How to stop WAS + WPS without passing userId and password to stopserver

If admin security is enabled on the WAS server, you have to specify the user name and password when you stop the server. You can run the following command to do that:

./stopServer.sh server1 -username wasadmin -password wasadmin


For WebSphere Application Server running under a UNIX-based operating system (OS), the previously mentioned command (the UNIX equivalent) carries a serious security problem. Anybody who uses the command ps -ef while the stopServer process is running is able to see the user ID and the password.

To solve this problem, follow these steps:

  1. First open the /WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props file in a text editor and change the values of the following three properties:

    com.ibm.SOAP.securityEnabled=true
    com.ibm.SOAP.loginUserid=wasadmin
    com.ibm.SOAP.loginPassword=wasadmin

    The value of com.ibm.SOAP.loginUserid should be the name of the wasadmin user, and the value of com.ibm.SOAP.loginPassword should be the password for wasadmin.


  2. Since you're storing the password in plain text in the .properties file, someone can read it. To deal with that issue, use the PropFilePasswordEncoder.sh command with the fully qualified file name and the name of the property that holds the password:

    ./PropFilePasswordEncoder.sh /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props com.ibm.SOAP.loginPassword

    After running this command, if you open the soap.client.props file in a text editor you will notice that the value of the password is encoded:

    com.ibm.SOAP.securityEnabled=true

    #------------------------------------------------------------------------------
    # - authenticationTarget ( BasicAuth[default], KRB5. These are the only supported selection
    # on a pure client for JMX SOAP Connector Client. )
    #------------------------------------------------------------------------------
    com.ibm.SOAP.authenticationTarget=BasicAuth

    com.ibm.SOAP.loginUserid=wasadmin

    com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=



  3. Restart the server. After that you won't have to use the password on the command line to stop the server.
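
Steps 1 and 2 leave a credential on disk, so the file's permissions matter as much as the encoding. The script below is an added example, not part of the original post or IBM tooling: it checks a soap.client.props file for owner-only permissions, security enabled, and an encoded rather than plaintext password. The function names soap_prop and audit_soap_props are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's or the post's code: audit soap.client.props.

# Print the value of the last assignment of property $2 in file $1.
soap_prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
        END { print v }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_soap_props() {
    props=$1
    findings=0
    [ -f "$props" ] || { echo "MISSING: $props"; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$props" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "PERMS: group/other bits are '$go_bits'; restrict to the owner (chmod 600)"
        findings=$((findings + 1))
    fi

    if [ "$(soap_prop "$props" com.ibm.SOAP.securityEnabled)" != "true" ]; then
        echo "CONFIG: com.ibm.SOAP.securityEnabled is not true"
        findings=$((findings + 1))
    fi

    # Never echo the value itself; only report whether it carries the {xor} tag.
    case $(soap_prop "$props" com.ibm.SOAP.loginPassword) in
        "")        echo "INFO: com.ibm.SOAP.loginPassword is empty" ;;
        "{xor}"*)  echo "INFO: password is {xor}-encoded (obfuscated, not encrypted)" ;;
        *)         echo "PLAINTEXT: password is not encoded; run PropFilePasswordEncoder.sh"
                   findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Usage: sh audit_soap_props.sh /path/to/soap.client.props
if [ $# -gt 0 ]; then audit_soap_props "$1"; fi
```

A return status of 0 means no findings; run it as the account that owns the profile so the permission check reflects what other users on the host can read.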

7 comments:

  1. Dear Patil,

    Should we specify the username even if we specify the username in the property file?

  2. If you go to this page,
    http://www.sysman.nl/wasdecoder/
    You can easily decode the password.
    So it isn't so secure.

  3. Thanks a lot...it worked!!

  4. Hi sunil/team

    ./PropFilePasswordEncoder.sh /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/soap.client.props com.ibm.SOAP.loginPassword

    in above command should we
    run it as above is it didn't understand the last password


    thanks
    SAM

  5. Gonniac,
    I would hope that file system access restricts access to the properties file so no one could get the encoded version to decode.
    Any good admin would ensure this.

  6. Any way to stop WAS + WPS without passing userId and password to stopserver.
    Also need to keep admin security enabled and cannot TYPE user-id password in soap.client.props

    Thank you.
