Show data source / JAAS password in websphere 8.5? - websphere

I have a Data Source in a dev instance of WAS 8.5. I have no clue who knows this password. Can I show the password somehow on the websphere console?

No, you cannot. But you can look in the security.xml file in the %PROFILE_ROOT%\config...\ for JAAS aliases and decode the password if you really need it.

Related

WebSphere configuration file storage

I'm looking for information on where the JVM custom properties are stored and how they are protected. Are they encoded, encrypted, or something else?
In the case of traditional WebSphere Application Server they are stored in the server.xml file in the following location (by default): /install_root/profiles/<profile_name>/config/cells/<cellname>/nodes/<nodename>/servers/server1/server.xml
In the case of WebSphere Liberty or Open Liberty they are stored in the jvm.options file in the server directory /wlp/usr/servers/<servername>
In both cases they are in plain text.
Why would you like to encode/encrypt them?
If you want to store, for example, database credentials, then you should create a datasource and an authentication alias. The password in an authentication alias can be encoded (xor) or encrypted (aes).
Or use system environment variables to pass them at runtime and not store them in the configuration. You can pass environment variables to Docker containers via -e or in Kubernetes via Secrets/ConfigMaps.
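Added example, not from either answer above: a Python audit over a constructed security.xml fragment that classifies each authentication-alias password as plaintext, {xor} or {aes}, and shows that a {xor} value reverses with a fixed byte and no key, which is why the AES or environment-variable options are preferable. The aliases, user IDs and the {aes} value are made up; the {xor} scheme (base64 of the bytes XORed with '_') is WebSphere's documented encoding.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled on the JAASAuthData entries in a WebSphere security.xml.
# Aliases, user IDs and the {aes} value are made up for this example.
SAMPLE_SECURITY_XML = """<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <authDataEntries alias="dbAlias" userId="dbuser" password="{xor}Lz4sLCgwLTs="/>
  <authDataEntries alias="legacyAlias" userId="legacy" password="Secret123"/>
  <authDataEntries alias="hardenedAlias" userId="app" password="{aes}PLACEHOLDER_CIPHERTEXT"/>
</security:Security>"""

XOR_KEY = 0x5F  # the {xor} scheme XORs every byte with '_' before base64; fixed, not a secret


def classify(value):
    """Return the protection scheme of a stored password attribute."""
    if value.startswith("{xor}"):
        return "xor"
    if value.startswith("{aes}"):
        return "aes"
    if value.startswith("{") and "}" in value:
        return "other"
    return "plaintext"


def xor_decode(value):
    """Reverse the {xor} obfuscation. No key is involved, which is the finding the audit reports."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode()


def audit(xml_text):
    """List every authentication alias, its scheme, and whether the secret is recoverable without a key."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter("authDataEntries"):
        scheme = classify(entry.get("password", ""))
        findings.append({
            "alias": entry.get("alias"),
            "scheme": scheme,
            "recoverable_without_key": scheme in ("plaintext", "xor"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SECURITY_XML):
        flag = "REVIEW" if f["recoverable_without_key"] else "ok"
        print(f"{f['alias']:<15} {f['scheme']:<9} {flag}")
```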

Kafka Connect - GET connector API exposes password in cleartext

I am using the latest Confluent images (5.1.0) and externalized OracleDB passwords for Connect configurations in Vault. I am able to successfully register the custom config provider for Vault with the following configuration.
"connection.password": "${vault:vault_path:vault_db_password_key}"
When I do a GET connector request, the connection.password in the response is the resolved password; it is shown as such and is not hidden. But in the logs I could see it as
connection.password = [hidden]
Please let me know if this issue is handled as part of KIP-297 or if I am missing something.
Not sure if this answers your question, but there is no such credential provider for vault:. By default there is only file:, so unless you've written your own (or found one elsewhere), that won't work.

OpenDJ verify user's password option?

I know a simple LDAP bind can do user password verification. But the thing is that an application server usually uses the admin user (cn=Directory Manager) to do all CRUD operations.
For a simple bind operation, we have to create an LDAP connection bound with that specific user's DN, which is annoying.
As far as I know, ldapcompare is another alternative, but it looks like OpenDJ ldapcompare cannot compare a plain-text password (OpenDJ userPassword is encrypted).
But some LDAP browsers (Apache LDAP Studio) have a "Verify Password" feature which works very well.
Any idea?
Using cn=DirectoryManager from an application server is a security issue, pretty much like running applications as root in the Unix world.
Have you tried using the proxyAuth control?
Here are a few relevant links:
https://marginnotes2.wordpress.com/2011/06/28/opendj-proxy-auth/
https://idmdude.com/2015/03/28/opendj-and-the-fine-art-of-impersonation/

How to create user and password in existing websphere app server

I have already installed WebSphere Application Server 8.5.5 on my machine without a username and password.
But for some reason, after using it for several days without any problem, today I got a problem where I am asked to enter a username and password in one of the applications which I deployed on WAS 8.5.5.
Now how can I create a username and password in an already installed WAS 8.5.5?
If you want to disable application security, in the Security -> Global Security section, uncheck "Enable application security".
If instead you want to enable application security, configure the User account repository with one of the available realm definitions.

Websphere CWWIM6004E

I am trying to start an application in WebSphere 8, and keep on getting the following error.
From the message, it means we are missing the bindPassword, but we never had to define it in WAS 6.1.
Currently we are using a standalone LDAP registry. Does anyone have any idea where I should start looking to fix this error?
UserManagemen E com.ibm.ws.wim.management.UserManagementProcess handleNotification CWWIM6004E Initialization of the dynamic reload manager failed.
com.ibm.websphere.wim.exception.MissingInitPropertyException: CWWIM0004E The initialization property 'bindPassword' is missing from the configuration.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeEnvironmentProperties(LdapConnection.java:1947)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeServers(LdapConnection.java:1904)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initialize(LdapConnection.java:1832)
at com.ibm.ws.wim.adapter.ldap.LdapAdapter.initialize(LdapAdapter.java:235)
at com.ibm.ws.wim.RepositoryManager.initialize(RepositoryManager.java:610)
at com.ibm.ws.wim.RepositoryManager.<init>(RepositoryManager.java:131)
Regarding "... never had to define it in WAS 6.1":
The requirement for an LDAP bind password is enforced by the LDAP server; this is not a WAS requirement.
If in fact you didn't define it in WAS v6.1, the LDAP server in use for WAS v6.1 didn't require it.
Based on the error, you've either changed LDAP servers or the LDAP server configuration has changed (or both).
As mentioned in the other post, you can troubleshoot this using a tool like ldapsearch.
The technote at http://www-01.ibm.com/support/docview.wss?uid=swg21470063 discusses obtaining a "must gather" and troubleshooting these types of issues (refer to the "collecting data manually" section).
You must check your LDAP connection to the LDAP server.
Use the IBM WebSphere Console, Security settings, LDAP, and take note of the LDAP connection settings.
Use a tool like ldapsearch in order to check the connection via the shell command line.
It is possible that this bind password is not correct.
If you are using a Novell eDirectory Server you must pay special attention to the bind user creation (the password field).