WebSphere Application Server & Liberty

  • 1.  Encryption Algorithm for WebSphere

    Posted Thu October 06, 2016 04:52 PM

    How do I implement a different encryption algorithm for a WAS install? For example: if I create a J2C authentication alias, its password will be saved with an XOR encryption, something like this: {xor}jfakfjajfsa, and we all know how easy it is to decrypt that. How do I implement my custom encryption for my WAS cell, and what steps should I follow to safely do this without breaking the integrity of already established cells?

    Thanks in advance!



  • 2.  RE: Encryption Algorithm for WebSphere

    Posted Fri October 07, 2016 12:46 AM

    In general, you have to create a plug point for custom password encryption in order to encrypt and decrypt all passwords in WebSphere® Application Server that are currently encoded or decoded using Base64 encoding.

    For more information, you can check the following topic:

    http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_plugpoint_custpass_encrypt.html



  • 3.  RE: Encryption Algorithm for WebSphere

    Posted Fri October 07, 2016 09:56 AM

    Just be aware that, whether you set up the plug point or leave it as an XOR encoding, the number one step is to protect access to the file (and any other files on the server). If someone can hack into the server and gain access to the files, then all bets are off. They can just as easily decompile the Java code and figure out what encryption was used and still decrypt the passwords, because they would also have access to the key files used, since those need to be stored on the server too. So, again, make sure the servers are secured and protected and all logins are routinely audited, regardless of what method is used to obfuscate the passwords.



  • 4.  RE: Encryption Algorithm for WebSphere

    Posted Thu October 13, 2016 03:08 PM

    Thanks for the suggestions and support. One thing I am unclear on in the content of the link is where I enable the following custom properties for a Network Deployment install: only at the cell level, or on all the nodes?

    • com.ibm.wsspi.security.crypto.customPasswordEncryptionClass
    • com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled


  • 5.  RE: Encryption Algorithm for WebSphere

    Posted Mon October 24, 2016 11:02 AM

    Hi,

      Enabling custom password encryption
      http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_enable_custpass_encrypt.html

      1. Add the following system properties for every server and client process. For server processes, update the server.xml file for each process. Add these properties as a genericJvmArgument argument preceded by a -D prefix.

         com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.myPasswordEncryptionClass
         com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true

      7. Ensure that all nodes have the custom encryption classes in their class paths before enabling this function. The order in which enablement occurs is important. When adding a new node to a cell that contains password encryption, the new node must contain the custom encryption classes prior to using the addNode command. Consider the following WebSphere Application Server Network Deployment enablement scenarios:

        c. If enabling custom password encryption in a cell with multiple nodes present, update the correct configuration properties and have the custom password encryption implementation class located on all nodes. Stop all processes in the cell, and then start the deployment manager. Use the administrative console to edit the security configuration and then save it. Verify that the passwords are encrypted by looking at the security.xml file to see if the passwords are preceded by {custom:alias} tags.

        d. Run the syncNode command on each node, and start each one individually. If any nodes fail to start, make sure that they have custom password encryption enabled properly in each security.xml file and that the implementation class is in the appropriate /classes directory for the platform.

      Enabling a plugpoint for custom password encryption
      http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_plugpoint_custpass_encrypt.html

      2. [AIX Solaris HP-UX Linux Windows] To configure custom password encryption, configure both of these properties in the server.xml file. How you perform this configuration is dependent on your existing directory structure. Choose one of the following ways to perform this configuration:

      So it seems that you need to enable the properties in all your servers and clients.

      Hope this helps.

    Regards
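
An added example of what the plug point class from reply 2 can look like, wired the way the enablement steps in reply 5 require. This is example code written for this page, not IBM's code and not something posted in the thread. It assumes the WebSphere 8.5.5 SPI as the Knowledge Center documents it (the CustomPasswordEncryption interface, EncryptedInfo, PasswordEncryptException and PasswordDecryptException in com.ibm.wsspi.security.crypto) and a Java 8 JDK for AES/GCM. The package name com.acme.security, the class name AesGcmPasswordEncryption, the com.acme.pwdenc.* system properties, the key alias pwdenc-v1 and the keystore layout are all this example's own assumptions; the post's com.acme.myPasswordEncryptionClass is only a placeholder name.

```java
package com.acme.security; // hypothetical package; the post's com.acme.myPasswordEncryptionClass is a placeholder

import com.ibm.wsspi.security.crypto.CustomPasswordEncryption;
import com.ibm.wsspi.security.crypto.EncryptedInfo;
import com.ibm.wsspi.security.crypto.PasswordDecryptException;
import com.ibm.wsspi.security.crypto.PasswordEncryptException;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// AES-256-GCM implementation of the custom password encryption plug point. Keys live in a JCEKS
// keystore outside the cell configuration. WebSphere stores the alias returned in EncryptedInfo as
// {custom:<alias>}, so a rotated-out key can stay in the keystore for decryption of old values.
public class AesGcmPasswordEncryption implements CustomPasswordEncryption {
    // -D system properties read by this class; the names are this example's, not WebSphere's.
    static final String KS_PATH_PROP = "com.acme.pwdenc.keystore";
    static final String KS_PASS_FILE_PROP = "com.acme.pwdenc.keystorePasswordFile";
    static final String CURRENT_ALIAS_PROP = "com.acme.pwdenc.currentAlias";

    private static final int IV_BYTES = 12, TAG_BITS = 128; // 96-bit nonce, full-length tag
    private final SecureRandom random = new SecureRandom();
    private final Map<String, SecretKey> keys = new HashMap<String, SecretKey>();
    private String currentAlias;

    public void initialize(HashMap initialization_data) {
        loadKeys(); // runtime hook; encrypt/decrypt also load lazily in case it is not called
    }

    private synchronized void loadKeys() {
        if (currentAlias != null) return;
        String ksPath = System.getProperty(KS_PATH_PROP);
        String passFile = System.getProperty(KS_PASS_FILE_PROP);
        String alias = System.getProperty(CURRENT_ALIAS_PROP);
        if (ksPath == null || passFile == null || alias == null)
            throw new IllegalStateException("pwdenc: keystore, password file and current alias must be set");
        char[] pass = null;
        try (InputStream in = new FileInputStream(ksPath)) {
            // The password file must be readable only by the server's OS user (chmod 600).
            pass = new String(Files.readAllBytes(Paths.get(passFile)), StandardCharsets.UTF_8).trim().toCharArray();
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(in, pass);
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String a = e.nextElement();
                if (ks.isKeyEntry(a)) keys.put(a, (SecretKey) ks.getKey(a, pass));
            }
        } catch (Exception e) {
            throw new IllegalStateException("pwdenc: cannot load keystore " + ksPath, e);
        } finally {
            if (pass != null) Arrays.fill(pass, '\0');
        }
        if (!keys.containsKey(alias))
            throw new IllegalStateException("pwdenc: current alias " + alias + " not found in keystore");
        currentAlias = alias;
    }

    public EncryptedInfo encrypt(byte[] decrypted_bytes) throws PasswordEncryptException {
        try {
            loadKeys();
            byte[] iv = new byte[IV_BYTES];
            random.nextBytes(iv); // fresh nonce per value: GCM is broken by nonce reuse under one key
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, keys.get(currentAlias), new GCMParameterSpec(TAG_BITS, iv));
            c.updateAAD(currentAlias.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its alias
            byte[] ct = c.doFinal(decrypted_bytes);
            byte[] out = Arrays.copyOf(iv, IV_BYTES + ct.length); // stored value = iv || ciphertext || tag
            System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
            return new EncryptedInfo(out, currentAlias);
        } catch (Exception e) {
            PasswordEncryptException pe = new PasswordEncryptException("pwdenc: encrypt failed");
            pe.initCause(e);
            throw pe;
        }
    }

    public byte[] decrypt(EncryptedInfo info) throws PasswordDecryptException {
        String alias = info.getKeyAlias();
        byte[] blob = info.getEncryptedBytes();
        try {
            loadKeys();
            SecretKey k = keys.get(alias); // old aliases still resolve after a key rotation
            if (k == null || blob == null || blob.length <= IV_BYTES)
                throw new IllegalArgumentException("unknown alias " + alias + " or malformed value");
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, IV_BYTES)));
            c.updateAAD(alias.getBytes(StandardCharsets.UTF_8));
            return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES); // tag mismatch -> AEADBadTagException
        } catch (Exception e) {
            PasswordDecryptException pe = new PasswordDecryptException("pwdenc: decrypt failed");
            pe.initCause(e);
            throw pe;
        }
    }
}
```

To use it: compile against the WebSphere runtime jars, copy the class onto every node's classes directory before enabling anything (the order in step 7 above), and create the key with keytool, for example `keytool -genseckey -alias pwdenc-v1 -keyalg AES -keysize 256 -storetype JCEKS -keystore /opt/secure/pwdenc.jceks` (use the same password for the key and the store, because the class opens both with the store password; AES-256 needs the unrestricted JCE policy on JDKs older than 8u161). Then add the two properties from reply 5 plus this class's three to the genericJvmArguments of every server and client JVM, e.g. `-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.acme.security.AesGcmPasswordEncryption -Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true -Dcom.acme.pwdenc.keystore=/opt/secure/pwdenc.jceks -Dcom.acme.pwdenc.keystorePasswordFile=/opt/secure/pwdenc.pass -Dcom.acme.pwdenc.currentAlias=pwdenc-v1`, and verify after the save that security.xml shows {custom:pwdenc-v1} in front of the passwords. Rotating a key means adding pwdenc-v2 to the keystore, switching currentAlias, and re-saving the security configuration; v1 stays in the keystore until no value still references it. The caveat in reply 3 applies unchanged: the keystore and its password file sit on the same server, so restrict them to the WAS OS user and audit access to them. What this buys over {xor} is that copying security.xml alone no longer yields the passwords, and a tampered value fails the GCM tag check instead of decrypting to garbage.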



  • 6.  RE: Encryption Algorithm for WebSphere

    Posted Tue October 25, 2016 12:39 AM

    Thanks, Gabriel, it sure helps.