Wednesday, July 12, 2006

Recovering passwords from WebSphere

WebSphere stores passwords for datasources, security aliases, etc. in an obfuscated form in its configuration files (security.xml, resources.xml and the like). The form, recognisable by its "{xor}" prefix, is not encryption in any meaningful sense: each byte of the password is XORed with a fixed constant and the result is Base64-encoded, which is enough to stop casual snooping and nothing more. Anyone who can read the configuration file can recover every password in it, so the file permissions on the profile's config directory are the real control. (In contrast WebLogic encrypts its configuration passwords with triple-DES.)

(To be precise, IBM says WebSphere "encodes" passwords, not encrypts them.)

When you forget the password to your development database it is useful to be able to decode these {xor} values. Fortunately IBM ship the classes that encode and decode them (although they probably did not intend them for general use).

So let's encode the password "secret":

WebSphere 5.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"


WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar:ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"


and to decode (don't forget to prefix the encoded value with "{xor}", otherwise the decoder rejects it):

WebSphere 5.x


> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"


WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar:ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"
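
The whole scheme fits in a few lines, which is really the point of this post. The Python below is an added example and not IBM's code: it re-implements the {xor} encoding (each byte XORed with the fixed constant 0x5F, then Base64, which is exactly what turns "secret" into "{xor}LDo8LTor" above) and then walks a constructed security.xml fragment to list every credential that a reader of the file can recover. The XML fragment, the aliases and the second password ("db2inst1") are made up for the example, and treating the password as UTF-8 is an assumption, since IBM's class works on Java chars rather than bytes.

```python
import base64
import re
import xml.etree.ElementTree as ET

# WebSphere's {xor} scheme: each byte of the password is XORed with the fixed
# constant 0x5F ('_') and the result is Base64-encoded. The key never changes,
# so anyone who can read the config file can recover every password in it.
XOR_KEY = 0x5F
PREFIX = "{xor}"


def xor_encode(password: str) -> str:
    """Produce the value WebSphere writes into its config files (UTF-8 assumed)."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return PREFIX + base64.b64encode(masked).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode; like IBM's PasswordDecoder, the {xor} prefix is required."""
    if not encoded.startswith(PREFIX):
        raise ValueError("expected a value starting with {xor}")
    masked = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in masked).decode("utf-8")


# Matches a complete {xor} value: prefix, Base64 body, optional '=' padding.
ENCODED_RE = re.compile(r"\{xor\}[A-Za-z0-9+/]*={0,2}")


def find_encoded_passwords(xml_text: str):
    """Walk every element and attribute of a WebSphere config file and return
    (element tag, alias/userId/name label, attribute name, decoded password)
    for every attribute that holds a {xor} value, in document order."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        label = elem.get("alias") or elem.get("userId") or elem.get("name")
        for attr, value in elem.attrib.items():
            if ENCODED_RE.fullmatch(value):
                hits.append((elem.tag, label, attr, xor_decode(value)))
    return hits


# Constructed security.xml fragment (not a real file): two JAAS auth data
# entries of the kind that back datasource aliases. "db2inst1" is a made-up password.
SAMPLE_SECURITY_XML = """<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <authDataEntries alias="devdb" userId="dbuser" password="{xor}LDo8LTor"/>
  <authDataEntries alias="ldapbind" userId="cn=bind,o=example" password="{xor}Oz1tNjEsK24="/>
</security:Security>
"""


if __name__ == "__main__":
    print(xor_encode("secret"))  # {xor}LDo8LTor, as in the post
    for tag, label, attr, plain in find_encoded_passwords(SAMPLE_SECURITY_XML):
        print(f"{tag} {label}: {attr} = {plain!r}")
```

Point `find_encoded_passwords` at a real profile's security.xml or resources.xml (read as text) and it enumerates every reversible credential in the file; that is the audit worth running before deciding who gets read access to the config directory.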


UPDATE: IBM have heard the complaints about poor password protection and from WebSphere 6.0.2 onwards provide hooks that let you plug in your own password encryption. One step forward, although whatever key your implementation uses still has to live somewhere the server can read it, so this raises the bar rather than removing the problem.

23 comments:

  1. That's awesome!!

    Would like to keep watching your blog for any such further info.

    Thanks

    BP

    ReplyDelete
  2. It does not appear to work for 6.1 - any ideas?

    ReplyDelete
  3. I do not have access to a WAS 6.1 at the moment. Does the main() method not exist any more, or is a dependent class missing from the classpath? Got a stack trace?

    ReplyDelete
  4. For WAS 6.1, do the following:

    To encode:

    C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder secret
    decoded password == "secret", encoded password == "{xor}LDo8LTor"

    To decode:

    C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
    encoded password == "{xor}LDo8LTor", decoded password == "secret"

    Change C:\IBM\WAS61 as needed.

    Enjoy!

    ReplyDelete
  5. The full directory has been truncated. Here it is, split line by line:


    C:\
    IBM\
    WAS61\
    AppServer\
    bin\
    ProfileManagement\
    plugins\
    com.ibm.websphere.v61_6.1.200

    ReplyDelete
  6. Awesome, thanks for the WAS 6.1 example.

    ReplyDelete
  7. I do not see "com.ibm.websphere.v61_6.1.200" in plugins directory.

    I use WAS ND 6.1.0.15.

    So I am unable to use the WAS 6.1 encode or decode methodology provided here.

    ReplyDelete
  8. OK, there are two plugins directories.

    The plugins directory under ${WAS_HOME} does not have "com.ibm.websphere.v61_6.1.200". When I searched for "com.ibm.websphere.v61_6.1.200", I found it under the ${WAS_HOME}/deploytool/itp/plugins directory.

    So I guess for different versions it's at a different location.
    Anyways thanks guys...

    ReplyDelete
  9. Just wanted to share how it worked for me.

    WebSphere 6.1.x:

    To Encrypt:

    /opt/WebSphere/DeploymentManager/deploytool/itp/plugins>${WAS_HOME}/java/bin/java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder secret
    decoded password == "secret", encoded password == "{xor}LDo8LTor"

    To Decrypt:

    /opt/WebSphere/DeploymentManager/deploytool/itp/plugins>${WAS_HOME}/java/bin/java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
    encoded password == "{xor}LDo8LTor", decoded password == "secret"

    ReplyDelete
  10. Did anyone try to break the password from the fileRegistry.xml file in WAS 6.1 (VMM)?

    ReplyDelete
  11. For the curious, the file repository is stored under your profile in: $WAS_HOME\profiles\profileName\config\cells\cellName\fileRegistry.xml. This file contains user and group identifiers, including the encrypted passwords for the user entries. The password for a user is encrypted using a one-way hash by applying the message digest algorithm specified in the VMM configuration file (wimconfig.xml). The default value for the message digest algorithm is SHA-1. The algorithm can be updated to a different value using the wsadmin command updateIdMgrFileRepository. One of the parameters you can use with this command is messageDigestAlgorithm.

    From: http://www.ibm.com/developerworks/websphere/techjournal/0701_ilechko/0701_ilechko.html

    ReplyDelete
  12. Is there a way to encode and decode passwords programmatically as well?

    ReplyDelete
  13. The amount of code to encode/decode passwords is small, but it is proprietary IBM and therefore not in the public domain.

    I won't mention tools like JAD...

    ReplyDelete
  14. One of the best posts that I have ever read. This is just too much priceless WebSphere security information in too small a packet. Kudos to the link that directed me here.
    http://ecommunity.groupintelligence.com/websphere/forums/showthread.php?t=2000

    ReplyDelete
  15. Hi All,


    I have a basic question with regards to decrypting and encrypting WAS admin passwords in XOR format

    _________________________________
    My workstation information

    RSA 7.5
    Windows XP
    ________________________________

    I know the user name for my WAS 6.1 server as wasadmin; the password is to be identified (I don't remember it).

    Now I know the path to WAS 6.1 plugin as given in the blog as

    C:\SDP75\runtimes\base_v61\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200

    I don't have the password nor the encrypted password.

    Questions

    How do I find it?

    Where to find it?

    What command should I use?

    As per the blog

    >C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
    encoded password == "{xor}LDo8LTor", decoded password == "secret"


    Please let me know ASAP.

    Any help would be greatly appreciated.


    Thanks & Best Regards

    Harish

    ReplyDelete
  16. WAS 6 actually has built-in scripts for encoding the passwords for the ssl.client.props and soap.client.props... I'm assuming you can use it for other file names as well...

    EX: cd /path/to/was/profile
    EX: cd /apps/WebSphere/AppServer/profiles/someprofile/bin

    Run: ../bin/PropFilePasswordEncoder.sh filename password_variable

    EX: ../bin/PropFilePasswordEncoder.sh ssl.client.props com.ibm.ssl.keyStorePassword

    ReplyDelete
  17. WebSphere 7: /usr/IBM/WebSphere/AppServer/java/jre/bin/java -Djava.ext.dirs=/WAS7/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.1.v20090422_1423/wasJars/ -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}encryptedpass=

    ReplyDelete
  18. Here is a link to an online WebSphere password decoder:

    http://www.poweredbywebsphere.com/decoder.html

    ReplyDelete
  19. This is a great blog. It really helped me to find our forgotten production password.

    ReplyDelete
  20. Really, it works a lot.

    ReplyDelete
  21. There is an online decoder at this link:
    http://www.poweredbywebsphere.com/decoder.html

    ReplyDelete
  22. Guys - how do I decode the WAS password in WAS 8? I know about the online decoder, but here I'm looking for a command line
    with ws_runtime.jar com.ibm.ws.security.util.PasswordEncoder. Has anyone decoded in WAS 8?

    ReplyDelete