[8.5.5.18 or later]

Enabling AES password encryption for the server environment

You can enable Advanced Encryption Standard (AES) password encryption so that your passwords are more secure in your configuration files and properties files for the server environment. Currently, WebSphere® Application Server supports AES-128 encryption.

Before you begin

Complete the following actions.

  • For a list of the files in an application server profile that contain navigation paths and passwords that can be encrypted, see the topic on encoding passwords in files.
  • Back up your configuration files by using the backupConfig command.
  • Before you enable AES password encryption for a cell, ensure that all nodes in the cell support AES password encryption.
  • Ensure that AES password encryption is not already enabled for the server environment. Otherwise, you receive a CWPKI0765E message, which indicates that the PasswordUtil.properties file exists, when you run the enablePasswordEncryption command.

    If you receive this message, you have a few options. You can modify the password by running the modifyPasswordEncryption command. Alternatively, you can disable password encryption by running the disablePasswordEncryption command, and then enable password encryption by running the enablePasswordEncryption command.

  • Before you attempt to incorporate a stand-alone application server into a cell, ensure that both AES password encryption is disabled and that the PasswordUtil.properties file is deleted for the stand-alone application server. Otherwise, the stand-alone application server cannot be incorporated. Additionally, you receive a CWPKI0765E message, which indicates that the PasswordUtil.properties file exists.

Keep the following information in mind:
  • AES password encryption does not support the administrative agent and the nodes that the administrative agent manages.
  • The remove node operation in the administrative console is unsupported after AES password encryption is enabled for the federated environment. To remove a node, use the removeNode command at the node.

About this task

To enable AES password encryption for the server environment, run the enablePasswordEncryption command for the AdminTask object, save the configuration changes, and then restart the server.

The key for AES encryption is stored in the aesKey.jceks file. Various parameters that require password encryption are stored in the passwordUtil.properties file. By default, these files are in the ${CONFIG_ROOT}/cells/cell_name directory.

Procedure

  1. Start the wsadmin scripting tool.
  2. Generate the properties file and the AES key file that are needed for AES encryption, and save the configuration.
    1. Generate the properties file and, if the AES key file was not already generated by using the aesKeystore parameter, the AES key file.

      Run the following command:

      $AdminTask enablePasswordEncryption
    2. Save the files in the configuration that you created and modified.

      Run the following command:

      $AdminConfig save

    Depending on the size and complexity of the configuration files in the node, this command can take a few minutes to complete.

    The command puts the generated files in the ${CONFIG_ROOT}/cells/cell_name directory and then encrypts all the known passwords in the files that are in this directory.

    Important: AES encryption requires the same key for encryption and decryption. Therefore, all nodes in the cell must use the same key. Ensure that the generated AES key file, aesKey.jceks, and the generated properties file, passwordUtil.properties, are in the default location of ${CONFIG_ROOT}/cells/cell_name even though the location can be changed. If the files are located outside of the default location, the product does not propagate the files to each node.
  3. Exit the wsadmin tool.
  4. Optional: If multi-node environments exist, synchronize the update to the nodes.
  5. Restart the server.
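The following wsadmin Jython script is an added example and is not part of this IBM topic or of the product's own scripts. It runs the procedure above end to end from a wsadmin session connected to the deployment manager: it calls enablePasswordEncryption with no parameters so that the generated files land in the default ${CONFIG_ROOT}/cells/cell_name location, stops cleanly if the CWPKI0765E condition (an existing PasswordUtil.properties file) is reported, saves the configuration, and then issues a sync request to every running node through the NodeSync MBeans. The file name enableAes.py and the invocation shown in the comment are assumptions; the restart in step 5 is left to the administrator.

```jython
# Added example (not from the IBM page or the product): enable AES password
# encryption for a cell from a wsadmin Jython script.
# Assumed invocation: wsadmin.sh -lang jython -f enableAes.py
import sys

def enable_aes_password_encryption():
    # Step 2a: generate PasswordUtil.properties and aesKey.jceks. No
    # location parameters are passed, so the files are created in the
    # default ${CONFIG_ROOT}/cells/cell_name directory, which is the only
    # location the product propagates to every node in the cell.
    try:
        AdminTask.enablePasswordEncryption()
    except:
        msg = str(sys.exc_info()[1])
        if msg.find('CWPKI0765E') >= 0:
            # PasswordUtil.properties already exists, so AES password
            # encryption is already enabled. Do not retry: either run
            # modifyPasswordEncryption, or disablePasswordEncryption
            # followed by a fresh enablePasswordEncryption.
            print 'AES password encryption is already enabled: ' + msg
            return 0
        raise

    # Step 2b: persist the generated files and the passwords that were
    # re-encrypted in the cell-level configuration files. This can take a
    # few minutes on a large configuration.
    AdminConfig.save()

    # Step 4 (multi-node cells): push the saved configuration, including
    # the shared aesKey.jceks, to each running node. Nodes that are
    # stopped have no NodeSync MBean and must be synchronized later.
    synced = 0
    for mbean in AdminControl.queryNames('type=NodeSync,*').splitlines():
        mbean = mbean.strip()
        if mbean:
            AdminControl.invoke(mbean, 'sync')
            synced = synced + 1
    return synced

count = enable_aes_password_encryption()
print 'Node sync requests issued: %d. Restart the servers to complete.' % count
```

The script deliberately uses only the enablePasswordEncryption and save calls that the procedure names; any node that was not running when the script ran should be synchronized separately before it is restarted, because a node whose aesKey.jceks differs from the cell's key cannot decrypt the passwords in the synchronized files.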