Tuesday, 6 December 2016

Encrypting WebSphere Application Server system passwords

This is from one of my IBM colleagues, Martin Lansche:

It seems that every day we are bombarded with stories in the technical and mainstream press of attacks on computer systems where passwords are stolen, after which these passwords are then available to attackers. The press frequently points out that one reason that this password data was retrievable is because "it was not encrypted." In this situation, it's important to recognize that the passwords in question are user passwords, those used to log in and access the system, not passwords associated with the system processes and binaries. This difference is extremely important.

With such press coverage in mind, perhaps the most common comment centers around customers wanting to encrypt passwords in their IBM® WebSphere® Application Server systems. This comment is often repeated by WebSphere security consultants, our technical sales people, and the WebSphere security development architects. The message that we get is, "WebSphere is mostly meeting its claim of being secure by default, but there are passwords stored on the filesystem which are simply encoded, not encrypted." This is frequently followed by "and we failed our security audit because they are not encrypted."

Some clients have insisted that encryption of system passwords used by WebSphere Application Server is preferred over encoding. However, a system programming interface (SPI) has been available since WebSphere Application Server Version 6.0.2, which can be used to implement any password "hiding" solution that a client might want to implement. By using this SPI, IBM Hybrid Cloud Services (formerly known as IBM Software Services for WebSphere) has implemented such a solution for several clients. In this article, I define some basic security concepts and then describe the design considerations in this custom solution.
