Commit

Merge pull request #7485 from OpenLiberty/7469-custom-password-encryption-feature

7469-Custom-password-encryption-change-3
ramkumar-k-9286 authored Aug 23, 2024
2 parents 5a9057c + 38a54b8 commit 3f9c4a0
Showing 1 changed file with 10 additions and 19 deletions.
29 changes: 10 additions & 19 deletions modules/ROOT/pages/custom-password-encryption.adoc
Expand Up @@ -37,8 +37,9 @@ The server name in this example is `test`.
| https://https//www.ibm.com/support/pages/system/files/inline-files/customEncryption.jar[customEncryption.jar]
| This file instructs `securityUtility` to use the custom feature.
|===

NOTE: If your uploaded files have different names, rename them to match the names listed in the table.
+

3. Update `server.xml`. +
Edit the `server.xml` to include the custom encryption feature and configure the keystore.
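
Review bot: The download link in the table row for `customEncryption.jar` is malformed: `https://https//www.ibm.com/...` has a doubled scheme, so the host parses as `https` and the link does not resolve. Since this is the artifact readers install as a security feature, the link should point directly at the intended source, presumably `https://www.ibm.com/support/pages/system/files/inline-files/customEncryption.jar`. While this table is being touched, check the other rows for the same pattern.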

Expand Down Expand Up @@ -66,23 +67,21 @@ Edit the `server.xml` to include the custom encryption feature and configure the
</server>
----

+
4. Start the server +
Start the server using the following command.

[source,bash]
----
server start test
----
+

Verify that the keystore (`key.p12`) is created in `wlp\usr\servers\test\resources\security` and can be accessed using the specified password.
+

[source,bash]
----
keytool -list -keystore key.p12 -storepass secret -storetype PKCS12
----

+
5. Verify custom password encryption service +
Check the `messages.log` file to confirm that the custom password encryption service has started. Look for entries similar to the following.
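
Review bot: The verification command in step 4, `keytool -list -keystore key.p12 -storepass secret -storetype PKCS12`, puts the keystore password on the command line, where it ends up in shell history and is visible in the process list. Suggest dropping `-storepass` from the example so that `keytool` prompts for the password, or adding a sentence that `secret` is a sample value that must not be reused. Separately, the path `wlp\usr\servers\test\resources\security` uses Windows separators while the surrounding blocks are tagged `bash`; pick one convention.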

Expand All @@ -93,21 +92,18 @@ Check the `messages.log` file to confirm that the custom password encryption ser
[2/11/21 16:56:52:776 EST] 0000002d com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: The server installed the following features: [appSecurity-2.0, appSecurity-3.0, beanValidation-2.0, cdi-2.0, distributedMap-1.0, ejbLite-3.2, el-3.0, jaspic-1.1, jaxrs-2.1, jaxrsClient-2.1, jdbc-4.2, jndi-1.0, jpa-2.2, jpaContainer-2.2, jsf-2.3, jsonb-1.0, jsonp-1.1, jsp-2.3, managedBeans-1.0, servlet-4.0, ssl-1.0, usr:customEncryption-1.0, webProfile-8.0, websocket-1.1].
----

+
6. Stop the server +
6. Stop the server. +
Stop the server with the following command.

[source,bash]
----
server stop test
----

+
7. Encrypt the password +
7. Encrypt the password. +
Unlike traditional WebSphere, enabling custom password encryption in Open Liberty does not automatically encrypt passwords in `server.xml`. Use the `securityUtility` command to encrypt passwords manually.

+
8. Confirm custom encryption is enabled +
8. Confirm custom encryption is enabled. +
Run the following command to list custom encryption encodings.

[source,bash]
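
Review bot: Step 7 ("Encrypt the password") tells the reader to use `securityUtility` to encrypt passwords manually but gives no command, and step 8 then moves on to `--listCustom`. As written, a reader cannot complete step 7 on its own. Suggest turning the step 7 text into a NOTE ahead of the later encode step, or moving the encode command up into it, so that each numbered step carries exactly one action.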
Expand All @@ -116,28 +112,24 @@ securityUtility encode --listCustom
[{"name":"custom","featurename":"usr:customEncryption-1.0","description":"%description"}]
----
+

Ensure that `custom` is listed as an available encoding.

+
9. Encode and update password +
9. Encode and update password. +
Encrypt the password using the following command.

[source,bash]
----
securityUtility encode --encoding=custom secret
{custom}OhT339Bw3wymUcP92Mkz+Q==
----

Replace the plain text password in `server.xml` with the encrypted one.
Replace the plain text password in `server.xml` with the encrypted one.

[source,xml]
----
<keyStore id="defaultKeyStore" password="{custom}OhT339Bw3wymUcP92Mkz+Q==" />
----

+
10. Restart the server. +
Start the server again to ensure that the keystore opens successfully with the encrypted password.
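
Review bot: In step 9, `securityUtility encode --encoding=custom secret` passes the clear-text password as a command argument, so following the example verbatim leaves the password in shell history. Suggest a short note next to the command saying so and marking `secret` as a sample value. Also, the sample `--listCustom` output at the top of this hunk shows `"description":"%description"`, which looks like an unresolved placeholder; either explain that this is expected or replace it with the resolved text.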

Expand All @@ -147,4 +139,3 @@ Start the server again to ensure that the keystore opens successfully with the e
----

For more information on password encryption limitations, see the xref:password-encryption.adoc[Password encryption limitations].
