When I add a data source that contains the user and password properties in the server.xml in WebSphere Liberty
Example:
<dataSource jdbcDriverRef="db2-driver" type="javax.sql.DataSource">
    <properties.db2.jcc user="MyUser" password="MyPassword"
        databaseName="dbName" serverName="localhost" portNumber="50000"/>
</dataSource>
I get the following warning in the logs:
J2CA8050I: An authentication alias should be used instead of defining a user name
and password on dataSource[default-0].
Looking at how to do this in Configuring authentication aliases for the Liberty profile I see them put the user and password in another element called authData like this:
<authData id="auth1" user="MyUser" password="MyPassword"/>
I don't get what advantage moving the user name and password from the dataSource element to the authData element is giving me. In both cases the password is showing in plain text in the server.xml file.
WebSphere Liberty uses an adapter to manage its database connections. By specifying an authentication alias the password used by the adapter will be encrypted. If you do not use an auth alias, the userID and password will get stored without encryption on adapter properties.
Additionally, aliases provide another layer of abstraction since the aliases themselves are a resource. The benefit here is that the alias can be configured independently if the database user/password needs to be changed and there are many datasources configured, they can all point to the same auth data.
Use the securityUtility encode command in the wlp/bin directory to encode the password in your server.xml.
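The two answers above combined into one server.xml fragment, as an added example that is not part of the original posts: the question's inline credentials shown as the "before", and a single authData alias shared by two data sources as the "after". It assumes the password was encoded with `securityUtility encode --encoding=aes` (the tool's default `xor` encoding is reversible obfuscation, not encryption); the data source ids, JNDI names, driver directory and the `{aes}` value are constructed placeholders.

```xml
<server>
    <!-- Driver referenced by the question's dataSource; the directory is a
         hypothetical location for the DB2 JCC jars. -->
    <jdbcDriver id="db2-driver">
        <library>
            <fileset dir="${shared.resource.dir}/db2" includes="*.jar"/>
        </library>
    </jdbcDriver>

    <!-- BEFORE (triggers J2CA8050I): credentials sit in clear text on the
         vendor properties of every data source that needs them.

    <dataSource jdbcDriverRef="db2-driver" type="javax.sql.DataSource">
        <properties.db2.jcc user="MyUser" password="MyPassword"
            databaseName="dbName" serverName="localhost" portNumber="50000"/>
    </dataSource>
    -->

    <!-- AFTER: one alias holds the credentials. Paste the full output of
         securityUtility encode as the password value, prefix included.
         The value below is a placeholder, not real tool output. -->
    <authData id="auth1" user="MyUser"
        password="{aes}ENCODED_PASSWORD_PLACEHOLDER"/>

    <!-- Both data sources point at the same alias, so rotating the database
         password means editing only the authData element above.
         containerAuthDataRef is used for container-managed authentication
         (resource references with res-auth=Container). -->
    <dataSource id="ordersDS" jndiName="jdbc/orders"
        jdbcDriverRef="db2-driver" type="javax.sql.DataSource"
        containerAuthDataRef="auth1">
        <properties.db2.jcc databaseName="dbName"
            serverName="localhost" portNumber="50000"/>
    </dataSource>

    <dataSource id="reportsDS" jndiName="jdbc/reports"
        jdbcDriverRef="db2-driver" type="javax.sql.DataSource"
        containerAuthDataRef="auth1">
        <properties.db2.jcc databaseName="dbName"
            serverName="localhost" portNumber="50000"/>
    </dataSource>
</server>
```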