I thought about removing the security for WAS, as steps 1-5 describe here:
https://www-304.ibm.com/support/docview.wss?uid=swg21295051
But then I remembered seeing a Websphere Password Decoder somewhere.
So after a quick google, I found this:
http://www.sysman.nl/wasdecoder/
And opening up the file security.xml in a text-editor I found this:
<authDataEntries xmi:id="JAASAuthData_1303920963452" alias="connectionsAdmin" userId="connadm" password="{xor}LStuOS4rLF==" description="JAAS Alias for Lotus Connections Administrator"/>
I changed the encrypted password above, so the password you get from decrypting this won't mean a thing :-)
So the JAAS alias is listed here, with the password decrypted! The JAAS alias userId is the same as the WASAdmin userId in this environment.
So I copied out the password, removed the {xor} part and pasted it into the Websphere Password Decoder page, and voila, there I had the password right in front of me and I could log in to the Connections Websphere Admin console again.
Is this security for ya? This means that anyone who can get access to the server and the file system actually has access to all the passwords as well?
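The decoder page does nothing more than the following. WebSphere's {xor} format is base64 over the password with every byte XORed against the ASCII character '_' (0x5F); it is obfuscation, not encryption, so anyone who can read security.xml can recover every JAAS alias password offline. The script below is an added example, not code from the original post or from IBM: it decodes (and encodes) {xor} values and walks a constructed security.xml fragment whose aliases, user IDs and passwords are made up for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# WebSphere XORs each password byte with ASCII '_' (0x5F) before base64-encoding it.
XOR_KEY = 0x5F
TAG = "{xor}"


def decode_xor(encoded: str) -> str:
    """Reverse WebSphere's {xor} obfuscation: strip the tag, base64-decode, XOR with '_'."""
    if not encoded.startswith(TAG):
        raise ValueError("not a {xor}-encoded value: %r" % encoded)
    raw = base64.b64decode(encoded[len(TAG):])
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def encode_xor(plain: str) -> str:
    """Produce the same {xor} string WebSphere would store for a given password."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("latin-1"))
    return TAG + base64.b64encode(raw).decode("ascii")


# Constructed security.xml fragment (not the author's file; every value here is made up).
# The root element and namespace mirror the layout of a WAS security.xml; the
# <authDataEntries> children carry the JAAS alias credentials.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
                   xmlns:xmi="http://www.omg.org/XMI" xmi:version="2.0">
  <authDataEntries xmi:id="JAASAuthData_1" alias="exampleAdmin" userId="wasadmin"
                   password="{xor}Lz4sLChvLTs=" description="constructed admin alias"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="exampleDb" userId="dbuser"
                   password="{xor}LGw8LTor" description="constructed datasource alias"/>
</security:Security>
"""


def dump_jaas_entries(xml_text: str):
    """Return (alias, userId, plaintext password) for every authDataEntries element."""
    root = ET.fromstring(xml_text)
    entries = []
    # authDataEntries has no namespace prefix in the file, so a plain tag name matches.
    for entry in root.iter("authDataEntries"):
        entries.append((entry.get("alias"), entry.get("userId"),
                        decode_xor(entry.get("password"))))
    return entries


if __name__ == "__main__":
    for alias, user, password in dump_jaas_entries(SAMPLE_SECURITY_XML):
        print("alias=%s userId=%s password=%s" % (alias, user, password))
```

Run it against a real security.xml by replacing SAMPLE_SECURITY_XML with the file contents; the same loop works for the {xor} values in other WAS configuration files such as resources.xml. Because the key is fixed and public, the only protections that matter are the file permissions on the profile's config directory and who can log in to the box at all.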
Hmmm....
Please feel free to comment to get a discussion started.
4 comments:
This is not ideal, but having physical access or file access to anything basically means you own the system. It shows the importance of having good tools to protect the server/OS itself.
Good point Eirik!
There is an online decoder at this link:
http://www.poweredbywebsphere.com/decoder.html
Thanks Andy.