WSAdmin security hardening

When you execute the wsadmin script you have to pass the username and password for the user as command-line parameters. But one of my clients had a hardening requirement that we should not pass the user name and password on the command line, because anyone running ps at the same time could see the command-line parameters. Since I was writing an automation script, I could not prompt the user for the user name and password. So I set the following things:


  • Change the \profiles\AppSrv01\properties\soap.client.properties file:
    set the value of the com.ibm.SOAP.loginUserid property to the user ID of the admin user, the value of the com.ibm.SOAP.loginPassword property to the password of the admin user, and then set the value of the com.ibm.SOAP.loginSource property to blank.

    com.ibm.SOAP.loginUserid=wasadmin
    com.ibm.SOAP.loginPassword=wasadmin

    #------------------------------------------------------------------------------
    # SOAP Login Prompt
    #
    # The auto prompting will happen only if all of the following are met:
    #
    # - Running from a SOAP client
    # - Server is reachable and server security is enabled
    # - Username and password are not provided either on command line or in this
    # file
    # - com.ibm.SOAP.loginSource below is set to either "stdin" or "prompt"
    #
    # stdin: prompt in command window
    # prompt: GUI dialog box; falls back to stdin if GUI not allowed
    #
    # (So to disable auto prompting, set loginSource to nothing)
    #------------------------------------------------------------------------------
    com.ibm.SOAP.loginSource=


  • Now the password is stored in plain text, which is a security problem, so use the PropFilePasswordEncoder utility to encode the admin user password in the soap.client.properties file.
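
An added example, not part of the original post: a Python check that an automation job can run before invoking wsadmin, confirming the three settings above and that the password has been encoded. The `{xor}` prefix test assumes the default output of PropFilePasswordEncoder, and because that encoding is reversible obfuscation rather than encryption, the check also flags a file mode that lets group or other users reach the file (Unix only). The function names and sample values are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_properties(text):
    # Minimal key=value parser: skips blank lines and # / ! comment lines.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_soap_client(path):
    """Return a list of findings for a soap.client.properties file."""
    with open(path, encoding="iso-8859-1") as fh:
        props = parse_properties(fh.read())
    findings = []
    if not props.get("com.ibm.SOAP.loginUserid"):
        findings.append("loginUserid is empty: credentials would go on the command line")
    password = props.get("com.ibm.SOAP.loginPassword", "")
    if not password:
        findings.append("loginPassword is empty")
    elif not password.startswith("{xor}"):  # assumed default encoder prefix
        findings.append("loginPassword is plain text: run PropFilePasswordEncoder")
    if props.get("com.ibm.SOAP.loginSource", ""):
        findings.append("loginSource is set: an unattended script may block on a prompt")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # meaningful on Unix only
        findings.append("file mode %o lets group/other access the credentials" % mode)
    return findings

def audit_sample(password, mode):
    """Audit a constructed file that mirrors the settings shown in the post."""
    sample = ("com.ibm.SOAP.loginUserid=wasadmin\n"
              "com.ibm.SOAP.loginPassword=%s\n"
              "com.ibm.SOAP.loginSource=\n" % password)
    fd, path = tempfile.mkstemp(suffix=".properties")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
        return audit_soap_client(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("\n".join(audit_sample("wasadmin", 0o644)))
```
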
