WebSphere Application Server & Liberty

 View Only
Expand all | Collapse all

Obfuscating or protecting passwords in files when building WebSphere

  • 1.  Obfuscating or protecting passwords in files when building WebSphere

    IBM Champion
    Posted Thu June 03, 2021 11:52 AM
    Hi,

    I am using wsadmin (I know I just said in another thread I would avoid it if possible but it's not possible here) and I am looking to script the security configuration. So the command is:

    wsadmin -f security.py

    In Security.py there is a line:

    AdminTask.addIdMgrLDAPServer('[-id ToyTown -host ToyTown.com -bindAuthMechanism simple -bindDN me@ToyTown.com -bindPassword password -referal ignore -sslEnabled true -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 636]')

    Since this is stored in scripts is there anyway to protect, hide or obfuscate the password value?

    Thanks,

    Paul

    ------------------------------
    Paul Fearon
    ------------------------------


  • 2.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Thu June 03, 2021 02:10 PM
    Hi, Paul  

    There is an password encoder tool under {profile}\bin directory called PropFilePasswordEncoder. 
    It will encode a plain text password using the encoding configured with the WebSphere.  ({xor} by default) 
    You could specify the encoded password in the script. 

    Steps to encode a plain text password

    The tool needs a file that contains the password in following format (property=password) 
    For example, I created "paulspwd.txt" as follows, that contains "pauls-secret" as the password to obfuscate. 

    C:\WAS855ND\profiles\Dmgr01\bin>type paulspwd.txt
    password=pauls-secret

    Then run the command on the file specifying the property associated with the password. 

    C:\WAS855ND\profiles\Dmgr01\bin>PropFilePasswordEncoder.bat paulspwd.txt password

    After the command finishes, please open the file again. It is encoded as follows. 

    C:\WAS855ND\profiles\Dmgr01\bin>type paulspwd.txt
                password={xor}Lz4qMyxyLDo8LTor      <= Encoded! 

    The password should work in the configuration xml files where password is specified. 

    For more information, please check out the following page.  
    Securing passwords in files

    Thanks! 


    ------------------------------
    Hiroko Takamiya
    IBM
    ------------------------------



  • 3.  RE: Obfuscating or protecting passwords in files when building WebSphere

    IBM Champion
    Posted Fri June 04, 2021 02:39 AM
    Hello Paul,
    as @Hiroko Takamiya pointed out encoding is an option to obfuscate the password before. However encodes passwords can easily be decoded. If that's sufficient and ok you are done.

    Otherwise you might consider not to add the password to the script be retrieve it at runtime from for example an environment variable you set before calling the script (or you use a vault to get the password). In the script you retrieve the password from the environment variable and feed it in.

    Hope that helps .. Hermann

    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Austria

    #IBMChampion
    ------------------------------



  • 4.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Tue June 08, 2021 07:06 PM
    How do you "feed [the environment variable] in" to connect to the cell manager *after* starting wsadmin? I can get the environment variables. But how do you connect to the cell manager after starting wsadmin with wsadmin -conn NONE?

    ------------------------------
    Blessings,
    Jason Uppenborn
    Sr. Technical Maximo Consultant
    Ontracks Consulting
    ------------------------------



  • 5.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Wed June 09, 2021 06:16 AM
    Hi, if you are using -connType NONE, then you are not connecting to the Cell Manager.

    Brian

    ------------------------------
    Brian S Paskin
    Sr. WebSphere, Liberty and MQ Architecture
    Cloud Automation
    IBM Expert Labs
    ------------------------------



  • 6.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Wed June 09, 2021 08:16 AM
    Edited by Joey Cote Wed June 09, 2021 08:17 AM
    The format of the wsadmin command to connect to a cell that has security enabled looks like this on Linux (assuming you are using Jython commands):

    [WAS_HOME]/bin/wsadmin.sh -lang jython -conntype SOAP -port <soap_port> -host <cell_hostname> -user <username> -password <password><o:p></o:p>

    i.e. 
    /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype SOAP -port 8879 -host my-dmgr.example.com -user wsadmin -password password



    ------------------------------
    Joey Cote
    ------------------------------



  • 7.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Wed June 09, 2021 10:55 AM
    Thank you, Joey and others, for reminding me of the correct syntax for specifying the connection type to wsadmin. In your reminder, you put the password in clear text on the command line. Any user could then do a `ps -ef | grep password` and find it. This is *very* bad.

