Friday, June 15, 2007

A common (and tricky) security question

One common question people always ask me is "If I forget my administrator password, how can I reset it?" It was simple in the WebLogic Server 6.1 days, when the password was stored in a plain text file, filerealm.properties. When version 7.0 of WebLogic Server (WLS) was released, the security architecture went through a complete overhaul: a file-based embedded LDAP server was introduced for storing security-related information in the domain.

First, there are a few recommendations that I want to share with you:
  1. Create a backup admin user so that you can log in with it in such a disaster scenario. Make sure you keep that user's credentials in a safe place.
  2. Take periodic backups of your domain's embedded LDAP directory on the admin server machine (/Servers/AdminServer/data/ldap/).
  3. Take periodic backups of the individual providers in your realm using the WebLogic Server security import/export feature. (For more info see "Export data from a security provider" on edocs.)

Following are some of the ways in which you can answer the above question:

  • If you are in development, one option is to simply recreate the domain from the existing domain by creating a Domain Template using the Domain Template Builder. That way you don't lose any configuration you did in the original domain, but any security changes you made will be lost.

  • If you have already created a User Config file set for the admin user, run a JMX script that uses that User Config file set to change the admin user password. Obviously you will want to recreate the User Config file set after you change the password. If you have no User Config file set created for the admin user, follow one of the following steps.

  • Delete the ldap sub-directory under the adminserver folder and restart the adminserver (obviously make a backup before you delete). It will automatically rebuild the ldap from the *.ldift files in the domain directory (created when the domain was created, e.g. DefaultAuthenticatorInit.ldift). This will work if you changed the admin password after creating the domain and forgot/lost the new password but still remember the old password which you set when you created the domain (strange use case, huh?). When using this method you will lose all the existing users and groups in the ldap, so you might want to export the users and groups before you delete the ldap and import them back later. But the export can be performed only if you still have access to the console or some pre-written backup scripts which use the encrypted username and password in the form of a User Config file.

  • If you don't remember the Administrator password at all (original or changed) and you are ready to lose all the users and groups in the existing ldap (if not backed up using the export feature), then delete the ldap sub-directory under the adminserver folder (don't forget to create a backup). Edit the file 'DefaultAuthenticatorInit.ldift' in a text editor and locate the line 'dn: uid=adminusername,ou=people,ou=@realm@, dc=@domain@' (obviously make a backup before you edit). Edit the value of the attribute 'userpassword' to a known plain text value. Restart the admin server using the new credentials. The domain will recreate the ldap with the new admin username and password. If you have already exported the old users and groups, import them back.

  • What if you haven't backed up any users or groups and you also don't want to lose them, but still want to recover the lost administration user password? In that scenario, provided the default Admin role has not been modified or removed, perform the following:

    • At the command line, change directory to the domain and run the setEnv script to set the PATH and CLASSPATH.
    • Create a new DefaultAuthenticatorInit.ldift: run java weblogic.security.utils.AdminAccount tempadminusername temppassword ./
    • Remove the initialized status file, DefaultAuthenticatormyrealmInit.initialized, from the Domain/AdminServer/ldap subdirectory.
    • Restart the server, using the new user identity.
    • Optionally, to change the old admin user's identity, log into the admin console or use JMX scripts.

  • Delete and recreate the domain (yuck!). I don't think you would ever end up doing this unless you changed the default Admin role or its permissions. This is a highly unlikely situation.
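The following shell script is an added example (not from the original post or from WebLogic's own tooling) that wraps the two file-level recovery paths described above: editing the admin user's 'userpassword' in DefaultAuthenticatorInit.ldift, and regenerating that ldift with weblogic.security.utils.AdminAccount plus removing the DefaultAuthenticatormyrealmInit.initialized marker. It takes the backup that the recommendations above insist on before touching anything. The domain layout ($DOMAIN_HOME/servers/AdminServer/data/ldap, the ldift in the domain root) and the helper names are assumptions for illustration; the java step needs the WebLogic classpath from the domain's setEnv script and the Admin Server stopped.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed layout:
#   $DOMAIN_HOME/DefaultAuthenticatorInit.ldift
#   $DOMAIN_HOME/servers/AdminServer/data/ldap/   (embedded LDAP)
# Run as the OS user that owns the domain, with the Admin Server stopped,
# after sourcing the domain's setEnv script so that java finds weblogic.jar.
set -eu

# Tar the embedded LDAP directory into a timestamped archive next to the
# domain and print the archive path. Refuses to continue if the dir is missing.
backup_ldap() {
    domain="$1"
    ldap_dir="$domain/servers/AdminServer/data/ldap"
    [ -d "$ldap_dir" ] || { echo "no ldap dir at $ldap_dir" >&2; return 1; }
    backup="$domain/ldap-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$ldap_dir/.." ldap
    echo "$backup"
}

# Replace the userpassword attribute, but only inside the entry whose dn
# starts with "uid=<user>," so other accounts in the ldift are left alone.
# Keeps a .bak copy of the original file. Prints the number of lines changed.
set_ldift_password() {
    ldift="$1"; user="$2"; newpass="$3"
    cp "$ldift" "$ldift.bak"
    awk -v u="$user" -v p="$newpass" '
        /^dn: / { inuser = (index($0, "dn: uid=" u ",") == 1) }
        inuser && tolower($1) == "userpassword:" {
            print "userpassword: " p; changed++; next
        }
        { print }
        END { printf "%d\n", changed > "/dev/stderr" }
    ' "$ldift" > "$ldift.tmp" 2> "$ldift.count"
    mv "$ldift.tmp" "$ldift"
    cat "$ldift.count"; rm -f "$ldift.count"
}

# Delete the "initialized" marker so the Default Authenticator re-reads its
# ldift on the next start. Prints "removed" or "absent".
remove_init_marker() {
    marker="$1/servers/AdminServer/data/ldap/DefaultAuthenticatormyrealmInit.initialized"
    if [ -f "$marker" ]; then rm -f "$marker"; echo removed; else echo absent; fi
}

# The full procedure from the post: back up, generate a fresh ldift for a
# temporary admin user, drop the marker. Restart the server afterwards.
reset_admin_account() {
    domain="$1"; user="$2"; pass="$3"
    backup_ldap "$domain"
    cp "$domain/DefaultAuthenticatorInit.ldift" "$domain/DefaultAuthenticatorInit.ldift.bak"
    ( cd "$domain" && java weblogic.security.utils.AdminAccount "$user" "$pass" ./ )
    remove_init_marker "$domain"
}

# Usage (not run here):
#   . "$DOMAIN_HOME/bin/setDomainEnv.sh"
#   reset_admin_account "$DOMAIN_HOME" tempadmin 'TempPassw0rd!'
```

Whichever path you take, both leave a trace a defender should expect to see: a modified DefaultAuthenticatorInit.ldift or a missing .initialized marker followed by an Admin Server restart. Those are exactly the files worth watching with file integrity monitoring on the admin host, since anyone with write access to the domain directory can do the same thing.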


1 comment:

  1. Hello,

    Is there a way to change a password in a security realm in WLS6.1?

    Regards,
