From 38a54b82dd7791f911191e5497fcd89632ad4281 Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Fri, 23 Aug 2024 17:27:15 +0530 Subject: [PATCH] 7469-Custom-password-encryption-change-3 7469-Custom-password-encryption-change-3 #7469 --- .../pages/custom-password-encryption.adoc | 29 +++++++------------ 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/modules/ROOT/pages/custom-password-encryption.adoc b/modules/ROOT/pages/custom-password-encryption.adoc index 9c70a43e0..926a7d4c5 100644 --- a/modules/ROOT/pages/custom-password-encryption.adoc +++ b/modules/ROOT/pages/custom-password-encryption.adoc @@ -37,8 +37,9 @@ The server name in this example is `test`. | https://https//www.ibm.com/support/pages/system/files/inline-files/customEncryption.jar[customEncryption.jar] | This file instructs `securityUtility` to use the custom feature. |=== + NOTE: If your uploaded files have different names, rename them to match the names listed in the table. - + + 3. Update `server.xml`. + Edit the `server.xml` to include the custom encryption feature and configure the keystore. @@ -66,7 +67,6 @@ Edit the `server.xml` to include the custom encryption feature and configure the ---- - + 4. Start the server + Start the server using the following command. @@ -74,15 +74,14 @@ Start the server using the following command. ---- server start test ---- - + + Verify that the keystore (`key.p12`) is created in `wlp\usr\servers\test\resources\security` and can be accessed using the specified password. - + + [source,bash] ---- keytool -list -keystore key.p12 -storepass secret -storetype PKCS12 ---- - + 5. Verify custom password encryption service + Check the `messages.log` file to confirm that the custom password encryption service has started. Look for entries similar to the following. 
@@ -93,8 +92,7 @@ Check the `messages.log` file to confirm that the custom password encryption ser [2/11/21 16:56:52:776 EST] 0000002d com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: The server installed the following features: [appSecurity-2.0, appSecurity-3.0, beanValidation-2.0, cdi-2.0, distributedMap-1.0, ejbLite-3.2, el-3.0, jaspic-1.1, jaxrs-2.1, jaxrsClient-2.1, jdbc-4.2, jndi-1.0, jpa-2.2, jpaContainer-2.2, jsf-2.3, jsonb-1.0, jsonp-1.1, jsp-2.3, managedBeans-1.0, servlet-4.0, ssl-1.0, usr:customEncryption-1.0, webProfile-8.0, websocket-1.1]. ---- - + -6. Stop the server + +6. Stop the server. + Stop the server with the following command. [source,bash] @@ -102,12 +100,10 @@ Stop the server with the following command. server stop test ---- - + -7. Encrypt the password + +7. Encrypt the password. + Unlike traditional WebSphere, enabling custom password encryption in Open Liberty does not automatically encrypt passwords in `server.xml`. Use the `securityUtility` command to encrypt passwords manually. - + -8. Confirm custom encryption is enabled + +8. Confirm custom encryption is enabled. + Run the following command to list custom encryption encodings. [source,bash] @@ -116,28 +112,24 @@ securityUtility encode --listCustom [{"name":"custom","featurename":"usr:customEncryption-1.0","description":"%description"}] ---- - + + Ensure that `custom` is listed as an available encoding. - + -9. Encode and update password + +9. Encode and update password. + Encrypt the password using the following command. [source,bash] ---- securityUtility encode --encoding=custom secret - -{custom}OhT339Bw3wymUcP92Mkz+Q== ---- - Replace the plain text password in `server.xml` with the encrypted one. +Replace the plain text password in `server.xml` with the encrypted one. [source,xml] ---- ---- - + 10. Restart the server. + Start the server again to ensure that the keystore opens successfully with the encrypted password. 
@@ -147,4 +139,3 @@ Start the server again to ensure that the keystore opens successfully with the e ---- For more information on password encryption limitations, see the xref:password-encryption.adoc[Password encryption limitations]. -
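Review bot: The `customEncryption.jar` table row kept as context in the `@@ -37,8 +37,9 @@` hunk links to `https://https//www.ibm.com/support/pages/system/files/inline-files/customEncryption.jar`, which has a doubled scheme, so the download link for the JAR that `securityUtility` depends on does not point at ibm.com. This patch already touches the lines directly below the table, so correct the link to a single `https://` prefix in the same change.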
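Review bot: Step heading punctuation is still inconsistent after this patch: "5. Verify custom password encryption service" in the `@@ -74,15 +74,14 @@` hunk (and "4. Start the server" in the hunk before it) has no trailing period, while steps 6 to 9 gain one here and steps 3 and 10 already have one. In the same hunk the keystore location is written with Windows separators, `wlp\usr\servers\test\resources\security`, next to commands tagged `[source,bash]`, and the `keytool -list -keystore key.p12` command uses a relative file name without saying it must be run from that directory. Use one path style and state the working directory, or give the full path to `key.p12`.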
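Review bot: Step 7 ("Encrypt the password.") in the `@@ -102,12 +100,10 @@` hunk tells the reader to use `securityUtility` to encrypt passwords manually but contains no command, and the actual command only appears under step 9 ("Encode and update password."). Either fold step 7 into step 9 as its introduction or move it above the list as a note, so every numbered step is an action. The text also alternates between "encrypt" and "encode" for the same operation; pick one term, or explain the difference once.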
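Review bot: Removing the sample output line `{custom}OhT339Bw3wymUcP92Mkz+Q==` in the `@@ -116,28 +112,24 @@` hunk leaves step 9 without any indication of what the command returns, and the `[source,xml]` block that follows shows no content in this diff, so the reader cannot tell that the whole value, including the `{custom}` prefix, is what replaces the plain text password in `server.xml`. If the intent is to avoid publishing a real encoded value, keep an output line with an obvious placeholder after the `{custom}` prefix and say in the sentence below that the prefix must be copied too.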