Encoding vs Encrypting
The security configuration of a WebSphere cell, including its sensitive
values, is stored in the
security.xml
document found under [$WAS_HOME]/profiles/[profile
name]/config/cells/[cell name]. In Windows this might equate to:
C:\IBM\Websphere\AppServer\profiles\Dmgr01\config\cells\cell01\security.xml
Linux/AIX would likely be something like:
/usr/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cell01/security.xml
This document contains the user name and password of the primary
administrative account for the WebSphere cell – in most cases that will
be the default account [wasadmin]. The password is, however, not
encrypted but merely encoded. Encryption would transform the password
with a secret key, and without that key you could not recover it (a
hash would be different again: one-way, and not meant to be reversed at
all). Encoding is a whole other deal – it involves no key. The
encoding/decoding scheme is built into WebSphere itself and is the same
for every install anywhere in the world. That means if you encode the
same password on any server, the resulting string will be exactly the
same, and anyone who can read that string can turn it back into the
password.
Now, this is not great security in and of itself and I will not go
into details on this – other than that it is really important to lock down
access to any WebSphere server you are in charge of, all the way down to
file rights on security.xml and the rest of the config directory, because
whoever can read that file has the admin password …. or you might regret
it at some later time.
How to Decode:
I am not the first blogger out there who is writing about this, but
nobody ever wrote it out for Windows servers so I am going to
concentrate on that OS right now, and most of the blog entries out there
are for older versions and the process has changed since. Here are some of
the articles that I have read over the last few years:
Robert Farstad,
Robert Maldon, and a few more . . . . google the content here and you will find them.
Here are some basic details:
- WebSphere Version: 7.0.0.21 (the process is the same for any V 7.x server)
- $WAS_HOME=C:\IBM\WebSphere\AppServer
Step 1: find the wasadmin information
Open
security.xml and find the entry for the encoded password: an XOR-encoded value always starts with {xor}, in my case it is:
userId="wasadmin" password="{xor}LDo8LTor"
Step 2: Find your WAS Version Specific Java Plug-in Folder:
In my case it was:
C:\IBM\WebSphere\AppServer\deploytool\itp\plugins\com.ibm.websphere.v7_7.0.2.v20110524_2321\
Step 3: Find your java home and open a command prompt
In my case this equates to
C:\IBM\WebSphere\AppServer\java\bin\
Change to this folder in the command prompt you opened.
Step 4: Run the Password Encoder/Decoder:
This is where you need the folder location and the encoded password you looked up in the previous steps.
In C:\IBM\WebSphere\AppServer\java\bin\ run the following command
java -Djava.ext.dirs=C:\IBM\WebSphere\AppServer\deploytool\itp\plugins\com.ibm.websphere.v7_7.0.2.v20110524_2321\wasJars\ -cp securityimpl.jar;iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
The above command is one long command string (it might wrap
depending on your screen). Note the -D in front of java.ext.dirs and the
; between the two jars: Windows separates classpath entries with ; while
Linux/AIX uses :. The command will produce the following output in the
command prompt:
encoded password == "{xor}LDo8LTor", decoded password == "secret"
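What the Java tool above is actually undoing, and why the encoded string is the same on every server as the first section explains, is easy to show without a WebSphere install. The {xor} scheme XORs every byte of the password with 0x5F (the '_' character) and base64-encodes the result; no key is involved. The following is an added example written for this post, not code from the original article or from IBM. The helper names, the regular expression, and the keyStores line in the sample XML are assumptions made for the example; only the wasadmin entry is taken from the text above.

```python
import base64
import re

# WebSphere's {xor} scheme: XOR every byte with 0x5F ('_'), then base64.
# There is no key, so the mapping is identical on every install.
XOR_KEY = 0x5F
PREFIX = "{xor}"


def xor_encode(plain: str) -> str:
    """Produce the string WebSphere writes into security.xml for `plain`.

    UTF-8 is assumed for non-ASCII passwords (an assumption of this example).
    """
    xored = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(xored).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode. Raises ValueError for anything not {xor}-encoded."""
    if not encoded.startswith(PREFIX):
        raise ValueError(f"not a {PREFIX} value: {encoded!r}")
    xored = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in xored).decode("utf-8")


# Any attribute whose value starts with {xor} is a candidate (password,
# serverPassword, keystore passwords, ...). The attribute name is captured
# so the report says which entry the value came from.
_ENCODED_ATTR = re.compile(r'(\w+)="(\{xor\}[A-Za-z0-9+/=]*)"')


def find_encoded_passwords(xml_text: str) -> list:
    """Return (attribute, encoded, decoded) for every {xor} value in the text."""
    return [(attr, enc, xor_decode(enc)) for attr, enc in _ENCODED_ATTR.findall(xml_text)]


# Constructed stand-in for a security.xml fragment. The wasadmin entry is
# the one from the post; the keyStores line is made up for this example.
SAMPLE_SECURITY_XML = """
<security:Security xmi:version="2.0">
  <authMechanisms xmi:type="security:LTPA" userId="wasadmin" password="{xor}LDo8LTor"/>
  <keyStores name="NodeDefaultKeyStore" password="{xor}CDo9Hgw="/>
</security:Security>
"""


if __name__ == "__main__":
    # Same report format as the IBM PasswordDecoder tool prints.
    for attr, enc, dec in find_encoded_passwords(SAMPLE_SECURITY_XML):
        print(f'{attr}: encoded password == "{enc}", decoded password == "{dec}"')
    # The scheme is deterministic: encoding "secret" anywhere gives {xor}LDo8LTor.
    print(xor_encode("secret"))
```

Running the script decodes the wasadmin entry to "secret", exactly as the Java tool does, and re-encoding "secret" yields {xor}LDo8LTor again. That determinism is the practical point: an attacker does not need to run anything on your server, only to read the file.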
The process for Linux/AIX is basically the same, however the folder
structure will be different. The commands are about the same – the
classpath separator becomes : instead of ; – but depending on which
version of Linux you are running the Java switches might need some
fiddling, though the base does not change.