lolcreds

Public credential defaults and exposure patterns for authorized security testing.

IBM WebSphere Application Server

IBMmiddleware4 credentials

Credentials4 documented
01

Administrative User Password

ibm-websphere-application-server / administrative-user-password

WebSphere Application Server administrative security uses users and groups from a local file registry, LDAP, federated repository, or OS registry to protect the admin console, wsadmin, and management APIs.

user definedgenerated on installsecretusername/password

Location

public interface
Integrated Solutions Console, wsadmin, JMX, REST management, and SOAP connector
config file

security.xml, fileRegistry.xml, soap.client.props, sas.client.props, and deployment response files

database

registry or LDAP backend storing local/federated user password verifier data

secret store

WebSphere credential stores, password vaults, and deployment secrets

logs

SystemOut/SystemErr, security audit, wsadmin, and FFDC logs

02

wsadmin / SOAP Client Password

ibm-websphere-application-server / wasadmin-script-password

Administrative scripts often store WebSphere usernames and passwords for wsadmin, SOAP connector, deployment automation, and CI/CD tasks.

user definedsecretusername/password

Location

config file
soap.client.props, sas.client.props, wsadmin.properties

administrative client credential files and scripts

environment
WAS_USER, WAS_PASSWORD, WEBSPHERE_USER, WEBSPHERE_PASSWORD
secret store

CI/CD variables, Ansible Vault, password vaults, and deployment managers

source code

Jython/Jacl wsadmin scripts, pipelines, and deployment repos

logs

wsadmin traces and deployment logs

03

LTPA Keys / Cell Signing Secrets

ibm-websphere-application-server / ltpa-and-cell-secrets

WebSphere uses LTPA keys, cell/node secrets, and token keys for SSO and trust between servers. Leaked keys can enable token forgery or trust abuse within the cell/domain.

generated on installuser definedsecretsecret value

Location

config file

security.xml, ltpa.keys exports, cell/node config repositories, and backupConfig archives

secret store

WebSphere key stores, credential stores, and backup vaults

artifact

profile backups, support bundles, and configuration archives

04

Keystore, Data Source, JMS, and JAAS Secrets

ibm-websphere-application-server / keystore-and-datasource-secrets

WebSphere stores data source passwords, JAAS auth aliases, JMS provider credentials, LDAP bind passwords, and SSL keystore/truststore passwords in cell configuration.

user definedgenerated on installsecretsecret value

Looks like

pattern
pattern

WebSphere XOR-obfuscated password value often found in configuration files

\{xor\}[A-Za-z0-9+/=]+

Location

config file

resources.xml, security.xml, ssl.client.props, key.p12/trust.p12 settings, and JAAS auth data

secret store

WebSphere configuration repository, keystores, and external vaults

source code

application server configuration as code and deployment scripts

logs

connection pool, JMS, LDAP, and SSL debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.