passwords for the client environment by using AES encryption.

What to do next

You can now use these encrypted passwords so that you have a more secure client environment. You can also read encrypted passwords or decrypt them.