Thursday, January 5, 2012

IBM Connections WAS Security - not so secure after all?

Today I forgot the wasadmin password for the WebSphere Deployment Server in an IBM Connections environment.
I thought about disabling WAS security altogether, following steps 1-5 described here:
https://www-304.ibm.com/support/docview.wss?uid=swg21295051

But then I remembered seeing a WebSphere password decoder somewhere.
After a quick Google search, I found this:

http://www.sysman.nl/wasdecoder/

And opening the file security.xml in a text editor, I found this:

<authDataEntries xmi:id="JAASAuthData_1303920963452" alias="connectionsAdmin" userId="connadm" password="{xor}LStuOS4rLF==" description="JAAS Alias for Lotus Connections Administrator"/>


I changed the encoded password above, so whatever you get from decoding this won't mean a thing :-)

So the JAAS alias is listed here, together with its password in a trivially recoverable form!! The JAAS alias user ID is the same as the wasadmin user ID in this environment.
I copied out the password, removed the {xor} prefix and pasted the rest into the WebSphere password decoder page, and voila, there was the password right in front of me, and I could log in to the Connections WebSphere admin console again.....
The {xor} prefix is not encryption at all: WebSphere XORs every byte of the password with the constant 0x5F (the character '_') and base64-encodes the result. That is reversible obfuscation with no key, and IBM itself documents the default {xor} encoding as not being a security mechanism.
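Here is the decoding step from the post, and its inverse, in working code. This is an added example and not code from the original post or from IBM; it implements the publicly known {xor} scheme (XOR with 0x5F, then base64) and then scans a constructed, trimmed security.xml fragment for authDataEntries passwords. The aliases, user IDs and passwords in the sample are made up for the example; the real security.xml has many more attributes and elements than shown.

```python
import base64
import re

# WebSphere's {xor} scheme: every plaintext byte is XORed with 0x5F ('_'),
# then the result is base64-encoded and prefixed with the literal "{xor}".
XOR_KEY = 0x5F


def was_xor_decode(encoded: str) -> str:
    """Reverse a WebSphere "{xor}..." value back to the plaintext password."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded WebSphere value: %r" % encoded)
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def was_xor_encode(plaintext: str) -> str:
    """Produce the same "{xor}..." form WebSphere writes into its config files."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


# One <authDataEntries .../> start tag, and the name="value" attributes inside it.
_ENTRY = re.compile(r"<authDataEntries\b[^>]*>")
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def find_xor_passwords(security_xml: str) -> dict:
    """Return {alias: plaintext} for every authDataEntries whose password is {xor}-encoded.

    Regex rather than an XML parser on purpose: the fragment pasted from a
    config file is often not well-formed, and we only need the start tags.
    """
    found = {}
    for tag in _ENTRY.finditer(security_xml):
        attrs = dict(_ATTR.findall(tag.group(0)))
        password = attrs.get("password", "")
        if password.startswith("{xor}"):
            found[attrs.get("alias", "?")] = was_xor_decode(password)
    return found


# Constructed sample, NOT a real security.xml: two JAAS aliases with
# {xor}-encoded passwords ("wasadmin1" and "Passw0rd!").
SAMPLE_SECURITY_XML = """
<security:Security xmi:version="2.0">
  <authDataEntries xmi:id="JAASAuthData_1" alias="connectionsAdmin" userId="connadm"
      password="{xor}KD4sPjsyNjFu" description="JAAS alias for the Connections administrator"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="dbUser" userId="lcuser"
      password="{xor}Dz4sLChvLTt+" description="Database user"/>
</security:Security>
"""


if __name__ == "__main__":
    for alias, plaintext in find_xor_passwords(SAMPLE_SECURITY_XML).items():
        print("%-20s %s" % (alias, plaintext))
    # Round trip: re-encoding gives back exactly what WebSphere would store.
    assert was_xor_encode("wasadmin1") == "{xor}KD4sPjsyNjFu"
```

Run against a real profile's config/cells/<cell>/security.xml (and the other XML files under that directory, which use the same encoding for datasource and LDAP bind passwords) it lists every stored credential in clear text. The defensive reading is the one the post ends on: the {xor} form protects against nothing but a casual glance, so the file-system permissions on the profile directory, and restricting who can log on to the server at all, are the real control; WebSphere also supports plugging in a custom password encoder in place of {xor} if clear-text-equivalent storage is unacceptable.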

Is this security for ya? This means that anyone who can get access to the server and the file system actually has access to all the passwords as well??

Hmmm....

Please feel free to comment to get a discussion started.

4 comments:

Eirik Gulbrandsen said...

This is not ideal, but having physical access or file access to anything basically means you own the system.. It shows the importance of having good tools to protect the server/OS itself..

Unknown said...

Good point Eirik!

Andy Jones said...

There is an online decoder at this link:
http://www.poweredbywebsphere.com/decoder.html

Unknown said...

Thanks Andy.