Wednesday, July 12, 2006

Recovering passwords from WebSphere

WebSphere stores passwords for datasources, security aliassss, etc in an encrypted format in its configuration files. The format, called XOR (exclusive OR), is not a particularly strong encryption algorithm, probably designed just to stop casual snooping. (In contrast WebLogic uses triple-DES encryption.)

(To be precise IBM says WebSphere "encodes" paswords, not encrypts them.)

When you forget that password to your development database it can be useful to have the ability to decrypt XOR-encrypted passwords. Fortunately IBM have provided the means to encrypt and decrypt passwords in XOR format (although they probably didn't mean to leave the code around for general use).

So lets encrypt the password "secret":

WebSphere 5.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"


WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"


and to decrypt (don't forget to prefix the encoded password with "{xor}"):

WebSphere 5.x


> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"


WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"


UPDATE: IBM have heard the cries about poor password security and have added hooks from WebSphere 6.0.2 onwards that allow you to write your own password encryption. One step forward...

23 comments:

Anonymous said...

That's awesome!!

WOuld like to keep watching your blog for any such further info.

Thanks

BP

Anonymous said...

It does not appear to work for 6.1 - any ideas?

Robert Maldon said...

I do not have access to a WAS 6.1 at the moment. Does the main() method not exist any more, or is a dependent class missing from the classpath? Got a stack trace?

Anonymous said...

For WAS 6.1, do the following:

To encode:

C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"

To decode:

C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"

Change C:\IBM\WAS61 as needed.

Enjoy!

Anonymous said...

Full directory has been truncated. Here it is, splitted line by line:


C:\
IBM\
WAS61\
AppServer\
bin\
ProfileManagement\
plugins\
com.ibm.websphere.v61_6.1.200

Robert Maldon said...

Awesome, thanks for the WAS 6.1 example.

Anonymous said...

I do not see "com.ibm.websphere.v61_6.1.200" in plugins directory.

I use WAS ND 6.1.0.15.

So unable to use the was6.1 decode or encode methodology provided here.

Anonymous said...

ok there are two plugins directories.

The plugins directory under ${WAS_HOME} does not have "com.ibm.websphere.v61_6.1.200". When searched for "com.ibm.websphere.v61_6.1.200", i found it under ${WAS_HOME}/deploytool/itp/plugins directory.

So guess for different versions its at different location.
Anyways thanks guys...

Anonymous said...

Just wanted to share how it worked for me.

WebSphere 6.1.x:

To Encrypt:

/opt/WebSphere/DeploymentManager/deploytool/itp/plugins>${WAS_HOME}/java/bin/java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"

To Decrypt:

/opt/WebSphere/DeploymentManager/deploytool/itp/plugins>${WAS_HOME}/java/bin/java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"

Anonymous said...

did anyone try to break the password from the fileRegistry.xml file in WAS 6.1 (VMM)

Anonymous said...

For the curious, the file repository is stored under your profile in: $WAS_HOME\profiles\profileName\config\cells\cellName\fileRegistry.xml. This file contains user and group identifiers, including the encrypted passwords for the user entries. The passwords for a user is encrypted using a one way hash by applying the message digest algorithm specified in the VMM configuration file (wimconfig.xml). The default value for the message digest algorithm is SHA-1. The algorithm can be updated to a different value using the wsadmin command updateIdMgrFileRepository. One of the parameters you can use with this command is the messageDigest Algorithm.

from:http://www.ibm.com/developerworks/websphere/techjournal/0701_ilechko/0701_ilechko.html

Anonymous said...

Is there a way to encode and decode passwords programmatically as well?

Robert Maldon said...

The amount of code to encode/decode passwords is small, but it is proprietary IBM and therefore not in the public domain.

I won't mention tools like JAD...

Darshan Shroff said...

One of the best posts that i have ever read. This is just too much of priceless Websphere Security information in too small a packet. Kudos to the link that directed me here.
http://ecommunity.groupintelligence.com/websphere/forums/showthread.php?t=2000

Unknown said...

Hi All,


I have a basic question with regards to decrypting and encrypting WAS admin passwords in XOR format

_________________________________
My workstation information

RSA 7.5
Windows XP
________________________________

I know the user name for my
WAS 6.1 server as wasadmin
password to be identified.(I don't remember it )

Now I know the path to WAS 6.1 plugin as given in the blog as

C:\SDP75\runtimes\base_v61\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200

I don't have the password nor the encrypted password.

Questions

How do I find it?

Where to find it?

What command should I use?

As per the blog

>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"


Please let me know ASAP.

Any help would be greatly appreciated.


Thanks & Best Regards

Harish

Anonymous said...

WAS 6 actually has built in scripts for encoding the passwords for the ssl.client.props and soap.client.props... I'm assuming you can use it for other file names as well...

EX: cd /path/to/was/profile
EX: cd /apps/WebSphere/AppServer/profiles/someprofile/bin

Run: ../bin/PropFilePasswordEncoder.sh filename password_variable

EX: ../bin/PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.keyStorePassword

Sai Hegde said...

awesome!!!

Anonymous said...

WebSphere 7: /usr/IBM/WebSphere/AppServer/java/jre/bin/java -Djava.ext.dirs=/WAS7/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.1.v20090422_1423/wasJars/ -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}encryptedpass=

Andy Jones said...

Here is a link to an online WebSphere password decoder:

http://www.poweredbywebsphere.com/decoder.html

Anonymous said...

This is great blog. It really helped me....... to find our forgotten password of production

Anonymous said...

really its works a lot.

Anonymous said...

There is an online decoder at this link:
http://www.poweredbywebsphere.com/decoder.html

Sha said...

Guyz - How to decode the WAS password in WAS8 ? I know abt the online decoder .but here im looking for command line
with ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder ? Is anyone decoded in WAS8?