WebSphere stores passwords for datasources, security aliases, etc. in an encrypted format in its configuration files. The format, called XOR (exclusive OR), is not a particularly strong encryption algorithm, probably designed just to stop casual snooping. (In contrast, WebLogic uses triple-DES encryption.)
(To be precise, IBM says WebSphere “encodes” passwords, not encrypts them.)
When you forget that password to your development database it can be useful to have the ability to decrypt XOR-encrypted passwords. Fortunately IBM have provided the means to encrypt and decrypt passwords in XOR format (although they probably didn’t mean to leave the code around for general use).
So let's encrypt the password “secret”:
WebSphere 5.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == “secret”, encoded password == “{xor}LDo8LTor”
WebSphere 6.0.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == “secret”, encoded password == “{xor}LDo8LTor”
and to decrypt (don’t forget to prefix the encoded password with “{xor}”):
WebSphere 5.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == “{xor}LDo8LTor”, decoded password == “secret”
WebSphere 6.0.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == “{xor}LDo8LTor”, decoded password == “secret”
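Why this is only an encoding, shown as an added example that is not part of the original post and not IBM's code: XORing the known pair above shows that every byte uses the same one-byte key, after which encoding, decoding and spotting `{xor}` values in a config file take a few lines of Python. The function names and the sample config fragment are constructed for illustration.

```python
import base64
import re

PREFIX = "{xor}"

def recover_key(plaintext, encoded):
    """XOR a known plaintext against the base64-decoded value.
    A result set holding one byte means a fixed single-byte key."""
    raw = base64.b64decode(encoded[len(PREFIX):])
    return {c ^ p for c, p in zip(raw, plaintext.encode("utf-8"))}

# Known pair printed by PasswordEncoder in the post above.
KEY_BYTES = recover_key("secret", "{xor}LDo8LTor")
KEY = min(KEY_BYTES)  # the single recovered key byte

def _xor(data):
    return bytes(b ^ KEY for b in data)

def encode(password):
    return PREFIX + base64.b64encode(_xor(password.encode("utf-8"))).decode("ascii")

def decode(value):
    if not value.startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    return _xor(base64.b64decode(value[len(PREFIX):])).decode("utf-8")

def find_xor_values(config_text):
    """Audit helper: (line number, value) for each {xor} value found."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for match in re.finditer(r"\{xor\}[A-Za-z0-9+/=]*", line):
            hits.append((number, match.group(0)))
    return hits

# Constructed sample; element and attribute names are illustrative only.
SAMPLE_CONFIG = """<config>
  <authData alias="devdb" userId="app" password="{xor}LDo8LTor"/>
  <authData alias="other" userId="svc" password="plain-placeholder"/>
</config>"""

if __name__ == "__main__":
    print("recovered key byte(s):", [hex(k) for k in sorted(KEY_BYTES)])
    for number, value in find_xor_values(SAMPLE_CONFIG):
        print(f"line {number}: {value} is reversible, treat as plaintext")
```

Any file that holds `{xor}` values needs the same file permissions and backup handling as a file holding the passwords in clear text.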
UPDATE: IBM have heard the cries about poor password security and have added hooks from WebSphere 6.0.2 onwards that allow you to write your own password encryption. One step forward…