Password encoding and encryption
Password encoding deters the casual observation of passwords in server configuration and property files.
By default, passwords are automatically encoded with a simple masking algorithm in various WebSphere® Application Server ASCII configuration files. Additionally, you can manually encode passwords in properties files that are used by Java™ clients and by administrative commands for WebSphere Application Server.
Encoded passwords use the following syntax:

{algorithm}encoded_password

where {algorithm} is a tag that specifies the algorithm that is used to encode the password, and encoded_password is the encoded value of the password. When a server or client needs to decode a password, it uses the tag to determine which algorithm to use and then uses that algorithm to decode the encoded password.

Java clients use passwords from the sas.client.props file, which is in the profile_root/properties directory.
To use password encoding with Java clients, the passwords must be manually encoded in the sas.client.props file using the PropFilePasswordEncoder tool.
The administrative commands for WebSphere Application Server use passwords from the soap.client.props file, which is also located in the profile_root/properties directory, for SOAP connections. Some administrative commands optionally use passwords from the sas.client.props file in the profile_root/properties for Remote Method Invocation (RMI) connections. To use password encoding with administrative commands, you must manually encode the passwords in the soap.client.props and sas.client.props files using the PropFilePasswordEncoder tool.
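The tag-and-payload layout described above, with the reader choosing its decoder from the tag, as an added Python example. This is not IBM's PropFilePasswordEncoder or any WebSphere code: the XOR-against-a-repeating-key codec, the key "mask", and the property lines are constructed stand-ins for illustration. The audit function is the check an administrator would run over a sas.client.props or soap.client.props copy to find password properties that are still plaintext, that carry the XOR fallback tag, or that carry a tag the reader does not recognise.

```python
import base64
import re

# Tagged layout from the page: {algorithm}encoded_password
TAGGED = re.compile(r"^\{(?P<algorithm>[A-Za-z0-9_]+)\}(?P<payload>.*)$")


def split_tagged_password(value):
    """Return (algorithm, payload); algorithm is None when the value carries no tag."""
    m = TAGGED.match(value.strip())
    if m is None:
        return None, value
    return m.group("algorithm").lower(), m.group("payload")


# Illustrative masking codec. ASSUMPTION: XOR against a fixed repeating key,
# then base64, is a stand-in and not WebSphere's real encoding. It shows why a
# reversible mask only deters casual observation and is not encryption.
MASK_KEY = b"mask"  # constructed key for this example


def _xor_mask(data, key=MASK_KEY):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_xor(plain):
    """Produce a value in {xor}payload form."""
    masked = _xor_mask(plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def decode_xor(payload):
    return _xor_mask(base64.b64decode(payload)).decode("utf-8")


# Registry keyed by tag: the reader picks the decoder from the tag.
DECODERS = {"xor": decode_xor}


def decode_tagged(value):
    """Decode a tagged value; an untagged value is plaintext and is returned unchanged."""
    algorithm, payload = split_tagged_password(value)
    if algorithm is None:
        return value
    decoder = DECODERS.get(algorithm)
    if decoder is None:
        raise ValueError("unknown password encoding tag: {%s}" % algorithm)
    return decoder(payload)


def audit_properties(text):
    """Scan property lines and return (line_number, key, finding) tuples for
    password entries that are plaintext, use the XOR fallback tag, or carry a
    tag with no registered decoder."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if "password" not in key.lower():
            continue
        algorithm, _ = split_tagged_password(value)
        if algorithm is None:
            findings.append((lineno, key, "plaintext"))
        elif algorithm == "xor":
            findings.append((lineno, key, "xor (masking only)"))
        elif algorithm not in DECODERS:
            findings.append((lineno, key, "unknown tag {%s}" % algorithm))
    return findings


# Constructed sample lines, not a real sas.client.props or soap.client.props.
SAMPLE_PROPS = "\n".join([
    "# constructed sample",
    "com.ibm.CORBA.loginUserid=wasadmin",
    "com.ibm.CORBA.loginPassword=secret",
    "com.ibm.SOAP.loginPassword=" + encode_xor("secret"),
    "com.ibm.ssl.keyStorePassword={custom}AAAA",
])

if __name__ == "__main__":
    for lineno, key, finding in audit_properties(SAMPLE_PROPS):
        print("line %d: %s -> %s" % (lineno, key, finding))
```

Running the block lists line 3 as plaintext, line 4 as XOR masking only, and line 5 as an unrecognised tag; a property whose tag is unknown to the client is the case where the reader cannot decode the value at all, so the audit surfaces it rather than silently treating it as plaintext.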
Issues to consider when you use the password encoding algorithm
- You must set the QRETSVRSEC operating system value to 1 on the system that hosts the Java client application or WebSphere Application Server to use the password encoding algorithm. With this setting, WebSphere Application Server can retrieve the encrypted passwords from the validation list.
  Attention: The QRETSVRSEC system value affects access to the encrypted data in all of the validation lists on your operating system. Do not use the password encoding algorithm if this setting is not consistent with your security policy for your operating system.
- You can use the password encoding algorithm with server instances only when all of the server instances within the administrative domain for WebSphere Application Server reside on the same IBM® i system. Consider the following related issues:
  - Administrative domains for WebSphere Application Server can extend across multiple IBM i systems. You can use the password algorithm only when all of the servers within an administrative domain reside on the same IBM i system.
  - Server configuration XML files contain encoded passwords. If the passwords that are contained in the XML files are encoded using the encoding algorithm, those encodings are valid only for the Application Server profiles on the same IBM i system on which the passwords were originally encoded. Copies of configuration files that contain passwords that are encoded using the encoding algorithm cannot be used to configure servers on other IBM i systems.
  - All server instances within an administrative domain must be configured to use the same native validation list (*VLDL) object.
- If an error occurs while a password is encoded, the XOR encoding algorithm is used to encode the password. An error might occur if an administrator manually creates the validation list object and grants insufficient authority to the validation list object for the IBM i QEJB user profile.