Stopping the application server when Administrative Security is enabled



The command that starts the application server is the same whether or not administrative security is enabled, but stopping the server requires extra information when it is enabled.
You must supply a user ID that has the administrator role, or the primary administrative user name defined in the user account repository, together with its password, on the stopServer command:

\bin\stopServer.bat/sh -username -password

For WebSphere Application Server running on a UNIX-based operating system (OS), the UNIX form of the command above has a serious security problem: anyone who runs the ps -ef command while the stopServer process is running can see the user ID and the password on its command line.
To avoid this problem:

1. If you are using the SOAP connection type (the default) to stop the server, edit the \profiles\\properties\soap.client.props file and set the following properties:

com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=
com.ibm.SOAP.loginPassword=

Set com.ibm.SOAP.loginUserid to a user ID with administrator role rights, or to the primary administrative user name defined in the user account repository, and set com.ibm.SOAP.loginPassword to that user's password.

2. Encode the com.ibm.SOAP.loginPassword property value as follows:

\bin\PropFilePasswordEncoder.bat/sh soap.client.props com.ibm.SOAP.loginPassword

Examine the result, then remove the soap.client.props.bak backup file that the previous command created: it still contains the unencoded password.

3. Make sure that proper file access rights are set on sensitive WebSphere Application Server files, such as properties files and executable files. At a minimum, ensure that the permissions prevent general users from accessing these files; WebSphere administrators must be the only users granted access to them. For optimal security, remove access to the entire WebSphere directory tree for general users.

Once the credentials are held in soap.client.props, stop the WebSphere Application Server with the same command whether administrative security is enabled or disabled:

\bin\stopServer.bat/sh
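The following POSIX shell function is an added example, not part of the WebSphere documentation or product: it audits a soap.client.props file for the conditions that steps 1 to 3 above leave to the administrator (security enabled, password stored in encoded form, backup file removed, no group/other access). It assumes, as IBM's encoder does, that an encoded value carries the {xor} prefix; the sample file contents and path it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not IBM's code): audit soap.client.props after the
# stopServer hardening procedure. Returns 0 when every check passes,
# otherwise prints one line per failed check and returns 1.
check_soap_props() {
    props="$1"
    rc=0

    # Step 1: the SOAP client must have security enabled.
    if ! grep -q '^com\.ibm\.SOAP\.securityEnabled=true$' "$props"; then
        echo "FAIL: com.ibm.SOAP.securityEnabled is not true"; rc=1
    fi

    # Step 2: the stored password must be the encoded form. The encoder
    # writes values prefixed with {xor}; anything else is clear text.
    pw=$(sed -n 's/^com\.ibm\.SOAP\.loginPassword=//p' "$props")
    case "$pw" in
        '{xor}'*) ;;
        *) echo "FAIL: com.ibm.SOAP.loginPassword is not encoded"; rc=1 ;;
    esac

    # Step 2: the .bak file holds the clear-text password; it must be gone.
    if [ -e "$props.bak" ]; then
        echo "FAIL: $props.bak still exists (unencoded password)"; rc=1
    fi

    # Step 3: group and other must have no access (e.g. mode 600 or 400).
    mode=$(stat -c '%a' "$props" 2>/dev/null || stat -f '%Lp' "$props")
    case "$mode" in
        ?00) ;;
        *) echo "FAIL: $props mode is $mode; group/other must be 0"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample (assumption: an already-hardened file) for a demo run.
make_sample_props() {
    dir=$(mktemp -d)
    printf '%s\n' 'com.ibm.SOAP.securityEnabled=true' \
        'com.ibm.SOAP.loginUserid=wasadmin' \
        'com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=' > "$dir/soap.client.props"
    chmod 600 "$dir/soap.client.props"
    echo "$dir/soap.client.props"
}

sample=$(make_sample_props)
check_soap_props "$sample" && echo "OK: $sample passes all checks"
```

Run it against the real profile's properties directory instead of the sample path to confirm the hardening before the next stopServer.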