Today's blog post is a gem from WAS Senior Software Engineer Fred Rowe. We often get questions related to malicious data source access. Some these include how users with wadmin can access be prevented from gathering or pulling datasource credentials for database access. How to segment the access from intentional and un-intential access to customer data.
There are two primary ways to secure WebSphere datasources, each method has a user name and password associated with it. In both cases, if displayed from either the admin console or wsadmin, the password value is either:
There are two primary ways to secure WebSphere datasources, each method has a user name and password associated with it. In both cases, if displayed from either the admin console or wsadmin, the password value is either:
- obscured by dots
- obscured by asterisks
- displayed in encoded form
1. Using datasource custom properties:
This method is vendor-specific based on the JDBC provider associated with the datasource. Typically, JDBC drivers support the custom properties userand password. If a custom property named password is created, it's value will be obscured in the WAS admin console Data sources > datasource_name > Custom properties list page as follows:
Note that the property named pwd is not obscured. Similarly, on the WAS admin console Data sources > datasource_name > Custom properties > password details page, the XOR-encoded version of the password is displayed:
And finally, if the password property is examined from wsadmin, the XOR-encoded version of the password is displayed:
Note that the property named pwd is not obscured. Similarly, on the WAS admin console Data sources > datasource_name > Custom properties > password details page, the XOR-encoded version of the password is displayed:
And finally, if the password property is examined from wsadmin, the XOR-encoded version of the password is displayed:
wsadmin>pwd = AdminConfig.getid("/DataSource:datasource_name/J2EEResourcePropertySet:/J2EEResourceProperty:password/")
wsadmin>print AdminConfig.showAttribute(pwd, "value")
{xor}MiYvPiwsKDAtOw==
2. Using JAAS - J2C authentication aliases:
If a JAAS auth alias is created for the datasource, the password of the alias is obscured on the WAS admin console Data sources > datasource_name > JAAS - J2C authentication data > myAlias details page:
Similarly, if the value of the password attribute of an auth alias object is examined from wsadmin:
wsadmin>print AdminConfig.getid("/JAASAuthData:/")
wsadmin>print AdminConfig.showAttribute(authAlias, "password")
*****
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.