Enabling AES password encryption for the server environment

You can enable Advanced Encryption Standard (AES) password encryption so that your passwords are more secure in your configuration files and properties files for the server environment. Currently, WebSphere® Application Server supports AES-128 and AES-256 encryption.

[9.0.5.24 or later] AES-256 encryption support is added.

Before you begin

Complete the following actions.

  • For a list of files in an application server profile that contains navigation paths and passwords that can be encrypted, see the topic on encoding passwords in files.
  • Back up your configuration files by using the backupConfig command.
  • Ensure that AES password encryption is not already enabled for the server environment. Otherwise, when you run the enablePasswordEncryption command, you receive a CWPKI0765E message, which indicates that the PasswordUtil.properties file already exists.

    If you receive this message, you have a few options. You can modify the password by running the modifyPasswordEncryption command. Alternatively, you can disable password encryption by running the disablePasswordEncryption command, and then enable password encryption by running the enablePasswordEncryption command.

Keep the following information in mind:
  • AES password encryption does not support the administrative agent and the nodes that the administrative agent manages.
Important: Do not enable AES-256 encryption if your deployment includes nodes running fix pack versions older than 9.0.5.24 / 8.5.5.28. These nodes cannot support AES-256 encryption.

About this task

To enable AES password encryption for the server environment, run the enablePasswordEncryption command for the AdminTask object, save the configuration changes, and then restart the server.

The key for AES encryption is stored in the aesKey.jceks file. Various parameters that require password encryption are stored in the passwordUtil.properties file. By default, these files are in the ${CONFIG_ROOT}/cells/cell_name directory.

Procedure

  1. Start the wsadmin scripting tool.
  2. Generate the properties file and the AES key file that are needed for AES encryption, and save the configuration.
    1. Generate the properties file and, unless you supplied an existing AES key file with the aesKeystore parameter, the AES key file.

      Run the following command:

      • Using Jacl:
        $AdminTask enablePasswordEncryption {-defaultAlgorithm aes-256}
      • Using Jython string:
        AdminTask.enablePasswordEncryption('[-defaultAlgorithm aes-256]')
    2. Save the files in the configuration that you created and modified.

      Run the following command:

      • Using Jacl:
        $AdminConfig save
      • Using Jython string:
        AdminConfig.save()

    Depending on the size and complexity of the configuration files in the node, this command can take a few minutes to complete.

    The command puts the generated files in the ${CONFIG_ROOT}/cells/cell_name directory and then encrypts all the known passwords in the files that are in this directory.

  3. Exit the wsadmin tool.
  4. Restart the server.
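After the restart, a practitioner usually wants to confirm that every known password under the cell directory was actually re-encrypted. The following script is an added example, not IBM's code: it walks a cell directory and reports password fields that are still {xor}-encoded, empty, or plaintext rather than {aes}-prefixed. It assumes the {xor} and {aes} value prefixes used by WebSphere and takes the cell directory path as its first argument; the sample XML fragment and its values are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: WebSphere marks encoded password values with a {xor} or {aes} prefix.
XML_PASSWORD = re.compile(r'\b(\w*password\w*)="([^"]*)"', re.IGNORECASE)
PROP_PASSWORD = re.compile(r'^\s*([\w.]*password[\w.]*)\s*=\s*(.*?)\s*$',
                           re.IGNORECASE | re.MULTILINE)

def classify(value):
    """Label a stored password value by its encoding prefix."""
    if value.startswith("{aes}"):
        return "aes"
    if value.startswith("{xor}"):
        return "xor"        # reversible obfuscation, not encryption
    if value == "":
        return "empty"
    return "plaintext"

def audit_text(text, kind):
    """Return (key, status) for every password field; kind is 'xml' or 'properties'."""
    pattern = XML_PASSWORD if kind == "xml" else PROP_PASSWORD
    return [(m.group(1), classify(m.group(2))) for m in pattern.finditer(text)]

def audit_tree(cell_dir):
    """Scan *.xml and *.properties under cell_dir; return fields not yet AES-encrypted."""
    findings = []
    for path in Path(cell_dir).rglob("*"):
        if path.suffix not in (".xml", ".properties"):
            continue
        kind = "xml" if path.suffix == ".xml" else "properties"
        text = path.read_text(encoding="utf-8", errors="replace")
        for key, status in audit_text(text, kind):
            if status != "aes":
                findings.append((str(path.relative_to(cell_dir)), key, status))
    return findings

# Constructed sample in the style of a security.xml fragment: one entry still
# XOR-encoded, one already AES-encrypted (both values are made up).
SAMPLE_XML = (
    '<authDataEntries alias="dbAlias" userId="dbuser" password="{xor}Lz4sLCgwLTs="/>\n'
    '<authDataEntries alias="ldapAlias" userId="bind" password="{aes}AAEC...constructed"/>\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        leftovers = audit_tree(sys.argv[1])
    else:   # no directory given: run against the constructed sample
        leftovers = [("sample", k, s) for k, s in audit_text(SAMPLE_XML, "xml") if s != "aes"]
    for where, key, status in leftovers:
        print(f"{where}: {key} is {status}, expected aes")
    sys.exit(1 if leftovers else 0)
```

A non-zero exit means at least one password field was not re-encrypted; the script only matches fields whose attribute or property name contains "password", so name/value property pairs need a separate check.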