{"id":279,"date":"2018-03-22T15:15:55","date_gmt":"2018-03-22T14:15:55","guid":{"rendered":"http:\/\/hslomka.de\/techno\/?p=279"},"modified":"2026-03-16T15:15:05","modified_gmt":"2026-03-16T15:15:05","slug":"xor-passwort-endode-decode-fur-ibm-websphere-xml-konfigurationsdateien","status":"publish","type":"post","link":"https:\/\/techno.slomka.biz\/?p=279","title":{"rendered":"XOR Password Encode\/Decode for IBM WebSphere XML Configuration Files"},"content":{"rendered":"\n<p>IBM WebSphere stores the passwords of the WebSphere Application Server configuration in XML files in the profile path of the WAS admin console (IBM Integrated Solutions Console &#8211; ISC). These passwords are not encrypted, only XOR-encoded. Because<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#f6f6f4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F6F6F4\">a xor b xor b = a<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>holds, an XOR-encoded password can be turned back into plaintext. IBM ships the tools for decoding and encoding along with the product.<\/p>\n\n\n\n<p>To illustrate this, I look at an encoded password from an IBM WebSphere Application Server cell (security.xml). 
The encoded passwords are easy to find:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#f6f6f4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:16px 0 0 16px;width:100%;text-align:left;background-color:#282a36\"><span style=\"background:#ebebe6;padding:0.3rem 0.5rem 0.2rem;border-radius:1rem;font-size:0.8em;line-height:1;height:1.25rem;text-align:center;display:inline-flex;align-items:center;justify-content:center;color:#282a36\">Bash<\/span><\/span><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #62E884\">grep<\/span><span style=\"color: 
#F6F6F4\"> <\/span><span style=\"color: #E7EE98\">xor<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">security.xml<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><strong>Procedure for WebSphere 8.0 and 8.5 &#8211; Decoding<\/strong><br>First change to the &lt;WAS_HOME&gt; directory. Run the decoder from there:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers kasten\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#f6f6f4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:16px 0 0 16px;width:100%;text-align:left;background-color:#282a36\"><span style=\"background:#ebebe6;padding:0.3rem 0.5rem 0.2rem;border-radius:1rem;font-size:0.8em;line-height:1;height:1.25rem;text-align:center;display:inline-flex;align-items:center;justify-content:center;color:#282a36\">Bash<\/span><\/span><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #62E884\">java\/bin\/java<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #BF9EEE\">-Djava.ext.dirs=.\/plugins:.\/lib<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">com.ibm.ws.security.util.PasswordDecoder<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">{xor}HDc6PDQZNjM6Hjw8OiwsfQ==<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The password must be passed with the leading &#8220;{xor}&#8221; prefix.<\/p>\n\n\n\n<p><strong>Procedure for WebSphere 9.0 &#8211; Decoding<\/strong><br>As with WAS 8.x installations, change to the &lt;WAS_HOME&gt; directory. Start the decoder from there; the Java paths may differ in WAS 9.0 (depending on how it was installed). 
In this example I invoked it with Java 8.0:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers kasten\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#f6f6f4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:16px 0 0 16px;width:100%;text-align:left;background-color:#282a36\"><span style=\"background:#ebebe6;padding:0.3rem 0.5rem 0.2rem;border-radius:1rem;font-size:0.8em;line-height:1;height:1.25rem;text-align:center;display:inline-flex;align-items:center;justify-content:center;color:#282a36\">Bash<\/span><\/span><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" 
tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #62E884\">java\/8.0\/bin\/java<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #BF9EEE\">-Djava.ext.dirs=.\/plugins:.\/lib<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">com.ibm.ws.security.util.PasswordDecoder<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">{xor}HDc6PDQZNjM6Hjw8OiwsfQ==<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><strong>Access to the configuration files must therefore be protected with particular care!<\/strong><\/p>\n\n\n\n<p><strong>Encoding<\/strong><br>Encoding works the same way, with PasswordDecoder replaced by PasswordEncoder:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers kasten\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#f6f6f4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:16px 0 0 16px;width:100%;text-align:left;background-color:#282a36\"><span style=\"background:#ebebe6;padding:0.3rem 0.5rem 0.2rem;border-radius:1rem;font-size:0.8em;line-height:1;height:1.25rem;text-align:center;display:inline-flex;align-items:center;justify-content:center;color:#282a36\">Bash<\/span><\/span><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #62E884\">java\/8.0\/bin\/java<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #BF9EEE\">-Djava.ext.dirs=.\/plugins:.\/lib<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">com.ibm.ws.security.util.PasswordEncoder<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #E7EE98\">CheckFileAccess!<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>IBM discusses the topic on developerWorks: <a href=\"https:\/\/www.ibm.com\/developerworks\/library\/mw-1611-lansche-trs\/index.html\">developerWorks &#8211; Encrypting WebSphere Application Server system passwords<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IBM WebSphere stores the passwords of the WebSphere Application Server configuration in XML files in the profile path of the WAS admin console (IBM Integrated Solutions Console &#8211; ISC). These passwords are not encrypted, only XOR-encoded. Because a xor b xor b = a holds, an XOR-encoded password can be turned back into plaintext. IBM ships the tools for decoding and encoding along with the product. To illustrate this, I look at an encoded password from an IBM WebSphere Application Server cell (security.xml). 
The encoded passwords are easy to find: Procedure for WebSphere 8.0 and 8.5 &#8211; Decoding: First change to the &lt;WAS_HOME&gt; directory. Run the decoder from there: The password must be passed with the leading &#8220;{xor}&#8221; prefix. Procedure for WebSphere 9.0 &#8211; Decoding: As with WAS 8.x installations, change to the &lt;WAS_HOME&gt; directory. Start the decoder from there; the Java paths may differ in WAS 9.0 (depending on how it was installed). In this example I invoked it with Java 8.0: Access to the configuration files must therefore be protected with particular care! Encoding: Encoding works the same way, with PasswordDecoder replaced by PasswordEncoder: IBM discusses the topic on developerWorks: developerWorks &#8211; Encrypting WebSphere Application Server system passwords<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,11,17],"tags":[54,58,67,87,106,107],"class_list":["post-279","post","type-post","status-publish","format-standard","hentry","category-ibm-websphere-application-server","category-middleware","category-security","tag-decoding","tag-encoding","tag-ibm-websphere-application-server","tag-security","tag-was","tag-websphere"],"_links":{"self":[{"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/posts\/279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techno.slomka.biz\/index.php?r
est_route=%2Fwp%2Fv2%2Fcomments&post=279"}],"version-history":[{"count":3,"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/posts\/279\/revisions"}],"predecessor-version":[{"id":1112,"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=\/wp\/v2\/posts\/279\/revisions\/1112"}],"wp:attachment":[{"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techno.slomka.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}