Password encryption limitations

Open Liberty supports Advanced Encryption Standard (AES) encryption for passwords that are stored in the server.xml file. When you use this option for protecting passwords in the Open Liberty configuration, understand the limitations to the protection that AES encryption provides.

The Open Liberty securityUtility encode command uses AES-128 encryption when the --encoding option is set to aes. The default value for this option is xor. For AES decryption, Open Liberty supports AES-128.

Encrypting a password in the Open Liberty configuration does not guarantee that the password is secure or protected. Encrypting a password means that someone who can see the encrypted password cannot easily recover the password unless they know the encryption key. The application server process requires access to the encrypted password and the decryption key, so these items must be stored on the file system that is accessible to the server runtime environment. The encryption key is also required by anyone who encrypts a password that is placed in the server configuration. If an attacker has access to the same set of files as the Open Liberty server, applying AES encryption to the password provides no additional security over XOR encoding. However, there are reasons why you might consider encrypting passwords in the Open Liberty configuration.

The Open Liberty configuration is composable and sharable. Open Liberty is designed to be configured without an administration subsystem, so any XOR-encoded password is visible to any administrator. Because of these design features, consider whether passwords are sensitive and need to be encrypted.

  • If passwords are not sensitive, encoding them might provide little value.

  • If passwords are sensitive, protect the configuration files or the encoding key, depending on the scenario.

Either the configuration files that contain the passwords are sensitive and access to these files must be controlled, or the passwords are encrypted and the encoding key is protected as sensitive.

For more information about how to obfuscate passwords for Open Liberty, see the securityUtility encode command.

Encryption key protection

In Open Liberty, you can override the default key that is used for encrypting and decrypting by setting the wlp.password.encryption.key property. For a more secure configuration, set the wlp.password.encryption.key property in a separate file that is stored outside the normal configuration directory for the server. Otherwise, the file that contains the key might be included when you run the server dump or server package commands.

The separate configuration file must contain only a single property declaration, as shown in the following example.

<variable name="wlp.password.encryption.key" value="yourKey" />

You can include the configuration file shown in the previous example in a server.xml file, as shown in the following example.

<server>
  ...
  <include location="/protected/key.xml" />
</server>