Forget your WebSphere password
Call it hacking if you want, but here is an example where it may be useful when it comes to WebSphere. WebSphere uses an XOR-encrypted password system that isn’t really meant for rock-hard security but more for not storing plain-text passwords in configuration files. In my average workday I could easily be using 5 different WebSphere servers for test/development in 4 different hosting environments. So to decrypt the XOR-encrypted password, use these commands.
WebSphere 5.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
decoded password == "secret", encoded password == "{xor}LDo8LTor"
WebSphere 6.0.x (this also works with 6.1.x)
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar:ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
decoded password == "secret", encoded password == "{xor}LDo8LTor"
Here are some other WebSphere 6.1.x commands I found but haven’t tested.
C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == "{xor}LDo8LTor", decoded password == "secret"
To encrypt
WebSphere 5.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"
WebSphere 6.0.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar:ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == "secret", encoded password == "{xor}LDo8LTor"
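
Added example (not from the original post, and not IBM's code): a Python version of the transform the commands above perform, showing that no key or keystore is involved, plus an audit pass that flags `{xor}` values in configuration text without printing what they decode to. It assumes the fixed XOR byte `0x5F` (`_`), which reproduces the `secret` / `{xor}LDo8LTor` pair shown above; the sample config lines and their attribute names are constructed for illustration.

```python
import base64
import re

XOR_KEY = 0x5F      # assumption: fixed byte '_'; reproduces the post's sample pair
PREFIX = "{xor}"
TOKEN = re.compile(r'\{xor\}[^"\s<>]*')

# Constructed sample input; element and attribute names are illustrative only.
SAMPLE_CONFIG = '''<authData alias="node/db" userId="dbuser" password="{xor}LDo8LTor"/>
<authData alias="node/mq" userId="mquser" password="{xor}"/>
<authData alias="node/bad" userId="x" password="{xor}not*base64"/>
'''

def xor_encode(plain: str) -> str:
    """XOR every byte with the fixed key, then base64 and add the prefix."""
    masked = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(masked).decode("ascii")

def xor_decode(encoded: str) -> str:
    """Reverse of xor_encode; raises ValueError on a bad prefix or bad base64."""
    if not encoded.startswith(PREFIX):
        raise ValueError("missing {xor} prefix")
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")

def audit(text: str):
    """Return (line_no, token, status) for each {xor} value found in text.

    status is 'recoverable' (decodes to a non-empty string, so treat the file
    as holding a plain-text credential), 'empty', or 'malformed'.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for token in TOKEN.findall(line):
            try:
                status = "recoverable" if xor_decode(token) else "empty"
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                status = "malformed"
            findings.append((line_no, token, status))
    return findings

if __name__ == "__main__":
    for line_no, token, status in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {token} -> {status}")
```

Any file that yields a `recoverable` finding should get the same file permissions and handling as one holding the password in clear text.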