I'm also working with an ex-work colleague to start another, broader IT hints-and-tips blog at http://htfdidt.blogspot.co.uk.
The first joint article is Decrypting WebSphere passwords. Enjoy it below or over on the new site.
By default, WebSphere stores passwords in its configuration files by XOR'ing each byte with "_" and Base64-encoding the result, which is possibly the IT industry's worst-kept secret. While passwords in files are often a necessary evil, the problem here is that these values are obfuscated rather than encrypted, so anyone who can read the file can trivially decode them.
This post shows you how to decode them, and also how to encode a plaintext password into the {xor} format yourself. The reason for the latter is that my workplace still inserts plaintext passwords into the files and then runs PropFilePasswordEncoder.sh over them afterwards, and I suspect we are not the only place to do so.
So where can you find such files with these passwords?
Two such examples are:-
- /opt/IBM/WebSphere/AppServer/profiles/appsrv01/config/cells/appsrv01node01/security.xml
- /opt/IBM/WebSphere/AppServer/profiles/appsrv01/properties/soap.client.props
[root@wasadmin properties]# grep '^com.ibm.SOAP.login' ./soap.client.props
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=wasadmin
com.ibm.SOAP.loginSource=prompt
So first, you can see I'm using trivial and nonsense passwords, and my WAS install runs as root. If this reflects your production environment, you're doing it wrong.
Let's at least make things better by encoding the password.
[root@wasadmin properties]# ../bin/PropFilePasswordEncoder.sh ./soap.client.props com.ibm.SOAP.loginPassword
You can now see that the password is no longer plain text. Bear in mind that it is only obfuscated, not encrypted: the {xor} prefix tells you exactly how to reverse it, so the file permissions on these files matter just as much as they did before.
[root@wasadmin properties]# grep '^com.ibm.SOAP.login' ./soap.client.props
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=
com.ibm.SOAP.loginSource=prompt
Now, what if you forget what that password is? Or what if you wanted to change it on a regular basis?
You could follow IBM's advice here to switch off security.
You can even use WebSphere itself to decode the passwords, as detailed here.
Many of these approaches didn't appear to work for WAS 8, until I found this example, which you can run from the plugins directory of your WAS installation, e.g. cd /opt/IBM/WebSphere/AppServer/plugins.
So, using our 'lost' password from earlier...
[root@wasadmin plugins]# ../java/bin/java -Djava.ext.dirs=.:../lib com.ibm.ws.security.util.PasswordDecoder {xor}KD4sPjsyNjE=
encoded password == "{xor}KD4sPjsyNjE=", decoded password == "wasadmin"
Now, I did mention this article wasn't just about breaking in. What this also allows us to do is pre-encode our passwords before we add them to the files, rather than writing the plaintext to disk and encoding it afterwards. Let's say we wanted a default build password based on this ideology...
[root@wasadmin plugins]# ../java/bin/java -Djava.ext.dirs=.:../lib com.ibm.ws.security.util.PasswordEncoder "correct horse battery staple"
decoded password == "correct horse battery staple", encoded password == "{xor}PDAtLTo8K383MC0sOn89PisrOi0mfywrPi8zOg=="
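The scheme is simple enough to reimplement without a WAS install at all, which is handy for a build pipeline or for auditing a config tree. The following Python is an added example of my own, not IBM's code or anything shipped with WebSphere: it XORs each byte with "_" (0x5F) and Base64-encodes the result, reproduces the two {xor} values shown above, pulls every password-looking property out of a soap.client.props-style file, and pre-encodes a chosen property so the plaintext never has to be written to disk. The sample properties text is constructed from the excerpt earlier in the post, and the helper names and the com.ibm.ssl.keyStorePassword value are assumptions for illustration.

```python
import base64
import re

# WebSphere's default password "encoding": every byte of the password is
# XORed with the single byte '_' (0x5F), the result is Base64-encoded and
# the string is prefixed with "{xor}". There is no key, so anyone who can
# read the file can reverse it.
XOR_KEY = ord("_")
PREFIX = "{xor}"


def encode_password(plaintext: str) -> str:
    """Encode a plaintext password the way PropFilePasswordEncoder.sh does."""
    obfuscated = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(obfuscated).decode("ascii")


def decode_password(encoded: str) -> str:
    """Reverse a {xor} value. A value without the prefix is returned as-is,
    because WebSphere treats an untagged value as plaintext."""
    if not encoded.startswith(PREFIX):
        return encoded
    obfuscated = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in obfuscated).decode("utf-8")


# Match "name=value" lines whose property name ends in "Password"/"password"
# (the form used in soap.client.props; comments and blank lines are skipped).
_PASSWORD_LINE = re.compile(r"^(?P<key>[^#=\s][^=\s]*[Pp]assword)=(?P<value>.*)$")


def find_passwords(props_text: str) -> dict:
    """Return {property name: decoded value} for every password-looking
    property in a Java .properties file, decoding {xor} values on the way."""
    found = {}
    for line in props_text.splitlines():
        m = _PASSWORD_LINE.match(line.strip())
        if m:
            found[m.group("key")] = decode_password(m.group("value"))
    return found


def encode_property(props_text: str, key: str) -> str:
    """Rewrite one property's value in {xor} form and leave every other line
    untouched. Values that already carry the {xor} prefix are left alone, so
    running this twice is harmless."""
    out = []
    for line in props_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key and not value.startswith(PREFIX):
            line = f"{name}={encode_password(value)}"
        out.append(line)
    return "\n".join(out) + ("\n" if props_text.endswith("\n") else "")


# Constructed sample modelled on the soap.client.props excerpt in the post.
# The keyStorePassword value is made up for this example.
SAMPLE_PROPS = """\
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=
com.ibm.SOAP.loginSource=prompt
com.ibm.ssl.keyStorePassword=build-secret
"""

if __name__ == "__main__":
    print(decode_password("{xor}KD4sPjsyNjE="))
    print(encode_password("correct horse battery staple"))
    print(find_passwords(SAMPLE_PROPS))
    print(encode_property(SAMPLE_PROPS, "com.ibm.ssl.keyStorePassword"), end="")
```

Only the plain "name=value" form is handled, which is all the WAS property files use; the Java properties format also permits ":" and whitespace separators, so generalise the regex before pointing this at arbitrary .properties files. Running find_passwords over a whole profiles/ tree is a quick way to see how many "encrypted" credentials a server really exposes to anyone with read access.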