Managing Security of Passwords
In Enterprise Server, the file domain.xml, which contains the specifications for a particular domain, initially contains the password of the Message Queue broker in clear text. The element in the domain.xml file that contains this password is the admin-password attribute of the jms-host element. Because this password is not changeable at installation time, it is not a significant security impact.
However, use the Admin Console to add users and resources and assign passwords to these users and resources. Some of these passwords are written to the domain.xml file in clear text, for example, passwords for accessing a database. Having these passwords in clear text in the domain.xml file can present a security hazard. You can encrypt any password in domain.xml, including the admin-password attribute or a database password. Instructions for managing the security passwords is included in the following topics:
Encrypting a Password in the domain.xml File
To encrypt a password in the domain.xml file. Follow these steps:
-
From the directory where the domain.xml file resides (domain-dir/config by default), run the following asadmin command:
asadmin create-password-alias --user admin alias-name
For example,
asadmin create-password-alias --user admin jms-password
A password prompt appears (admin in this case). Refer to the man pages for the create-password-alias, list-password-aliases, delete-password-alias commands for more information.
-
Remove and replace the password in domain.xml. This is accomplished using the asadmin set command. An example of using the set command for this purpose is as follows:
asadmin set --user admin server.jms-service.jms-host. default_JMS_host.admin-password='${ALIAS=jms-password}'
Note –Enclose the alias password in single quotes as shown in the example.
-
Restart the Enterprise Server for the relevant domain.
Protecting Files with Encoded Passwords
Some files contain encoded passwords that need protecting using file system permissions. These files include the following:
-
domain-dir/master-password
This file contains the encoded master password and should be protected with file system permissions 600.
-
Any password file created to pass as an argument using the --passwordfile argument to asadmin should be protected with file system permissions 600.
Changing the Master Password
The master password (MP) is an overall shared password. It is never used for authentication and is never transmitted over the network. This password is the central point for overall security; the user can choose to enter it manually when required, or obscure it in a file. It is the most sensitive piece of data in the system. The user can force prompting for the master password by removing this file. When the master password is changed, it is re-saved in the master-password keystore, which is a Java JCEKS type keystore.
To change the master password, follow these steps:
-
Stop the Enterprise Server for the domain. Use the asadmin change-master-password command, which prompts for the old and new passwords, then re-encrypts all dependent items. For example:
asadmin change-master-password> Please enter the master password> Please enter the new master password> Please enter the the new master password again>
-
Restart the Enterprise Server.
Caution – At this point in time, server instances that are running must not be started and running server instances must not be restarted until the SMP on their corresponding node agent has been changed. If a server instance is restarted before changing its SMP, it will fail to come up.
-
Stop each node agent and its related servers one at a time. Run the asadmin change-master-password command again, and then restart the node agent and its related servers.
-
Continue with the next node agent until all node agents have been addressed. In this way, a rolling change is accomplished.
Working with the Master Password and Keystores
The master password is the password for the secure keystore . When a new application server domain is created, a new self-signed certificate is generated and stored in the relevant keystore, which is locked using the master password. If the master password is not the default, the start-domain command prompts you for the master password. Once the correct master password is entered, the domain starts.
When a node agent associated with the domain is created, the node agent synchronizes the data with domain. While doing so, the keystore is also synchronized. Any server instance controlled by this node agent needs to open the keystore. Since the store is essentially identical to the store that was created by the domain creation process, it can only be opened by an identical master password. But the master password itself is never synchronized, meaning it is not transmitted to the node agent during the synchronization, but needs to be available with the node agent locally. This is why creation and/or starting of a node agent prompts you for the master password and you need to enter the same password that you entered while creating/starting the domain. If the master password is changed for a domain, you will have to perform the same step to change it at every node agent that is associated with this domain.
Changing the Admin Password
Encrypting the admin password is discussed in Managing Security of Passwords. Encrypting the admin password is strongly encouraged. If you want to change the admin password before encrypting it, use the change-admin-password command.
Consult the Admin Console online help for instructions on changing the admin password using the Admin Console.
- © 2010, Oracle Corporation and/or its affiliates