    To avoid passing the password in clear text on the command line, for everyone to see, wsadmin lets you put the password in clear text in, for example, soap.client.props. Then, you can optionally run PropFilePasswordEncoder on your soap.client.props to encrypt your com.ibm.SOAP.loginPassword. However, multiple posters pointed out that ​PropFilePasswordEncoder merely encodes passwords, e.g. in base 64 or something, but it doesn't actually encrypt it. Storing the password in clear text with full context in a file is a no-go. Encoding isn't super, but it's better than clear text. And making the file only readable by the user that starts WebSphere services helps.

    What I understood @Hermann Huebler to say was that you could store the password in an environment variable, possibly after extracting it from a vault, and "feed it in". If he was suggesting that I could start wsadmin with -connType NONE and then connect / feed the password in, like you can do with Oracle's sqlplus utility, then I would like to know how that is done.

    ------------------------------
    Blessings,
    Jason Uppenborn
    Sr. Technical Maximo Consultant
    Ontracks Consulting
    ------------------------------



  • 8.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Wed June 09, 2021 11:13 AM
    If you look at my sample code (see thread for link), I connect to HashiCorp Vault.  No passwords are entered on the command line or in the web interface.  What you enter is the key name to get the password that is stored  in Vault.


    ------------------------------
    Brian S Paskin
    Sr. WebSphere, Liberty and MQ Architecture
    Cloud Automation
    IBM Expert Labs
    ------------------------------



  • 9.  RE: Obfuscating or protecting passwords in files when building WebSphere

    IBM Champion
    Posted Thu June 10, 2021 02:25 AM
    Hello @Jason Uppenborn,
    the idea with the password was related to the original question namly how to avoid the password in the scripts
    AdminTask.addIdMgrLDAPServer('[-id ToyTown -host ToyTown.com -bindAuthMechanism simple -bindDN me@ToyTown.com -bindPassword password -referal ignore -sslEnabled true -ldapServerType AD -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 636]')​

    command. Here you can add code in the script to get the password from the environment variable using standard Python code like for example:

    import os
    if os.environ.keys().count("LDAP_BIND_PWD") == 1:
    	ldapBindPwd=os.environ["LDAP_BIND_PWD"]
    else:
    #### Error handling

    So you check if the env. var is set and get it if it is set ... if it is not set .. you need to do some error handling ...

    Hope this helps .. Hermann



    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 10.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Thu June 10, 2021 09:48 AM
    Thank you @Hermann Huebler. I had lost sight of the original requirement. Your comment makes perfect sense, now.​

    ------------------------------
    Blessings,
    Jason Uppenborn
    Sr. Technical Maximo Consultant
    Ontracks Consulting
    ------------------------------



  • 11.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Fri June 04, 2021 08:15 AM
    Hi Paul,

    If you don't want to use the {xor} encoded passwords (which are easily decryptable for anyone having access to your XML file values), you can implement a custom encryption/decryption class as stated here: https://www.ibm.com/docs/en/was/8.5.5?topic=encryption-plug-point-custom-password 

    You can drop the resulting .jar in [WAS_HOME]/lib/ext and the custom encryption will apply when configuring password values.

    After implementing a custom encryption class, the values in the XML will look like {custom:alias} , instead of {xor} .

    Joey

    ------------------------------
    Joey Cote
    ------------------------------



  • 12.  RE: Obfuscating or protecting passwords in files when building WebSphere

    Posted Mon June 07, 2021 08:05 AM
    I have an example of using HashiCorp Vault.  You can use this as a basis for encrypting passwords, like Joey mentioned. https://github.com/bpaskin/WASLibertyScriptsAndStuff/tree/master/WASHashiCorpVaultPassword

    Brian

    ------------------------------
    Brian S Paskin
    Sr. WebSphere, Liberty and MQ Architecture
    Cloud Automation
    IBM Expert Labs
    ------------------------------