Forget your WebSphere password

npoore — Tue, 28 Apr 2009 02:32:28 +0000

Call it hacking if you want but here is an example where it may be useful when it comes to WebSphere. WebSphere uses a XOR-encrypted password system that isn’t really meant for rock hard security but more for not storing plain text passwords in configuration files. In my average workday I could easily be using 5 different WebSphere servers for test/development in 4 different hosting environments. So to decrypt the XOR-encrypted password use these commands.

WebSphere 5.x
> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
decoded password == “secret”, encoded password == “{xor}LDo8LTor”

WebSphere 6.0.x (this also works with 6.1.x)

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder {xor}LDo8LTor
decoded password == “secret”, encoded password == “{xor}LDo8LTor”

Here are some other WebSphere 6.1.x commands I found but haven’t tested.

C:\IBM\WAS61\AppServer\bin\ProfileManagement\plugins\com.ibm.websphere.v61_6.1.200>C:\IBM\WAS61\AppServer\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor
encoded password == “{xor}LDo8LTor”, decoded password == “secret”

To encrypt

WebSphere 5.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == “secret”, encoded password == “{xor}LDo8LTor”

WebSphere 6.0.x

> cd $WAS_INSTALL_DIR/lib
> ../java/bin/java -cp securityimpl.jar:iwsorb.jar::ras.jar:wsexception.jar:bootstrap.jar:emf.jar:ffdc.jar com.ibm.ws.security.util.PasswordEncoder secret
decoded password == “secret”, encoded password == “{xor}LDo8LTor”

nick poore » WebSphere

Forget your WebSphere password