Configuration of secret key storage in WebSphere Application Server
Julius Schwarzweller    


Hi all,

This time I want to introduce a more development-related blog post. It is nevertheless a very interesting topic for an IBM Connections / WebSphere administrator!

We have a self-registration application for IBM Connections / WebSphere Portal that stores configuration data (e.g. the password of an LDAP bind user) in a property file. This password should not be stored unencrypted! My colleague Konstantin looked into the options for encrypting those passwords.

One possibility is to do it the "WebSphere way":

WebSphere Application Server only *encodes* passwords (e.g. for JDBC resources) by XORing them: the value behind the "{xor}" prefix is the Base64 encoding of the clear text with every byte XORed against the underscore character. You can find a lot of those passwords in the security.xml file in the cell root:

(Screenshot 2015-03-12 09:44: XOR-encoded passwords in security.xml)

When you now goto:

http://www.sysman.nl/wasdecoder/

you can decode the password easily:

(Screenshot 2015-03-12 09:45: the password decoded by the wasdecoder page)

So the whole thing is not really safe: {xor} is an encoding, not encryption, and anyone who can read the cell configuration can recover every password in it without any key.
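What that decoder page does, as an added example (my code, not from the original post): the {xor} format is the clear text XORed byte for byte with '_' (0x5F) and then Base64-encoded, so encoding and decoding are the same operation and no secret is involved. The sample value is constructed; any password="{xor}..." attribute copied out of security.xml works as input.

```java
// Added example, not code from the original post.
// WebSphere {xor} password "encoding": Base64( clearText XOR '_' ) behind the "{xor}" prefix.
// There is no key, so anyone who can read security.xml can undo it.
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class XorPassword {
    private static final String PREFIX = "{xor}";
    private static final byte MASK = (byte) '_';   // 0x5F, the fixed XOR value WebSphere uses

    // XOR is its own inverse, so the same routine encodes and decodes.
    static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ MASK);
        }
        return out;
    }

    public static String encode(String clearText) {
        byte[] masked = xor(clearText.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(masked);
    }

    public static String decode(String encoded) {
        if (!encoded.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a {xor} value: " + encoded);
        }
        byte[] masked = Base64.getDecoder().decode(encoded.substring(PREFIX.length()));
        return new String(xor(masked), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample in the same shape as a password="..." attribute in security.xml.
        String fromSecurityXml = args.length > 0 ? args[0] : "{xor}Lz4sLCgwLTs=";
        String clear = decode(fromSecurityXml);
        System.out.println(fromSecurityXml + " -> " + clear);
        // Round trip as a self-check: encoding the result must give the input back.
        if (!encode(clear).equals(fromSecurityXml)) {
            throw new IllegalStateException("round trip failed");
        }
    }
}
```

Run it as `java XorPassword '{xor}...'` with a value taken from your own security.xml; the point is that the only thing protecting those passwords is the file permission on the cell configuration.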

But we are administrators and developers, so we can find a smarter solution for this ;-)

Konstantin had the great idea to encrypt and decrypt passwords and configuration data using a shared secret. The shared secret is stored in a WebSphere key store. Yes, where you normally store SSL certificates you can also store other things. The big advantage of using a WebSphere key store is that you do not need to take care of passwords yourself (think of a PKCS#12 key store file: you need a password to read its content). WebSphere takes care of this, and your code does not need to provide a password when reading such a key store.

Konstantin changed his code so that one can enter a plaintext password in the property file with the prefix "encrypt:". When the application starts, the password gets encrypted and written back to the file. This is very similar to the procedure IBM uses when configuring the TDI AssemblyLine (profiles_tdi.properties):

(Screenshot 2015-03-12 10:29: a "{protect}-" property in profiles_tdi.properties)

Here you enter "{protect}-" in front of the property value followed by the plaintext password. When the assembly line runs, the plaintext is replaced by an encrypted value.

And here is how you set up the key store:

1. Generate a secret key and save it in a key store:

cd /ibm/WebSphere/AppServer/java/bin
./keytool -genseckey -alias mykey -keyalg AES -keysize 128 -keystore /ibm/config/myKeystore.jsk -storepass mypassword -storetype JCEKS

keytool then asks for the key password; pressing Enter reuses the store password. State the algorithm explicitly: without -keyalg, keytool's default for -genseckey is a 56-bit DES key (256-bit AES additionally needs the unrestricted JCE policy files on older JDKs). Note that -storepass on the command line ends up in the shell history; on a shared machine answer the prompt instead.

2. Go to the WebSphere administration console, "SSL certificate and key management" -> "Key stores and certificates", select "Key set keystores" in the dropdown and click "New...".


3. Enter the path of the key store you just created on the command line and the password you used when creating it. The type should be "JCEKS" and the "Read only" checkbox checked.


4. Create a new key set ("SSL certificate and key management" -> "Key sets"):
Enter "userManager" as the key set name.
Select the newly created key store and uncheck the "Generates key pair" checkbox. Click "Apply".


5. Go to "Active key history" and click the "Add key reference" button.
As "Alias reference" enter the alias of the key you created on the command line (mykey in step 1) and the key password you entered when creating it.


6. "OK" and "Save". The key is ready to use.

That's it. Now you need to recode your application to encrypt / decrypt the values in the property file, reading the shared secret from the key store. Keep in mind what this does and does not protect: the key store password you entered in step 3 is stored by WebSphere in security.xml with the same {xor} encoding shown above, so the cell configuration and the key store file must themselves be protected by file system permissions. The scheme keeps clear text passwords out of the application's property file; it does not make a leaked cell configuration harmless.

It is rather easy to get the key from the key store using the WebSphere API (the call throws com.ibm.websphere.crypto.KeyException if the key set or its key cannot be found):

import com.ibm.websphere.crypto.KeySetHelper;
import javax.crypto.SecretKey;
KeySetHelper ksh = KeySetHelper.getInstance();
SecretKey key = (SecretKey) ksh.getLatestKeyForKeySet(keySetName); // keySetName = "userManager" from step 4

If you are interested in more details about how to use the crypto service, just use the comment function; I will post some more code examples.



---------------------
http://techblog.gis-ag.info/2015/03/12/configuration-of-secret-key-storage-in-websphere-application-server/
Mar 12, 2015