
product = WebSphere Application Server 8.5.5.9 Liberty Profile

Does anyone know how to hide passwords in IBM WebSphere Liberty log files? I want to keep the current logging detail at AUDIT level but do not want password values displaying in the log files.

Here is what I see in my log files.

[8/27/16 8:22:04:581 EDT] 00002603 SystemOut O url parameters client_id=ro_app1&validator_id=CorpDirectory&username=user_id&password=my_password&grant_type=password

[8/27/16 8:22:05:299 EDT] 00002603 SystemOut O Post parameters : client_id=ro_app1&validator_id=CorpDirectory&username=user_id&password=my_password&grant_type=password

my_password represents the actual user's password.

Here is what I have for logging properties:

com.ibm.ws.logging.max.file.size=5
com.ibm.ws.logging.hideMessage=password
com.ibm.ws.logging.max.files=20
com.ibm.ws.logging.console.log.level=AUDIT
com.ibm.ws.logging.message.file.name=loggingMessages.log

Thank you in advance for any suggestions.

mTarkowski

2 Answers

The com.ibm.ws.logging.hideMessage property can only be used to hide official IBM message keys (such as SRVE0255E). This cannot be used to hide any string in logs, as doing so could severely impact performance.

Additionally, those logging messages are coming from System.out.print statements in your application code. If you don't want passwords to be printed, don't print out the entire URL in your application code.

Also, the passwords showing up in your logs is less of an issue than the fact that you're passing cleartext passwords as HTTP GET parameters in the first place.

Andy Guibert
  • We are using https, NOT http – mTarkowski Aug 29 '16 at 19:07
  • OK, using https is good (although using passwords as a URL param is still discouraged per this article http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/). The main point of my answer was that this log statement is coming from System.out, not WebSphere. So the simplest solution is to change the application to not log the URL when it sees a password parameter come through – Andy Guibert Aug 29 '16 at 19:56
  • The link you provided does not relate to the mobile app we are using. So basically, the free Tomcat app server which offers the ability to replace password values with a string of *'s has more options than the pay-for IBM Liberty app server? And instead of offering the same functionality as a free app server you attack the code for an application you know nothing about. Real smooth . . . – mTarkowski Aug 30 '16 at 13:49
  • I won't enter the product vs. product argument on SO. What I was attempting to suggest with my answer is a simple solution. The side note about not using passwords as HTTP GET parameters was valid given the amount of information provided in the original question, so I'm leaving it there for future readers, since it is a good thing to avoid in the general case. – Andy Guibert Aug 30 '16 at 16:03
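The fix suggested in the answer above, redacting the password at the application level before the parameter string ever reaches System.out, as an added example (this is not code from the question, the answers, or WebSphere Liberty). It assumes the application has the raw query string or form body as a single `key=value&key=value` string, as in the log lines in the question; the list of sensitive parameter names is an assumption and should be adjusted to the application. Masking is done by parameter name rather than by searching for the substring "password", so a value such as `grant_type=password` is left intact while `password=...` is masked:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Redacts sensitive values in an application/x-www-form-urlencoded
 * parameter string before it is written to System.out or a logger.
 * Added example for the Stack Overflow thread above; not Liberty code.
 */
public final class ParamRedactor {

    /** Parameter names whose values must never reach a log (assumed list). */
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
            "password", "client_secret", "refresh_token", "access_token"));

    private static final String MASK = "*****";

    private ParamRedactor() {}

    /**
     * Returns the parameter string with the value of every sensitive key
     * replaced by MASK. Keys are compared case-insensitively, keys without
     * a value ("password") and repeated keys are handled, and parameter
     * order is preserved so the log line stays readable.
     */
    public static String redact(String params) {
        if (params == null || params.isEmpty()) {
            return params;
        }
        StringBuilder out = new StringBuilder(params.length());
        // limit -1 keeps empty segments, so "a=1&&b=2" round-trips unchanged
        for (String pair : params.split("&", -1)) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                out.append(pair); // bare key, nothing to mask
            } else {
                String key = pair.substring(0, eq);
                if (SENSITIVE.contains(key.toLowerCase(Locale.ROOT))) {
                    out.append(key).append('=').append(MASK);
                } else {
                    out.append(pair);
                }
            }
            out.append('&');
        }
        out.setLength(out.length() - 1); // drop the trailing '&'
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample with the same shape as the line in the question
        String raw = "client_id=ro_app1&validator_id=CorpDirectory&username=user_id"
                + "&password=my_password&grant_type=password";

        // Before: the kind of statement the question's log lines come from
        // System.out.println("url parameters " + raw);

        // After: the same log statement with the password value masked
        System.out.println("url parameters " + redact(raw));
    }
}
```

Because the redaction happens in the application, it works regardless of which log level or `com.ibm.ws.logging.*` property Liberty is configured with, and it covers both the "url parameters" and "Post parameters" lines in the question if both statements pass their string through `redact` first. The same idea applies if the application uses a logging framework instead of System.out: wrap the parameter string before it becomes a log argument, not after.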

IIRC (I have not tried this recently, but I remember working on or near the code that did this), Liberty will obfuscate passwords in GET parameters in http access logs. We do not analyze all system out calls to scrub for passwords as that would have a negative impact on performance. As @aguibert says, this is something that should be managed at the application level. You might try turning access logging on, which would allow you to remove the system.out.

http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_http_accesslogs.html

ebullient