Monday, October 20, 2008

How To Encrypt Clear Text Passwords With WebLogic Server

WebLogic Server encrypts all the plain text passwords stored in its domain configuration XML file(s) so that sensitive information is not exposed. When passwords are entered using the administration console or scripting tools, they are automatically encrypted before they are stored in the configuration XML file(s).

Prior to WebLogic Server 9.0

If those passwords need to be reset, either the configuration tools (Console or scripting tools) can be used, which automatically re-encrypt the passwords, or the configuration files can be changed directly using a text editor. When files are modified directly with a text editor, the passwords are encrypted during the subsequent restart.

Starting from WebLogic Server 9.0

Using clear text passwords in the configuration files is supported only for a Development domain, and the server will not re-encrypt those passwords. If the domain is a Production domain, you cannot set the passwords in clear text; you have to use either a dedicated command-line utility or WLST to encrypt the clear text passwords. If the server encounters a clear text password when parsing the configuration file(s) while starting in Production Mode, you will get an error similar to the following:

<Oct 20, 2008 9:05:35 PM EDT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141266]Parsing Failure in config.xml: java.lang.IllegalArgumentException: In production mode, it's not allowed to set a clear text value to the property: PasswordEncrypted of ServerStartMBean>


Depending on the configuration, the MBean name in the error message may differ. In this case the ServerStartMBean has a clear text value for a password property. Either the dedicated Java utility or WLST can be used to encrypt the clear text values. To run the encrypt utility, follow the instructions below:

  1. Change directory to your domain's bin folder (for example, cd c:\bea\user_projects\domains\mydomain\bin)
  2. Execute the setDomainEnv script (for example, setDomainEnv.cmd)
  3. Execute java weblogic.security.Encrypt, which prompts for the password and prints the encrypted value to stdout.
The following is sample output from running the utility:

C:\bea\user_projects\domains\mydomain>java weblogic.security.Encrypt
Password:
{3DES}9HWsf87pJTw=

You should execute this utility from the domain folder, as it requires the domain's password salt file (SerializedSystemIni.dat) to encrypt the clear text string. You can also pass the clear text string as an argument:

C:\bea\user_projects\domains\mydomain>java weblogic.security.Encrypt testpwd
{3DES}9HWsf87pJTw=


You can also use WLST to encrypt clear text strings as below:

C:\bea\user_projects\domains\mydomain>java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline> es = encrypt('testpwd')
wls:/offline> print es
{3DES}9HWsf87pJTw=
wls:/offline>

When running WLST from a location other than the domain folder, you can pass in an argument to specify the domain directory. Once you have the encrypted value, the configuration files can be modified to include this encrypted value instead of clear text passwords. These features allow your domain to operate after resetting the encrypted passwords in a Production domain's configuration XML files. These methods can be used not only to encrypt the configuration XML (config.xml) but also the JDBC or JMS descriptor XML files.
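Before restarting a Production Mode domain after hand-editing config.xml or a JDBC/JMS descriptor, it is useful to check that no clear text value was left behind, since the parsing failure above is only reported at startup. The following script is an added example written for this post, not part of the original article or of WebLogic itself. It assumes that the elements holding encrypted secrets are named like password-encrypted or credential-encrypted and that an encrypted value carries a {3DES} prefix (as shown in this post) or the {AES} prefix used by later releases; any other non-empty value is reported as clear text. The sample config.xml fragment is constructed for the example.

```python
"""Scan WebLogic domain descriptors for clear-text values in encrypted-password elements.

Added example, not code from the original post or from WebLogic.
Assumptions: secret-bearing elements are named password-encrypted or
credential-encrypted, and an encrypted value starts with {3DES} or {AES}.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

ENCRYPTED_PREFIX = re.compile(r"^\{(3DES|AES)\}")
SECRET_TAGS = ("password-encrypted", "credential-encrypted")


def local_name(tag):
    """ElementTree renders namespaced tags as '{uri}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_clear_text(xml_text, source="config.xml"):
    """Return [(source, element path, value)] for every secret element whose
    value lacks an encryption prefix. Empty elements are ignored."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        name = local_name(elem.tag)
        here = f"{path}/{name}"
        if name in SECRET_TAGS:
            value = (elem.text or "").strip()
            if value and not ENCRYPTED_PREFIX.match(value):
                findings.append((source, here, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_domain(domain_dir):
    """Scan config/config.xml plus the JDBC and JMS descriptors of a domain
    (assumed layout: <domain>/config/{config.xml,jdbc/*.xml,jms/*.xml})."""
    domain = Path(domain_dir)
    targets = [domain / "config" / "config.xml"]
    targets += sorted((domain / "config" / "jdbc").glob("*.xml"))
    targets += sorted((domain / "config" / "jms").glob("*.xml"))
    findings = []
    for f in targets:
        if f.is_file():
            findings.extend(find_clear_text(f.read_text(encoding="utf-8"), str(f)))
    return findings


# Constructed config.xml fragment: one clear text server-start password,
# one properly encrypted credential.
SAMPLE_CONFIG = """<domain xmlns="http://www.bea.com/ns/weblogic/920/domain">
  <name>mydomain</name>
  <server>
    <name>AdminServer</name>
    <server-start>
      <username>weblogic</username>
      <password-encrypted>testpwd</password-encrypted>
    </server-start>
  </server>
  <security-configuration>
    <credential-encrypted>{3DES}9HWsf87pJTw=</credential-encrypted>
  </security-configuration>
</domain>"""


if __name__ == "__main__":
    # Report the location only; do not echo the clear text value itself.
    for source, path, _value in find_clear_text(SAMPLE_CONFIG):
        print(f"{source}: clear text value at {path}")
```

Run it from the domain folder with `scan_domain(".")` to cover config.xml and the descriptor files together; an empty list means every secret-bearing element already holds a {3DES} or {AES} value and the domain can be started in Production Mode without hitting the parsing failure.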

14 comments:

  1. Hi,

    I've tried your example to encrypt the passwords in my database, because I wanted to try authentication using the ReadOnlySQLProvider with the Disable Plain Text Passwords option. It hasn't worked; I wasn't able to log in. The WLS version was 10gR3. Doesn't it work on the passwords in the RDBMS? Thanks: Zsolt

    ReplyDelete
  2. Hi,

    Thanks for the article.
    java weblogic.Admin -username weblogic -Password weblogic GETSTATE

    Current state of "AdminServer" : RUNNING

    java weblogic.Admin -username weblogic -Password {3DES}aWvZBj39GtKjdMohvnQkFw==
    GETSTATE

    User: weblogic, failed to be authenticated.

    When I encrypt the password, how can I use it in my weblogic.Admin command? It does not work. Is there any way I can make it work, as I need to put the user/pass in the startup script, and I want it to be encrypted.

    Thanks,
    Venu

    ReplyDelete
  3. Read this entry http://weblogicserver.blogspot.com/2008/09/encrypt-credentials-when-running-wlst.html. This entry was talking about WLST but the same logic can be applied for weblogic.Admin so that you don't have to supply plain text password.

    ReplyDelete
  4. If you use RDBMS Authentication provider and specify that the plain text passwords are disabled then the security framework will automatically store the passwords in encrypted form with the database.

    Regarding the problem you are having, make sure that the user exists in one of the Authentication providers and also set the JAAS control flag to optional for all the providers. Encrypted passwords do work with RDBMS Authentication providers.



    Replied for the following entry:
    ------------------------------
    Anonymous said...

    Hi,

    I've tried your example to encrypt the passwords in my database, because I wanted to try authentication using the ReadOnlySQLProvider with the Disable Plain Text Passwords option. It hasn't worked; I wasn't able to log in. The WLS version was 10gR3. Doesn't it work on the passwords in the RDBMS? Thanks: Zsolt

    ReplyDelete
  5. Bala, the instructions on how to get an encrypted version of my password to plug in to config.xml (to avoid needing to leave a plain text in that file in the WebLogic instance on my local machine) were very helpful. Thank you!

    ReplyDelete
  6. java weblogic.Admin -username weblogic -Password weblogic GETSTATE

    C:\Oracle\Middleware\user_projects\domains\base_domain>java weblogic.Admin -username weblogic -Password 12345678 GETSTATE
    Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/Admin

    Why am I getting this error?

    ReplyDelete
    Replies
    1. Make sure your classpath contains weblogic.jar.
      java -cp "/path/to/weblogic.jar:$CLASSPATH" weblogic.Admin -username weblogic -password 12345678 GETSTATE
      should do the trick..

      Regards,
      Thulasiram

      Delete
    2. Make sure you have your classpath containing the weblogic.jar file.
      $java -cp "/path/to/weblogic.jar" weblogic.Admin -username weblogic -password 12345678 GETSTATE
      should do the trick for you.

      Delete
  7. Hi,

    Thanks for the precise and accurate information, it was very handy ..

    ReplyDelete
  8. Hey Bala,

    Thanks for this info. Was very helpful and worked for me.

    -imtiaz

    ReplyDelete
  9. Hi,
    I used the same procedure you mentioned, but my WebLogic server is not coming up. I created a domain in WebLogic 10 with weblogic/password as user/pass. I tried to edit the startWebLogic.sh script, adding the 2 variables as

    WLS_USER="weblogic"
    WLS_PW="password".

    My WebLogic comes up fine. Then I ran WLST as you mentioned and replaced the string password with the encrypted value; then my WebLogic does not come up.

    It throws this error.
    Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied


    Can you please help me over here.

    Thanks,
    venu

    ReplyDelete
  10. Excellent article. Thanks for Posting.

    ReplyDelete
  11. Thank You, it was really helpful

    ReplyDelete
  12. Hi,

    I just wanted to say thanks for putting this out there.

    I always forget this "java weblogic.security.Encrypt" and it's always here as a reminder... so a big thanks!

    Best to you,
    Jay

    ReplyDelete