So, into IBM WebSphere stuff?

Me too... or rather that is what I am working with. Mostly WebSphere Partner Gateway (WPG) and WebSphere Transformation Extender (WTX) but also some MQ of course and a little WebSphere Message Broker (WMB) from time to time.

This would serve as my repository for neat tricks and stuff I need to remember...


As horrible as it sounds, IBM does not really hash the passwords stored in, for example, Security.xml; they are only obfuscated with a reversible {xor} encoding.

Did you forget your keystore or DB password?

Don't sweat it, just copy the {xor} string and head over to:

http://www.sysman.nl/wasdecoder/

You can also decode it on the server, using the Java runtime that ships with the WAS installation:

/opt/ibm/AppServer/java/bin> ./java -cp ../../bin/ProfileManagement/plugins/com.ibm.websphere.v61_6.1.200/ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}CDo9Hgw=

Result:
encoded password == "{xor}CDo9Hgw=", decoded password == "WebAS"
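To show why this counts as obfuscation rather than hashing, here is the {xor} scheme written out in Python. This is an added example, not code from the original post or from IBM: each byte of the password is XORed with 0x5F (the ASCII underscore) and the result is base64-encoded, which is why the value can be turned back into "WebAS". The practical lesson for a defender is that any file holding a {xor} value must be protected exactly as if it held the clear-text password.

```python
import base64

# WebSphere's "{xor}" password encoding: XOR every byte with 0x5F ('_'),
# then base64-encode. It is reversible obfuscation, not a hash, so anyone
# who can read the properties or XML file can recover the secret.
XOR_KEY = 0x5F
PREFIX = "{xor}"


def xor_decode(encoded: str) -> str:
    """Turn a '{xor}...' value back into the clear-text password."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(plain: str) -> str:
    """Produce the same '{xor}...' value WebSphere would write."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def is_obfuscated_only(value: str) -> bool:
    """True when a config value is merely {xor}-encoded (i.e. recoverable)."""
    return value.startswith(PREFIX)


if __name__ == "__main__":
    # The value used on this page decodes to the well-known default "WebAS".
    sample = "{xor}CDo9Hgw="
    print(sample, "->", xor_decode(sample))
    print("round trip:", xor_encode(xor_decode(sample)) == sample)
```

Because the transformation is a fixed single-byte XOR, encoding and decoding are the same operation apart from the base64 step; that symmetry is the whole reason file permissions, not the encoding, are the real control.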

Stopping the application server when Administrative Security is enabled

While the command to start the application server is still the same when administrative security is enabled, stopping the server requires extra information.
You must specify a user ID with administrator role rights, or the primary administrative user name specified in the user account repository and its password, in the stopServer command:

\bin\stopServer.bat/sh -username -password

For WebSphere Application Server running under a UNIX-based operating system (OS), the previously mentioned command (the UNIX equivalent) carries a serious security problem. Anyone who uses the ps -ef command while the stopServer process is running can see the user ID and the password.
To avoid this problem:

1. If you are using the SOAP connection type (default) to stop the server, edit the \profiles\\properties\soap.client.props file. Then, change the values of the following properties:

com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=
com.ibm.SOAP.loginPassword=

Set the user ID to one with administrator role rights, or to the primary administrative user name defined in the user account repository.

2. Encode the com.ibm.SOAP.loginPassword property value as follows:

\bin\PropFilePasswordEncoder.bat/sh soap.client.props
com.ibm.SOAP.loginPassword

Examine the result and remove the soap.client.props.bak backup file that the previous command created; it still contains the unencoded password.

3. Make sure that proper file access rights for sensitive WebSphere Application Server files, such as properties files and executable files, are set. At a minimum, ensure that permissions prevent general users from accessing these files. WebSphere administrators must be the only users that are granted access to these files. For optimal security, access to the entire WebSphere directory tree must be removed for general users.

Whether administrative security is enabled or disabled, stop the WebSphere Application Server as follows:

\bin\stopServer.bat/sh
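To check that a profile actually ends up in the state steps 1 to 3 describe, here is a small audit script. It is an added example, not code from the original post or from IBM: the profile layout, the user name wasadmin and the sample property values are constructed for the demo (the {xor} value is the one shown earlier on this page), and the checks simply mirror the three steps: SOAP security enabled with a user ID set, loginPassword run through PropFilePasswordEncoder with the .bak file removed, and no group or world access to soap.client.props.

```python
import stat
import tempfile
from pathlib import Path

# Added example: audits a WAS profile's soap.client.props against steps 1-3.
# Paths, property values and the sample profile layout are constructed here.
PROPS_NAME = "soap.client.props"
BACKUP_NAME = "soap.client.props.bak"


def parse_props(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_soap_client_props(props_dir: Path) -> list:
    """Return a list of findings; an empty list means all three steps check out."""
    findings = []
    props_file = props_dir / PROPS_NAME
    if not props_file.is_file():
        return [f"{PROPS_NAME} not found in {props_dir}"]
    props = parse_props(props_file.read_text())

    # Step 1: SOAP security on and a user id present
    if props.get("com.ibm.SOAP.securityEnabled", "").lower() != "true":
        findings.append("com.ibm.SOAP.securityEnabled is not true")
    if not props.get("com.ibm.SOAP.loginUserid"):
        findings.append("com.ibm.SOAP.loginUserid is empty")

    # Step 2: password encoded and the encoder's backup removed. {xor} is only
    # obfuscation, so step 3 (permissions) is the control that really matters.
    password = props.get("com.ibm.SOAP.loginPassword", "")
    if password and not password.startswith("{xor}"):
        findings.append("com.ibm.SOAP.loginPassword is in clear text")
    if (props_dir / BACKUP_NAME).exists():
        findings.append(f"{BACKUP_NAME} still present (holds the clear-text password)")

    # Step 3: no group/world access to the properties file
    mode = props_file.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{PROPS_NAME} is group/world accessible ({stat.filemode(mode)})")
    return findings


def build_sample_profile(base: Path, hardened: bool) -> Path:
    """Constructed fixture: a profile 'properties' directory in either state."""
    props_dir = base / ("hardened" if hardened else "weak") / "properties"
    props_dir.mkdir(parents=True)
    password = "{xor}CDo9Hgw=" if hardened else "WebAS"  # encoded vs clear text
    props_file = props_dir / PROPS_NAME
    props_file.write_text(
        "com.ibm.SOAP.securityEnabled=true\n"
        "com.ibm.SOAP.loginUserid=wasadmin\n"
        f"com.ibm.SOAP.loginPassword={password}\n"
    )
    if hardened:
        props_file.chmod(0o600)
    else:
        props_file.chmod(0o644)  # readable by every local user
        (props_dir / BACKUP_NAME).write_text("com.ibm.SOAP.loginPassword=WebAS\n")
    return props_dir


def demo() -> dict:
    """Audit both constructed profiles and return their findings by name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        return {
            "weak": audit_soap_client_props(build_sample_profile(base, hardened=False)),
            "hardened": audit_soap_client_props(build_sample_profile(base, hardened=True)),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Point the audit at the real profile directory by calling audit_soap_client_props(Path("/path/to/profile/properties")); the permission check relies on POSIX mode bits, so on Windows only the first four checks are meaningful.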



Thursday the 2nd. Wasen.net.