
Encrypting credentials in IBM Business Automation Workflow - part 2

By Jens Engelke posted Fri February 19, 2021 11:15 AM

The focus of part 1 was the configuration of a custom encryption key that IBM Business Automation Workflow uses when persisting credentials in its database.
It is important to note that some features of IBM Business Automation Workflow instead use WebSphere Application Server's password utility when persisting credentials.

I briefly mentioned "authentication aliases" managed by WebSphere Application Server, which are XOR encoded by default but can be encrypted. Customers have done that by implementing a plug-point that has been available for many releases.

With WebSphere Application Server V8.5.5.18, built-in AES encryption comes to the 8.5.5 stream of the application server, which is the base underneath all supported traditional IBM Business Automation Workflow servers today.

With IFPH34028 (Thanks @Hiroko Takamiya) installed, you can run

in a wsadmin session (Jython). These two commands will
- create an encryption key and a passwordUtil.properties file
- update many configuration files to include encrypted passwords instead of XOR encoded passwords

Because of the size of BAW profiles, you will need to increase the SOAP timeout in <PROFILE_ROOT>/properties/soap.client.props significantly to allow these commands to complete:

Once the commands have completed, you need to synchronize the nodes and restart. Browsing the configuration directory, you'll find encrypted credentials like
<authDataEntries xmi:id="JAASAuthData_1612951171441" alias="CellAdminAlias" userId="celladmin" password="{aes:pccell1/1613747729239}EOd/Wp15EjZM+dzGDRdX4xv4+qos45/nlUOCD7wwMvaGSavf22fQ0cjkvi3UCtbtpg==" description="BPM Cell Administrator Alias"/>
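A practical check after the migration is to confirm that no `{xor}` encoded value is left behind in the profile and that every `{aes:...}` value references the same key. The following Python 3 script is an added example, not part of the original post and not IBM tooling; it runs outside wsadmin against a profile directory such as `<PROFILE_ROOT>`. The sample files, their paths and the XOR values are constructed for the demo; only the AES key id `pccell1/1613747729239` is taken from the configuration line above.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# The scheme prefix WebSphere writes in front of a stored password:
# "{xor}" for the default encoding, "{aes:<keyAlias>/<timestamp>}" once AES
# password encryption is enabled. The same prefix appears in XML attributes
# (security.xml, resources.xml) and in key=value files (soap.client.props).
SCHEME_TAG = re.compile(r"\{(xor|aes:[^}]+)\}")

# File types under a profile that may carry stored credentials (assumption:
# these three globs cover the files an administrator cares about).
CONFIG_GLOBS = ("*.xml", "*.props", "*.properties")


def classify_line(line: str) -> List[Tuple[str, str]]:
    """Return (scheme, key_id) for each encoded password found on one line.

    scheme is "xor" or "aes"; key_id is the "<keyAlias>/<timestamp>" part of an
    AES tag and the empty string for XOR.
    """
    found: List[Tuple[str, str]] = []
    for match in SCHEME_TAG.finditer(line):
        tag = match.group(1)
        if tag == "xor":
            found.append(("xor", ""))
        else:
            found.append(("aes", tag[len("aes:"):]))
    return found


def scan_config(root: Path) -> Dict[str, List[Tuple[str, int, str]]]:
    """Walk root recursively and record (file, line number, key_id) per scheme."""
    report: Dict[str, List[Tuple[str, int, str]]] = {"xor": [], "aes": []}
    for pattern in CONFIG_GLOBS:
        for path in sorted(root.rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            for lineno, line in enumerate(text.splitlines(), 1):
                for scheme, key_id in classify_line(line):
                    report[scheme].append((rel, lineno, key_id))
    return report


def summarize(report: Dict[str, List[Tuple[str, int, str]]]) -> Dict[str, object]:
    """Condense a scan into the numbers to check after running the migration."""
    return {
        "xor_count": len(report["xor"]),
        "aes_count": len(report["aes"]),
        # All AES values in one profile should reference one key id; more than
        # one id here means values were produced with different keys.
        "key_ids": sorted({key_id for _, _, key_id in report["aes"]}),
        # Files and lines that were not migrated and still use XOR encoding.
        "xor_locations": [(f, n) for f, n, _ in report["xor"]],
    }


# Constructed sample profile content (paths and XOR values are made up for
# the demo; the AES key id is the one shown in the post).
SAMPLE_FILES = {
    "cells/pccell1/security.xml": (
        '<authDataEntries xmi:id="JAASAuthData_1" alias="CellAdminAlias" userId="celladmin" '
        'password="{aes:pccell1/1613747729239}CONSTRUCTED_AES_VALUE==" '
        'description="BPM Cell Administrator Alias"/>\n'
    ),
    "cells/pccell1/nodes/node1/resources.xml": (
        '<authDataEntries xmi:id="JAASAuthData_2" alias="LegacyAlias" userId="svc" '
        'password="{xor}CONSTRUCTED_XOR_VALUE=" description="not yet migrated"/>\n'
    ),
    "properties/soap.client.props": (
        "com.ibm.SOAP.loginUserid=celladmin\n"
        "com.ibm.SOAP.loginPassword={xor}CONSTRUCTED_XOR_VALUE=\n"
    ),
}


def demo() -> Dict[str, object]:
    """Write the constructed sample files to a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return summarize(scan_config(root))


if __name__ == "__main__":
    # Against a real profile: summarize(scan_config(Path("/path/to/PROFILE_ROOT")))
    print(demo())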

When you create a REST server and specify username and password directly in Web Process Designer (instead of the recommended way of using an invocation credential stored as an authentication alias), it will use WebSphere's password encryption.
Of course, credentials that are already in the database are not updated when running the command. They will need to be updated by setting a password in Process Admin Console for each snapshot.
And of course, the generated encryption key is environment specific. When you enable password encryption on Workflow Center, credentials in twx files will not be understood by other Workflow Center servers, or by Workflow Servers when deploying a snapshot.