
Oracle® Application Server Containers for J2EE Security Guide
10g (9.0.4)

Part No. B10325-02

10
Password Management

This chapter discusses managing passwords within XML files. It contains the following sections:

Introduction
Password Obfuscation In jazn-data.xml and jazn.xml
Creating An Indirect Password
Specifying a UserManager In orion-application.xml

Introduction

Many OC4J components require passwords for authentication. Embedding these passwords in deployment and configuration files poses a security risk, especially if the permissions on the files allow them to be read by any user. To avoid this problem, OC4J provides two solutions:

Password obfuscation in jazn-data.xml and jazn.xml
Password indirection in the other OC4J configuration and deployment files

Password Obfuscation In jazn-data.xml and jazn.xml

The JAAS configuration files, jazn.xml and jazn-data.xml, contain user names and passwords for JAAS authorization. To protect these files, OC4J uses password obfuscation.

Whenever you update jazn.xml or jazn-data.xml, OC4J reads the file, then rewrites it with obfuscated (encrypted) versions of all passwords. In all other OC4J configuration files, you can avoid exposing password cleartext by using password indirection, as "Creating An Indirect Password" explains below.

The JAAS Provider does not obfuscate passwords in orion-application.xml. This means that you should not embed passwords within a <jazn> element that is stored in orion-application.xml.

If you are using the LDAP-based provider, you should create a separate jazn.xml file that contains a <jazn> element defining your application; this file does not contain any user or group data. This <jazn> element looks like:

<jazn provider="LDAP" location="yourlocation">
    <property name="ldap.name" value="cn=orcladmin" />
    <property name="ldap.password" value="!welcome1" />
</jazn>

You then create a <jazn> element in orion-application.xml that points to the jazn.xml file using the config attribute, as in:

<jazn config="./jazn.xml" />

JAZN automatically obfuscates the password stored in this separate jazn.xml file the first time it reads this file.

Hand-editing jazn-data.xml

If you prefer, you can directly edit jazn-data.xml with a text editor. The next time OC4J reads jazn-data.xml, it will rewrite the file with all passwords obfuscated and unreadable.

Setting the clear attribute of the <credentials> element to true enables you to use clear (human-readable) passwords in the jazn-data.xml file.

<credentials clear="true">welcome</credentials>  
<credentials>!welcome</credentials>

Creating An Indirect Password

The following OC4J XML configuration and deployment files support password indirection in one or more entities:

To make any of these passwords indirect, replace the literal password string with a string containing "->" followed by either the username or by the realm and username separated by a slash ("/").


Note:

To begin a literal (non-indirect) password with the string "->", precede the password by "->!". For instance, you would represent the direct password "->silly" as "->!->silly".


Indirect Password Examples

Specifying a UserManager In orion-application.xml

The <password-manager> element specifies the UserManager that the global application uses to look up indirect passwords. (See "Creating An Indirect Password".) If this element is omitted, the UserManager of the global application is used for authentication and authorization of indirect passwords. The <jazn> element within a <password-manager> element can be different from the <jazn> element at the top level.

For example, you can use an LDAP-based UserManager for the regular UserManager, but use an XML-based UserManager to authenticate indirect passwords. This is the only way to use indirect passwords in LDAP.

For full details, see "Specifying a UserManager In orion-application.xml".


Note:

It is possible to use pluggable UserManagers as password managers. However, if you use XMLUserManager as your password manager, principals.xml will not have passwords obfuscated.



Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.