Sunil's Notes: How to stop WAS + WPS without passing userId and password to stopserver

If admin security is enabled on the WAS server you will have to specify the user name and password when you want to stop the WAS server, You can run the following command to do that


./stopServer.sh server1 -username wasadmin -password wasadmin

For WebSphere Application Server running under a UNIX-based operating system (OS), the previously mentioned command (the UNIX equivalent) carries a serious security problem. Anybody who uses the command ps -ef while the stopServer process is running is able to see the user ID and the password.

In order to solve this problem you can follow these steps

First open the /WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props file in the text editor and change value of following three properties
com.ibm.SOAP.securityEnabled=true com.ibm.SOAP.loginUserid=wasadmin com.ibm.SOAP.loginPassword=wasadmin
The value of com.ibm.SOAP.loginUserid should be equal to the name of the wasadmin user and the value of com.ibm.SOAP.loginPassword would be equal to password for the wasadmin

Since your storing the password in plain text in the .properties file someone can read it to deal with that issue you should use the PropFilePasswordEncoder.sh command with the fully qualified file name and the name of the property that holds the password
./PropFilePasswordEncoder.sh /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props com.ibm.SOAP.loginPassword
After running this command if you open the soap.client.props file in the text editor you will notice that value of the password is encoded
com.ibm.SOAP.securityEnabled=true #------------------------------------------------------------------------------ # - authenticationTarget ( BasicAuth[default], KRB5. These are the only supported selection # on a pure client for JMX SOAP Connector Client. ) #------------------------------------------------------------------------------ com.ibm.SOAP.authenticationTarget=BasicAuth com.ibm.SOAP.loginUserid=wasadmin com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=

Restart the server and after that you wont have to use the password on the command line to stop the server

7 comments:

Unknown said...: Dear Patil,

Should we specify the username even if we specify the username in the property file?; March 30, 2011 at 12:09 AM
Gonniac said...: If you go to this page,
http://www.sysman.nl/wasdecoder/
You can easly decode the password.
So is´t so secure..; March 31, 2011 at 6:21 PM
Anonymous said...: Thanks a lot...it worked!!; March 28, 2012 at 7:25 AM
Anonymous said...: Hi sunil/team

./PropFilePasswordEncoder.sh /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props com.ibm.SOAP.loginPassword

in above command should we
run it as above is it didnt understand the last password

thanks
SAM; July 6, 2012 at 11:02 AM
Anonymous said...: Gonniac,
I would hope that file system access restricts access to the properties file so no one could get the encoded version to decode.
Any good admin would ensure this.; July 19, 2012 at 4:00 PM
Anonymous said...: Any way to stop WAS + WPS without passing userId and password to stopserver.
Also need to keep admin security enabled and cannot TYPE user-id password in soap.client.props

Thank you.; December 18, 2014 at 12:58 AM
Abhi said...: Thanks for info
Web Design Company in Bangalore
Website development in Bangalore; June 25, 2019 at 10:20 PM