
Saturday, April 13, 2013

Recover / Decrypt Weblogic password from boot.properties

When installing a WebLogic domain in development mode, the Configuration Wizard generates a boot identity file for the administration server containing the encrypted username and password of the initial administrative user. These credentials are then used automatically when starting the admin server, so the WebLogic administrator does not need to supply them manually. It is also possible to use a boot identity file (boot.properties) in production domains. See the following link for more information: http://docs.oracle.com/cd/E14571_01/web.1111/e13708/overview.htm#i1068887

Recovering/decrypting a credential value from the boot identity file is reasonably straightforward should you have shell and executable access to the WebLogic installation.

First, obtain the DOMAIN_HOME value …

ps auxwww | grep Name=AdminServer | tr " " "\n" | grep "domain.home"

-Ddomain.home=/u01/app/oracle/product/Middleware/user_projects/domains/base_domain

Next, source the setDomainEnv.sh file …

export DOMAIN_HOME=/u01/app/oracle/product/Middleware/user_projects/domains/base_domain

source $DOMAIN_HOME/bin/setDomainEnv.sh

Extract the encrypted username and password credential from the boot identity file ...

USR=`grep username $DOMAIN_HOME/servers/AdminServer/security/boot.properties | sed -e "s/^username=\(.*\)/\1/"`

PW=`grep password $DOMAIN_HOME/servers/AdminServer/security/boot.properties | sed -e "s/^password=\(.*\)/\1/"`

Sample values …

mshannon@slc05elc% echo $USR
{AES}RI+L8BLQQc3mTwbCx59un+vcHJ4c30GMQ90ovDY7VLI=

mshannon@slc05elc% echo $PW
{AES}B9acQuaVUBNqsem1FzGROqu7w2tqZenm3StwYB3C+bM=

Create the small Java Decrypt program and invoke it, supplying the DOMAIN_HOME and the encrypted value requiring decryption …

cat > /tmp/Decrypt.java <<EOF
public class Decrypt {
  public static void main(String[] args) {
    System.out.println("Decrypted value: " + new weblogic.security.internal.encryption.ClearOrEncryptedService(
      weblogic.security.internal.SerializedSystemIni.getEncryptionService(args[0])).
        decrypt(args[1]));
  }
}
EOF

$JAVA_HOME/bin/javac -d /tmp /tmp/Decrypt.java

$JAVA_HOME/bin/java -cp /tmp:$CLASSPATH Decrypt "$DOMAIN_HOME" "$USR"

$JAVA_HOME/bin/java -cp /tmp:$CLASSPATH Decrypt "$DOMAIN_HOME" "$PW"

Sample output … 

mshannon@slc05elc% $JAVA_HOME/bin/java -cp /tmp:$CLASSPATH Decrypt "$DOMAIN_HOME" "$USR"
Decrypted value: weblogic

mshannon@slc05elc% $JAVA_HOME/bin/java -cp /tmp:$CLASSPATH Decrypt "$DOMAIN_HOME" "$PW"
Decrypted value: welcome1
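
Since the recovery above needs nothing more than read access to boot.properties and the domain's key material, an administrator will want to confirm that both files are readable by the owner only and that boot.properties holds no cleartext values. The shell function below is an added example, not part of the original post; it assumes the standard domain layout with the key file at $DOMAIN_HOME/security/SerializedSystemIni.dat, and the function name and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two files the
# recovery procedure depends on.
# Assumption: the encryption key lives in $DOMAIN_HOME/security/SerializedSystemIni.dat.

# audit_boot_identity DOMAIN_HOME [SERVER_NAME]
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_boot_identity() {
  domain=$1; server=${2:-AdminServer}; findings=0
  boot="$domain/servers/$server/security/boot.properties"
  key="$domain/security/SerializedSystemIni.dat"

  for f in "$boot" "$key"; do
    if [ ! -f "$f" ]; then
      echo "MISSING $f"; findings=1; continue
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # anything other than ------ lets another account read the file.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5-10) in
      ------) ;;
      *) echo "PERMS $f $mode"; findings=1 ;;
    esac
  done

  if [ -f "$boot" ]; then
    for k in username password; do
      v=$(sed -n "s/^$k=//p" "$boot" | head -n 1)
      case $v in
        '{AES}'*|'{AES256}'*|'{3DES}'*) ;;   # already encrypted by the server
        '') echo "EMPTY $k in $boot"; findings=1 ;;
        *)  echo "CLEARTEXT $k in $boot"; findings=1 ;;
      esac
    done
  fi
  return $findings
}

# Run directly as: sh audit.sh "$DOMAIN_HOME" [server name]
if [ $# -gt 0 ]; then audit_boot_identity "$@"; fi
```

Tight permissions only limit which operating-system accounts can repeat the decryption; any account that can read both files can still recover the credentials.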

4 comments:

  1. If you receive an error from Decrypt.java similar to the following:

    Exception in thread "Main Thread" weblogic.security.internal.encryption.EncryptionServiceException
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:139)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:187)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
    at Decrypt.main(Decrypt.java:3)

    Try the following alternative to extracting the username and password.

    USR=`grep username $DOMAIN_HOME/servers/AdminServer/security/boot.properties | sed -e "s/^username=\(.*\)[\]=$/\1=/"`
    PW=`grep password $DOMAIN_HOME/servers/AdminServer/security/boot.properties | sed -e "s/^password=\(.*\)[\]=$/\1=/"`

    It seems around 11.1.1.6 they added an extra backslash to circumvent this solution. After the above, this worked flawlessly. Also, as an alternative, if you set the nodemanager weblogic password the same during the initial setup, you can find another hashed copy of the password in the config.xml file:

    PW=`grep node-manager-password-encrypted $DOMAIN_HOME/config/config.xml | sed -e "s/.*<node-manager-password-encrypted>\(.*\)<\/node-manager-password-encrypted>.*/\1/"`
