Protecting passwords

When you run administrative tasks, make sure you do not pass the admin user ID and password on the command line. Anyone on the machine who lists the running processes at that moment (for example with ps) can read the password straight out of the process arguments.

We mainly use the following tools for Portal administration, and each of them offers a way to avoid putting the password on the command line:

  • ConfigEngine: ConfigEngine tasks need the Portal and WAS admin passwords. Instead of passing them on the command line, set the WAS admin password as the value of the WasPassword property and the Portal admin password as the value of the PortalAdminPwd property (in wkplc.properties). Once your script has run, do not forget to remove the passwords from the configuration files again, which is a two-step process:

    1. First clean up the work directories created during configuration by running the ConfigEngine.sh cleanup-work-dir task (ConfigEngine.bat on Windows).

    2. Then remove the passwords from wkplc.properties and wkplc_comp.properties by running the ConfigEngine.sh delete-passwords task.

    ConfigEngine is run several times during installation and creates work directories each time; the admin password may be left behind in one of those files, so it is highly recommended that you run these two tasks after installation as well, not only after your own scripts.

  • XMLAccess: xmlaccess needs the Portal admin user's password. Instead of passing it with the -user and -password command-line parameters, use the -askForCredential parameter and xmlaccess will prompt you for the password.

  • wpscript: wpscript also needs the admin user name and password, but if you do not pass them as command-line parameters it prompts for them when it connects to the server. Use that option.

  • stopServer: Do not pass the user name and password as command-line parameters; let stopServer.sh prompt you for them.
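The ConfigEngine procedure above (set WasPassword and PortalAdminPwd, run the task, then cleanup-work-dir and delete-passwords) is easy to get wrong when a task fails halfway and the cleanup never runs. The wrapper below is an added example, not IBM's code and not from the original post: it reads the passwords from the terminal instead of the command line, writes them into wkplc.properties, runs one task, and scrubs the passwords from an EXIT trap so they are removed whether the task succeeded, failed or was interrupted, then verifies that nothing is left. PORTAL_HOME, the ConfigEngine paths and the task name are placeholders for your environment; the only things taken from the post are the two property names and the two cleanup tasks.

```shell
#!/bin/sh
# Added example (not IBM's code): run one ConfigEngine task without ever
# putting the admin passwords on a command line, and remove them from
# wkplc.properties afterwards even if the task fails.
# Assumptions: WasPassword and PortalAdminPwd are the property names (as in
# the post); PORTAL_HOME, the ConfigEngine paths and the task name are
# placeholders for your environment.
set -eu
umask 077   # a temporary copy of the properties file must not be world-readable

PORTAL_HOME="${PORTAL_HOME:-/opt/IBM/WebSphere/wp_profile}"   # assumption
PROPS="${PROPS:-$PORTAL_HOME/ConfigEngine/properties/wkplc.properties}"
CE="${CE:-$PORTAL_HOME/ConfigEngine/ConfigEngine.sh}"
PASSWORD_KEYS="WasPassword PortalAdminPwd"

# set_prop FILE KEY VALUE: set KEY=VALUE in a Java properties file, appending
# the key if it is absent. The value is handed to awk through the environment
# rather than with awk -v, so backslashes in a password are not mangled and
# the password never appears in an argument list.
set_prop() {
    k="$2" v="$3" awk 'BEGIN { FS = OFS = "=" }
        $1 == ENVIRON["k"] { $0 = ENVIRON["k"] "=" ENVIRON["v"]; seen = 1 }
        { print }
        END { if (!seen) print ENVIRON["k"] "=" ENVIRON["v"] }' "$1" > "$1.tmp"
    cat "$1.tmp" > "$1"      # rewrite in place to keep the file's owner and mode
    rm -f "$1.tmp"
}

# strip_passwords FILE: blank every password property (the same effect that
# delete-passwords has for the keys it knows about)
strip_passwords() {
    for key in $PASSWORD_KEYS; do
        set_prop "$1" "$key" ""
    done
}

# leaked_password_keys FILE: print each password key that still has a value
leaked_password_keys() {
    for key in $PASSWORD_KEYS; do
        grep "^$key=." "$1" | cut -d= -f1
    done
}

# prompt_secret PROMPT: read a secret from the terminal with echo turned off
prompt_secret() {
    printf '%s' "$1" >&2
    stty -echo </dev/tty
    read -r secret </dev/tty
    stty echo </dev/tty
    echo >&2
    printf '%s' "$secret"
}

# scrub: registered as the EXIT trap, so the passwords are removed whether the
# task succeeded, failed or was interrupted
scrub() {
    if [ -x "$CE" ]; then
        "$CE" cleanup-work-dir >/dev/null 2>&1 || true
        "$CE" delete-passwords >/dev/null 2>&1 || true
    fi
    strip_passwords "$PROPS"                 # belt and braces: blank them ourselves too
    left=$(leaked_password_keys "$PROPS")
    if [ -n "$left" ]; then
        echo "WARNING: password still present in $PROPS for: $left" >&2
        exit 1
    fi
}

main() {
    task=${1:?usage: RUN_CONFIG_TASK=1 $0 <ConfigEngine-task>}
    # Never do: "$CE" "$task" -DWasPassword=...  ; `ps -eo args` shows every
    # argument of every process to every local user.
    was_pw=$(prompt_secret 'WAS admin password: ')
    portal_pw=$(prompt_secret 'Portal admin password: ')
    trap scrub EXIT
    set_prop "$PROPS" WasPassword "$was_pw"
    set_prop "$PROPS" PortalAdminPwd "$portal_pw"
    "$CE" "$task"
}

# The live run is gated behind an environment variable so the functions above
# can be sourced or tested without touching a real portal.
if [ "${RUN_CONFIG_TASK:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as RUN_CONFIG_TASK=1 ./run_config_task.sh some-task. The scrub step still calls the two ConfigEngine tasks, because they also clean the work directories and wkplc_comp.properties, which this script does not touch; blanking the two properties directly is an extra check that makes the result verifiable even if one of the tasks fails.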
In addition, the password may be stored in some WAS client files such as sas.client.props and soap.client.props. You can use the PropFilePasswordEncoder command to XOR-encode the passwords in these files. But XOR encoding is obfuscation, not encryption: anyone who can read the file can decode the value, so restrict the file permissions on these files and, for a more robust solution, plug in your own password encoder instead of relying on the default {xor} encoding.
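To see what the {xor} encoding from PropFilePasswordEncoder actually protects against, the following added example (not IBM's code and not from the original post) decodes it with nothing but coreutils. It assumes, and states as an assumption, that the {xor} scheme XORs every byte of the plaintext with '_' (0x5F) and base64-encodes the result; the sample soap.client.props lines in the test are constructed, and the property names com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword are the ones found in that file.

```shell
#!/bin/sh
# Added example (not IBM's code): {xor} is obfuscation, not encryption.
# Assumption, stated as such: WebSphere's {xor} scheme XORs every byte of the
# plaintext with '_' (0x5F) and base64-encodes the result. Given that, anyone
# who can read soap.client.props can recover the plaintext with coreutils.
set -eu

# xor_bytes: read decimal byte values on stdin, emit each byte XORed with 0x5F
xor_bytes() {
    for b in $(cat); do
        printf "\\$(printf '%03o' $((b ^ 95)))"
    done
}

# xor_decode '{xor}BASE64' -> plaintext
xor_decode() {
    enc=${1#'{xor}'}
    printf '%s' "$enc" | base64 -d | od -An -v -tu1 | xor_bytes
}

# xor_encode PLAINTEXT -> '{xor}BASE64' (the form PropFilePasswordEncoder writes)
xor_encode() {
    printf '{xor}%s' "$(printf '%s' "$1" | od -An -v -tu1 | xor_bytes | base64 | tr -d '\n')"
}

# decode_xor_props FILE: print every {xor}-encoded property in the file in plaintext,
# i.e. what any local user with read access to the file can learn from it
decode_xor_props() {
    grep '={xor}' "$1" | while IFS='=' read -r key enc; do
        printf '%s=%s\n' "$key" "$(xor_decode "$enc")"
    done
}
```

Running decode_xor_props against your own soap.client.props and sas.client.props makes the point concrete: the encoding only stops a password being read at a glance. The real control is that those files are readable only by the user WAS runs as (chmod 600), and that truly sensitive installations replace the default encoder with their own.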
