All Things WebSphere

Concerns and issues relating to all versions of WebSphere Application Server

Tuesday, September 13, 2011

IBM WebSphere security questions

Today's blog post is a gem from WAS Senior Software Engineer Fred Rowe. We often get questions related to malicious data source access. Some of these include how users with wsadmin access can be prevented from gathering or pulling datasource credentials for database access, and how to separate intentional from unintentional access to customer data.

There are two primary ways to secure WebSphere datasources, and each method has a user name and password associated with it. In both cases, if displayed from either the admin console or wsadmin, the password value is either:
  • obscured by dots
  • obscured by asterisks
  • displayed in encoded form
1. Using datasource custom properties: 
This method is vendor-specific, based on the JDBC provider associated with the datasource. Typically, JDBC drivers support the custom properties user and password. If a custom property named password is created, its value will be obscured in the WAS admin console Data sources > datasource_name > Custom properties list page as follows:

[screenshot: Custom properties list page for the datasource]

Note that the property named pwd is not obscured. Similarly, on the WAS admin console Data sources > datasource_name > Custom properties > password details page, the XOR-encoded version of the password is displayed:

[screenshot: password custom property details page]

And finally, if the password property is examined from wsadmin, the XOR-encoded version of the password is displayed:
wsadmin>pwd = AdminConfig.getid("/DataSource:datasource_name/J2EEResourcePropertySet:/J2EEResourceProperty:password/")
wsadmin>print AdminConfig.showAttribute(pwd, "value")
{xor}MiYvPiwsKDAtOw==
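The value above is only obscured, not encrypted: WebSphere's {xor} scheme XORs each byte of the password with the underscore character (0x5F) and base64-encodes the result, so anyone who can read it through wsadmin can reverse it. The Python below is an added illustration, not part of Fred Rowe's post and not IBM code; it runs offline with a constructed property list (the user, pwd and URL values are made up) and does two things: it round-trips the {xor} encoding to show why read access to the configuration is equivalent to knowing the password, and it audits a datasource's custom properties the way a reviewer would, flagging credential-like names that are not exactly `password` (and so are shown in the clear, as with `pwd` above) and values that are only {xor}-obscured.

```python
import base64
import re

# WebSphere {xor} encoding: each byte XORed with '_' (0x5F), then base64.
XOR_KEY = 0x5F
XOR_PREFIX = "{xor}"


def xor_encode(plaintext: str) -> str:
    """Produce the {xor}... form WAS stores in its configuration."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return XOR_PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode; demonstrates that the scheme is reversible, not secret."""
    if not encoded.startswith(XOR_PREFIX):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(encoded[len(XOR_PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


# Property names that usually carry a credential. Only the exact name
# "password" is obscured by the admin console; anything else is displayed as-is.
CREDENTIAL_NAME = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def audit_custom_properties(props):
    """props: list of (name, value) pairs as they would be read from wsadmin.

    Returns a list of (property_name, reason) findings for a reviewer.
    """
    findings = []
    for name, value in props:
        if not CREDENTIAL_NAME.search(name):
            continue
        if name != "password":
            findings.append((name, "credential-like property not named 'password'; "
                                   "the console shows its value in the clear"))
        if value.startswith(XOR_PREFIX):
            findings.append((name, "value is only {xor}-obscured; reversible by anyone "
                                   "who can read the configuration via wsadmin"))
        else:
            findings.append((name, "value stored in clear text"))
    return findings


# Constructed sample: what a datasource's custom property set might contain.
# The password value is the encoded string from the wsadmin session above.
SAMPLE_PROPS = [
    ("user", "dbuser"),
    ("password", "{xor}MiYvPiwsKDAtOw=="),
    ("pwd", "Passw0rd!"),
    ("URL", "jdbc:db2://dbhost:50000/SAMPLE"),
]

if __name__ == "__main__":
    for prop_name, reason in audit_custom_properties(SAMPLE_PROPS):
        print(f"{prop_name}: {reason}")
```

The audit reports the `password` property as merely obscured and the `pwd` property twice (wrong name, clear-text value). The practical consequence for the original question is that obscuring in the console does not limit who can obtain the credential; what limits it is which users are allowed to read the configuration through the console or wsadmin at all, and using the JAAS - J2C authentication alias approach described next rather than a custom property.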

2. Using JAAS - J2C authentication aliases:
If a JAAS auth alias is created for the datasource, the password of the alias is obscured on the WAS admin console Data sources > datasource_name > JAAS - J2C authentication data > myAlias details page:

[screenshot: JAAS - J2C authentication data details page for myAlias]

Similarly, if the value of the password attribute of an auth alias object is examined from wsadmin:
wsadmin>authAlias = AdminConfig.getid("/JAASAuthData:myAlias/")
wsadmin>print AdminConfig.showAttribute(authAlias, "password")
*****
