Prior to WebLogic Server 9.0
If those passwords need to be reset, either use the configuration tools (Console or scripting tools), which automatically re-encrypt the passwords, or change the configuration files directly with a text editor. When files are modified directly with a text editor, the passwords are encrypted during the subsequent restart.
Starting from WebLogic Server 9.0
Clear text passwords in the configuration files are supported only for a Development domain, and the server will not re-encrypt them. If the domain is a Production domain, you cannot set the passwords in clear text; you have to use either a dedicated command-line utility or WLST to encrypt the clear text passwords. If the server encounters a clear text password when parsing the configuration file(s) while starting in Production Mode, you will get an error similar to the following:
<Oct 20, 2008 9:05:35 PM EDT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141266]Parsing Failure in config.xml: java.lang.IllegalArgumentException: In production mode, it's not allowed to set a clear text value to the property: PasswordEncrypted of ServerStartMBean>
Depending on the configuration, the MBean name in the error message may change. In this case the ServerStartMBean has a clear text value for a password property. Either the dedicated Java utility or WLST can be used to encrypt the clear text value. To run the encrypt utility, follow the instructions below:
- Change directory to your domain's bin folder (e.g. cd c:\bea\user_projects\domains\mydomain\bin)
- Execute the setDomainEnv script (e.g. setDomainEnv.cmd)
- Execute java weblogic.security.Encrypt, which will prompt for the password and print the encrypted value to stdout.
C:\bea\user_projects\domains\mydomain>java weblogic.security.Encrypt
Password:
{3DES}9HWsf87pJTw=
You should execute this utility from the domain folder, as it requires the domain's password salt file (SerializedSystemIni.dat) to encrypt the clear text string. You can also pass the clear text string as an argument:
C:\bea\user_projects\domains\mydomain>java weblogic.security.Encrypt testpwd
{3DES}9HWsf87pJTw=
You can also use WLST to encrypt clear text strings as below:
C:\bea\user_projects\domains\mydomain>java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> es = encrypt('testpwd')
wls:/offline> print es
{3DES}9HWsf87pJTw=
wls:/offline>
When running WLST from a location other than the domain folder, you can pass in an argument to specify the domain directory. Once you have the encrypted value, the configuration files can be modified to include this encrypted value instead of the clear text password. These methods let you reset encrypted passwords in a Production domain's configuration XML files and keep the domain operational. They can be used not only for the configuration XML (config.xml) but also for the JDBC or JMS descriptor XML files.
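A pre-flight check for the Production Mode parsing failure described above, as an added example that is not part of the original post: it walks a configuration or descriptor XML document and reports every element whose name ends in -encrypted but whose value does not carry an encrypted-value prefix. The function names, the -encrypted suffix rule, the acceptance of an {AES} prefix alongside the {3DES} one shown on this page, and the sample XML are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# {3DES} is the prefix shown on this page; {AES} is accepted as well on the
# assumption that later releases write it. Anything else counts as clear text.
ENCRYPTED_VALUE = re.compile(r"^\{(3DES|AES)\}\S+$")

def local_name(tag):
    """Drop the '{namespace}' part ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]

def find_cleartext_secrets(xml_text):
    """Return the paths of *-encrypted elements that hold a clear text value.

    Only element paths are returned, never the values, so the result can be
    written to a build or deployment log.
    """
    findings = []

    def walk(node, path):
        name = local_name(node.tag)
        here = path + "/" + name
        value = (node.text or "").strip()
        # Empty elements are skipped: there is nothing to leak or to reject.
        if name.endswith("-encrypted") and value and not ENCRYPTED_VALUE.match(value):
            findings.append(here)
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed sample, not a real domain: one clear text value, one encrypted.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>mydomain</name>
  <server>
    <name>AdminServer</name>
    <server-start>
      <username>weblogic</username>
      <password-encrypted>testpwd</password-encrypted>
    </server-start>
  </server>
  <embedded-ldap>
    <credential-encrypted>{3DES}9HWsf87pJTw=</credential-encrypted>
  </embedded-ldap>
</domain>"""

if __name__ == "__main__":
    for path in find_cleartext_secrets(SAMPLE_CONFIG):
        print("clear text value in", path)
```

Run against config.xml and the JDBC or JMS descriptors before starting a Production domain; each reported path needs its value replaced with the output of weblogic.security.Encrypt or the WLST encrypt command.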
Hi,
I've tried your example to encrypt the passwords in my database, because I've wanted to try authentication using the ReadOnlySQLProvider with Disable Plain Text Passwords option. It hasn't worked, I wasn't able to login. WLS version was 10gR3. It doesn't work on the passwords in the RDBMS? Thanks: Zsolt
Hi,
Thanks for the article.
java weblogic.Admin -username weblogic -Password weblogic GETSTATE
Current state of "AdminServer" : RUNNING
java weblogic.Admin -username weblogic -Password {3DES}aWvZBj39GtKjdMohvnQkFw== GETSTATE
User: weblogic, failed to be authenticated.
When I do the encryption of password, how can I use it in my weblogic.admin command it does not work. Is there any way I can make it work, as I need to put the user/pass in the startup script, and I want it to be encrypted.
Thanks,
Venu
Read this entry http://weblogicserver.blogspot.com/2008/09/encrypt-credentials-when-running-wlst.html. This entry was talking about WLST but the same logic can be applied for weblogic.Admin so that you don't have to supply plain text password.
If you use RDBMS Authentication provider and specify that the plain text passwords are disabled then the security framework will automatically store the passwords in encrypted form with the database.
Regarding the problem you are having, make sure that the user exists in one of the Authentication providers and also set the JAAS control flag to be optional for all the providers. Encrypted passwords do work with RDBMS Authentication providers.
Replied for the following entry:
------------------------------
Anonymous said...
Hi,
I've tried your example to encrypt the passwords in my database, because I've wanted to try authentication using the ReadOnlySQLProvider with Disable Plain Text Passwords option. It hasn't worked, I wasn't able to login. WLS version was 10gR3. It doesn't work on the passwords in the RDBMS? Thanks: Zsolt
Bala, the instructions on how to get an encrypted version of my password to plug in to config.xml (to avoid needing to leave a plain text in that file in the WebLogic instance on my local machine) were very helpful. Thank you!
java weblogic.Admin -username weblogic -Password weblogic GETSTATE
C:\Oracle\Middleware\user_projects\domains\base_domain>java weblogic.Admin -username weblogic -Password 12345678 GETSTATE
Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/Admin
Why I am getting this error
Make sure your classpath contains weblogic.jar.
java -cp "/path/to/weblogic.jar:$CLASSPATH" weblogic.Admin -username weblogic -password 12345678 GETSTATE
should do the trick..
Regards,
Thulasiram
Make sure you have your classpath containing the weblogic.jar file.
$ java -cp "/path/to/weblogic.jar" weblogic.Admin -username weblogic -password 12345678 GETSTATE
should do the trick for you.
Hi,
Thanks for the precise and accurate information, it was very handy ..
Hey Bala,
Thanks for this info. Was very helpful and worked for me.
-imtiaz
Hi,
I used the same procedure you mentioned but my weblogic server is not coming up. I create a domain in weblogic 10 with weblogic/password as user/pass. I tried to edit the startWeblogic.sh script adding the 2 variables as
WLS_USER="weblogic"
WLS_PW="password".
My weblogic comes up fine. Then I did a wlst as you mentioned and replaced the string password with the encrypted value, then my weblogic does not come up.
It throws this error.
Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
Can you please help me over here.
Thanks,
venu
Excellent article. Thanks for Posting.
Thank You, it was really helpful
Hi,
I just wanted to say thanks for putting this out there.
I always forget this "java weblogic.security.Encrypt" and it's always here as a reminder... so a big thanks!
Best to you,
Jay