Taking Notez – Island Pond Consulting

Notes from My Work with Salesforce and Cloud Technologies

Custom Encryption for WebSphere Application Server Configuration Files – Perplexed

Ever since version 6.0.2 (I think) WebSphere has supported a capacity to enhance the security of passwords that are stored in the configuration files. These passwords include, among other things, those used for various JAAS credentials. The configuration files most commonly subjected to greater security are server.xml and security.xml.

In addition there are other files, such as client.soap.props, that contain plain text or simply encoded passwords. It is with regard to files such as these that I have encountered an issue.

At this time I have successfully implemented a class to perform custom encryption of various passwords in server.xml and security.xml. I am attempting to configure PropFilePasswordEncoder.bat to perform custom encryption of the sas.client.props file.

The documentation is not precisely consistent with the state of the batch file. In the documentation found at: http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Ftsec_pwencrypt.html I am led to expect a line beginning with JAVA_HOME where I can add the arguments for loading my custom class. However, I find that the file is constructed somewhat differently. The line for JAVA_HOME is stated as a condition and a new variable, JAVA_EXE, is used to load the PropFilePasswordEncoder utility. Ergo I have inferred the following implementation:

%JAVA_EXE% -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.ibm.wsspi.security.crypto.CustomPasswordEncryptionImpl -Dcmd.properties.file=%TMPJAVAPROPFILE% "-Dwas.install.root=%WAS_HOME%" com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.security.util.PropFilePasswordEncoder %*
set RC=%ERRORLEVEL%

I execute the script with the outcome that passwords in soap.client.props are XOR encoded and not labeled {custom:XXX} where “XXX” is the name passed by my class.
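For readers who have not seen what the class behind the two -D switches looks like, here is an added example of a custom password encryption plug-in, written for this page and not the author's own class. It implements the com.ibm.wsspi.security.crypto.CustomPasswordEncryption interface (initialize, encrypt, decrypt) and returns an EncryptedInfo carrying the key alias that WebSphere writes into the {custom:ALIAS} tag; the interface, EncryptedInfo and the two exception classes are taken from IBM's plug-point documentation as I recall them, and the single-String exception constructors are an assumption. The key file property example.custom.keyfile and the alias example-aes-key-v1 are hypothetical values invented for the example. AES-GCM with a random IV prepended to the ciphertext replaces the default XOR encoding, which only obscures a password and gives no confidentiality against anyone who can read the file.

```java
package com.ibm.wsspi.security.crypto; // the default class name WebSphere looks for, as used in the -D switch above

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CustomPasswordEncryptionImpl implements CustomPasswordEncryption {

    // Alias WebSphere records as {custom:ALIAS} in front of the encoded bytes.
    // It identifies which key produced a value, so a later key rotation can be
    // recognised on decrypt. Constructed value for this example.
    private static final String KEY_ALIAS = "example-aes-key-v1";
    // Hypothetical system property naming a file that holds a raw 256-bit AES key
    // (assumption for this example; not a WebSphere property).
    private static final String KEY_FILE_PROPERTY = "example.custom.keyfile";
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private SecretKey key;
    private final SecureRandom random = new SecureRandom();

    @Override
    public void initialize(HashMap initialization_data) {
        // Called by the runtime after instantiation; the map is not needed here.
        String path = System.getProperty(KEY_FILE_PROPERTY);
        if (path == null) {
            throw new IllegalStateException("-D" + KEY_FILE_PROPERTY + " is not set");
        }
        try {
            byte[] raw = Files.readAllBytes(Paths.get(path));
            if (raw.length != 32) {
                throw new IllegalStateException("key file must contain exactly 32 bytes");
            }
            key = new SecretKeySpec(raw, "AES");
        } catch (IOException e) {
            throw new IllegalStateException("cannot read key file " + path, e);
        }
    }

    @Override
    public EncryptedInfo encrypt(byte[] decrypted_bytes) throws PasswordEncryptException {
        try {
            byte[] iv = new byte[IV_BYTES];
            random.nextBytes(iv); // fresh nonce per password; never reuse with the same key
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = cipher.doFinal(decrypted_bytes);
            // Stored layout: IV || ciphertext+tag. WebSphere base64-encodes these
            // bytes itself when it writes {custom:ALIAS}... into the file (assumption).
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return new EncryptedInfo(out, KEY_ALIAS);
        } catch (GeneralSecurityException e) {
            throw new PasswordEncryptException("encrypt failed: " + e.getMessage());
        }
    }

    @Override
    public byte[] decrypt(EncryptedInfo info) throws PasswordDecryptException {
        // Refuse values tagged with an alias this key does not own rather than
        // silently trying the wrong key.
        if (!KEY_ALIAS.equals(info.getKeyAlias())) {
            throw new PasswordDecryptException("unknown key alias: " + info.getKeyAlias());
        }
        byte[] in = info.getEncryptedBytes();
        if (in == null || in.length <= IV_BYTES) {
            throw new PasswordDecryptException("encrypted value too short");
        }
        try {
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, spec);
            // A modified ciphertext or tag fails here with AEADBadTagException.
            return cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        } catch (GeneralSecurityException e) {
            throw new PasswordDecryptException("decrypt failed: " + e.getMessage());
        }
    }
}
```

A practical check after running the encoder: a value that was actually handed to the custom class carries the {custom:ALIAS} prefix from getKeyAlias(), whereas an {xor} prefix, as in the outcome described above, shows the properties tool never invoked the class at all. The key file must be readable only by the account that runs WebSphere, since whoever can read it can recover every password the class has protected.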

The version of WAS is 7.0.0.11.

Written by David Wilkerson

November 1, 2012 at 8:36 am
