Eclipse or SUNrise...
...JAVA for sure

Tuesday, March 8, 2011

Hacking WebSphere Application Server console

Everyone has at some point forgotten a password and had to reset it, or ask someone else to do it. It gets more complicated when you are the administrator of the server and forget the password, or when you inherit a server that nobody knows the credentials for.

With WAS there is a way to reset the administrative account's password even when you cannot get into the console in the first place. All you need is operating-system access to the host running WAS as the user the server runs as (it does not have to be root). The flip side is the security lesson of this post: anyone who can log in as that user, or who can write to the profile's configuration directory, effectively owns the administrative console, so protect that account and that directory accordingly.

Log in as that user and go to the cell configuration directory of the profile, which lives under config/cells in the profile directory. Assuming WAS is installed under /ibm/WebSphere/AppServer with a profile called WPSprofile01, the cell configuration is here:

/ibm/WebSphere/AppServer/profiles/WPSprofile01/config/cells/XXX_Cell/


In there you will find the file security.xml. Make a backup copy before you touch it (the same file also holds the cell's {xor}-obfuscated passwords, keystore and LTPA key passwords among them, so it is sensitive in its own right), then open it in an editor. It begins like this; the root element is written on a single line in the file and is only wrapped here for readability:


<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false"
    enabled="true" cacheTimeout="598200" issuePermissionWarning="true" activeProtocol="BOTH"
    enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true"
    dynamicallyUpdateSSLConfig="true" activeAuthMechanism="LTPA_1"
    activeUserRegistry="WIMUserRegistry_1" defaultSSLSettings="SSLConfig_1">


Notice the attribute enabled="true" on the root security:Security element. It controls whether administrative security is enabled; set it to false and security is off. Change only that one attribute: other elements further down in the file (single sign-on, for example) carry their own enabled="true" and must stay as they are, and appEnabled="true" on the same line is a different setting.

Easy? Not quite. The server has to be restarted to pick up the change, and as long as security is still enabled stopServer.sh asks for exactly the credentials you do not have. The way around it is to kill the WAS process instead: find it with ps, grepping for the profile name, and kill it. A plain kill (SIGTERM) lets the JVM shut down on its own; use kill -9 only if it refuses to exit.

Now start the server again with startServer.sh (starting needs no credentials) and open the console over plain HTTP, not HTTPS; the default URL is http://washost:9060/ibm/console. With security disabled the login page asks only for an optional user ID, so leave it empty, click OK and you are in the console.
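The edit-and-restart steps above, put together as an added POSIX shell example; this is not the post's own code. It assumes the standard profile layout, the hypothetical profile name WPSprofile01 from the post, a server named server1, and that the root security:Security start tag occupies a single line in the file (WAS writes it that way; it is only wrapped in the listing above). Unlike a blanket search-and-replace it changes only the root element's enabled attribute, writes a backup first, and reads the value back so you can verify the file before and after the restart.

```shell
#!/bin/sh
# Added example, not code from the original post. Flips administrative
# security off in a WAS profile's security.xml the way the post describes,
# but with a backup, a change limited to the root element, and a read-back
# check. Profile name, server name and paths are assumptions for illustration.
set -eu

# Print the value of the enabled="..." attribute on the root
# <security:Security ...> start tag, which WAS writes on a single line.
# Run this before and after the edit (and after the restart) to confirm the
# file says what you think it says.
was_admin_security_state() {
  sed -n '/<security:Security /s/.* enabled="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Set enabled="false" on the root element only. The file carries other
# enabled="true" attributes (for example on <singleSignon .../>) that must
# stay untouched, so the sed command is addressed to the root tag's line, and
# the leading space keeps the pattern from matching appEnabled="true".
# A timestamped backup is written next to the file; sed output goes through
# a temp file instead of sed -i so this works with both GNU and BSD sed.
disable_was_admin_security() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  backup="$file.$(date +%Y%m%d%H%M%S).bak"
  cp -p "$file" "$backup"
  tmp="$file.tmp.$$"
  sed '/<security:Security /s/ enabled="true"/ enabled="false"/' "$file" > "$tmp"
  mv "$tmp" "$file"
  echo "backup: $backup"
}

# The post's "ps and grep for the profile name" step: list the PIDs of the
# Java processes started from the given profile, excluding this pipeline.
was_pids() {
  ps -eo pid,args | awk -v p="$1" 'index($0, p) && /java/ && !/awk/ { print $1 }'
}

# Typical run, guarded so that sourcing this file for its functions does nothing:
#   sh was_reset_security.sh --disable /ibm/WebSphere/AppServer/profiles/WPSprofile01
if [ "${1:-}" = "--disable" ]; then
  profile="${2:?profile directory required}"
  cell_dir=$(ls -d "$profile"/config/cells/* | head -n 1)   # assumes a single cell directory
  xml="$cell_dir/security.xml"
  echo "administrative security before: $(was_admin_security_state "$xml")"
  disable_was_admin_security "$xml"
  echo "administrative security after:  $(was_admin_security_state "$xml")"
  # stopServer.sh would ask for the credentials you do not have, so kill the
  # JVM instead. Plain kill (SIGTERM) lets it shut down; use -9 only if it
  # refuses to exit. Then start it again and open http://washost:9060/ibm/console.
  for pid in $(was_pids "$profile"); do kill "$pid"; done
  echo "now run: $profile/bin/startServer.sh server1"
fi
```

Keep the backup until security is back on and you have confirmed a login with the new password; restoring it is also the quickest way back if the edit goes wrong.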

So you are in. Now change the password and switch security back on, this time through the console rather than the file: go to Security > Global security. How you change the password depends on the user registry your realm uses; in the snippet above activeUserRegistry="WIMUserRegistry_1" means federated repositories, where users are managed under Users and Groups > Manage Users. I'll write more about security and managing users on WAS in another post; basically you can do pretty much everything from here.

Finally, don't forget to turn security back on and restart the server once more, then check that the console login page redirects to HTTPS (port 9043 by default) and demands credentials again. This scenario is simple for a standalone server. In a clustered Network Deployment cell it also works, but the edit has to be made in the deployment manager's master configuration and synchronized to the nodes, and the deployment manager and node agents have to be restarted in the right order for it to take effect.

2 comments:

Funny Guy said...

I know this blog post is over three years old, but I still had to leave a comment. I happened to find this blog post and your tip helped get me out of a serious issue with a production server. I had searched the internet for days and found nothing that helped. Even IBM documentation was useless. Again, thank you very much!!

Sebastian Kapciak said...

That's great Funny Guy! I'm glad you found this post helpful and that you managed to fix the problem!

There are lots of things that you won't find in official documentation, maybe I should go back to blogging then ;-)