How to decode WebSphere passwords

Posted by Marcel Friedmann on 7:41 PM
WebSphere Application Server 8 / 8.5 XOR-encodes (not encrypts!) system passwords: each character is XORed with an underscore ("_") and the result is then base64-encoded.

To decode a password stored in WebSphere, first get the {xor} value from <profile-root>/config/cells/<cell-name>/security.xml.

Switch to the command line and define the WAS_HOME variable:
WAS_HOME="was-system-root"
You also need to define a Java classpath containing the required jars:
MYCLASSPATH=$WAS_HOME/plugins/com.ibm.ws.runtime.jar:$WAS_HOME/lib/bootstrap.jar:$WAS_HOME/plugins/com.ibm.ws.emf.jar:$WAS_HOME/lib/ffdc.jar:$WAS_HOME/plugins/org.eclipse.emf.ecore.jar:$WAS_HOME/plugins/org.eclipse.emf.common.jar
The class PasswordDecoder actually decodes the XOR value:
$WAS_HOME/java/bin/java -cp $MYCLASSPATH com.ibm.ws.security.util.PasswordDecoder {xor}NzozMzA=
Executing the last command should output the decoded password:
encoded password == "{xor}NzozMzA=", decoded password == "hello"
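The same encoding can be reproduced without the WebSphere jars, which makes it easy to audit a configuration file for values that are reversible by anyone who can read it. The following is an added example, not code from the original post or from IBM; the XML fragment and its attribute names are constructed sample input, and UTF-8 is assumed for the password bytes.

```python
import base64
import re

XOR_KEY = ord("_")   # the underscore mentioned above (0x5F)
PREFIX = "{xor}"

def xor_decode(encoded: str) -> str:
    """Strip the {xor} prefix, base64-decode, then XOR every byte with '_'."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not an {xor} value")
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")  # UTF-8 is an assumption

def xor_encode(plain: str) -> str:
    """Inverse operation: XOR with '_', base64-encode, add the prefix."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")

# Matches name="{xor}..." attributes in an XML document.
ATTR_RE = re.compile(r'(\w+)="(\{xor\}[A-Za-z0-9+/]*={0,2})"')

def audit(xml_text: str):
    """Return (attribute, recoverable) pairs without printing any plaintext."""
    findings = []
    for attr, value in ATTR_RE.findall(xml_text):
        try:
            xor_decode(value)
            findings.append((attr, True))
        except (ValueError, UnicodeDecodeError):  # bad base64 or bad bytes
            findings.append((attr, False))
    return findings

# Constructed sample input (not a real security.xml); the second value is
# deliberately truncated to show the malformed-base64 case.
SAMPLE = '''<registry bindPassword="{xor}NzozMzA=" realm="example"/>
<keyStore password="{xor}NzozMzA" location="example.p12"/>'''

if __name__ == "__main__":
    for attr, recoverable in audit(SAMPLE):
        state = "reversible by any reader of the file" if recoverable else "malformed"
        print(f"{attr}: {state}")
```

Every attribute reported as reversible is protected only by the file permissions on security.xml, so the audit result is a list of places where access to that file equals access to the password.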
To dig a little deeper, I recommend this excellent IBM techjournal article:
