Master password expired. So what?

Hi experts,

I am dazzled by the “Master Password” for “Outbound Passwords”. Basically the password had expired for a system and I was getting the persistent emails requesting me to change it :talker:. I went and changed it from “manage” to a new password and the change was accepted by wM. What puzzles me is that the user “Administrator” has already had his password changed from “manage”, so this password is not tied to the user Administrator :eek:.

Furthermore, documentation stipulates that for example (I quote) “when a user request/requires use of a database server, the Integration Server must send a password to that database server in order to connect to it.”

This is a confusing piece of information :crazy: because our database does not have anything to compare the password to. Never have I stored such password in the database and after I have changed it the whole system continued to work fine including connections to DB. That tells me the DB (and other systems such as SAP for that matter) don’t give a rat about this password :mad:.

Does anyone know what such password is actually used for? :confused:
And is there is any hidden problem to the fact I have now changed in? This is critical because I need to also change it in production and I am nervous about that.:uhoh:

Thanks heaps for your help and support

these are different passwords, no need to mix them.

  1. webMethods userid and password - eg “Administrator” and “manage”
  2. Outbound password - this is kind of master password (for a vault within wM) you can use to secure some key strings/passwords used by integration server to connect with external world.
  3. database userid and password - these are the ones used to connect with external databases like db queried in flow for data/ db for wM audit logging, TN etc

admin guide and other docs might be helpful.

My apology if I didn’t understand your question completely.

hope this helps!
DC

Thanks Deepan for the answer. I have checked the user guide and I am well aware of the answers you gave me.

What I am after is to understand how could the Master password be used.

For instance, wM wants to connect to a database. wM needs therefore to send the username and password to this database, and the database then checks them against its list of users and once authentication is completed, it allows wM to run the query.

wM Documentation says that as wM is sending these username and password, it protects them using the Master Password. I cannot see how that can be possible. If wM sends a string to the database that was encrypted using the Master password, the DB server must be able to decrypt the message before reading it and doing the authentication steps. How could the DB decrypt the message when it is not even aware of what the Master password is?

webMethods provides “outbound password store” to store the passwords/keys that are used by webMethods to access external resources - It means instead of saving the password in plain we have option to securely store them in “outbound password store” and encrypt it with “Master Password” as encryption key. When required these passwords has to be retrieved from the store for use in services.

While sending password/key to target system wM wont send in its own encrypted form. The service which uses these passwords must retrieve from the password store. There are some built-in services available for this in pub.security.outboundPasswords.

Further these passwords can be classified as internal/external and can be more secured using extended properties in admin page.
These are very useful in securing passwords for external connections as well as securing the PrivateKey, Certificate Chain used for digital signatures etc.

-regards
DC

1 Like

You sir should be knighted :smile:
I was mixing “Master Password” and “Outbound Password” :rofl:. It now makes sense why changing the Master Password did not have an impact on the system as whole. It’s because it is internal to the system.:wink:

Thanks heaps…

Hi everybody,

I would like to dig up this old thread again, as I have another question regarding the encryption with the Master Password.

At that moment when I change this Master Password, IS will automatically decrypt the stored outbound passwords with the previous Master Password and re-encrypt them with the new one? Is that correct?

If yes, how long will it take? Is this process finished, when the administration page says that the new Master Password has successfully been stored?

The reason I am asking is that our client once changed that password and had trouble restarting their IS afterwards as it couldn’t connect to the database anymore. The Master Password got corrupted somewhere along the way. So I need to give them a recommendation of how to proceed as they want to change that password on a regular basis to fulfill the company’s security requirements.

Thanks a lot for your input.

Cheers,
Sascha

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.