How to know lost weblogic password ?
or
How to know encrypted key-store or database Schema password for Oracle Application ?
We may face issues if we forget weblogic passwords or else set incorrect of different password.
So there may be need of time to recall or decrypt those passwords for use. This document will guide
on how you can decrypt weblogic password or any AES algorithm based password for weblogic supported oracle application. It can be for Trust Store Key or DB-Schema for the application mentioned in config.xml or weblogic encrypted password in boot.properties for the component.
Prerequisites:
Access to the server (Unix / Windows Box)
I will cover steps from unix server for OBIEE environment (Which may be applied to any
middleware environment in any OS, with small changes or differences)
Step-1: Login to server with read / write & execute permission to server.
Step-2: Navigate to wlst.sh script path & execute it to start working in wlst prompt (offline)
##############
12c - /Middleware/oracle_common/common/bin
11g - /Middleware/oracle_common/common/bin
##############
Execute ./wlst.sh
You will go to wlst offline prompt like below:
wls:/offline>
Step-3: Set the values for domain ,service and encryption variables where the value for domain is the path to your weblogic domain:
[For 11g Environment]
wls:/offline> domain="/Middleware/user_projects/domains/bifoundation_domain"
wls:/offline> service=weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> encryption=weblogic.security.internal.encryption.ClearOrEncryptedService(service)
[For 12c Environment domain path differs, due to different directory structure & domain home rest is same]
[For 12c wls:/offline> domain="/Middleware/user_projects/domains/bi"]
Step-4: Open boot.properties file to get encrypted password
boot.properties file path
###
12c - /Middleware/user_projects/domains/bi/servers/AdminServer/data/nodemanager
11g - /Middleware/user_projects/domains/bifoundation_domain/servers/AdminServer/security
###
Step-5: Copy encrypted password in other file but replace second last special character which is \
This AES Encrypted code will end with \=, you only need to remove \ & keep all other characters as it is
Step-6: Now execute print command with encrypted code as below:
print "Weblogic server Admin password : %s" %encryption.decrypt("{AES}vcTrVGvE0MbzzLmh3PGq5imw4RMf3B0sOvUBFxB5lok=")
Weblogic server Admin password : Admin321
Well you got the password now.
The good thing about this decryption is, you can only decrypt password of this AES algorithm weblogic password for
only the environment you are working for, so its secure & only user with admin privilege to access server can decrypt lost weblogic password.
Now the question is:
Is this AES code only limited to decrypting weblogic password or user name or we can decrypt many more passwords which are to establish connection ?
The Answer is Yes, we can also decrypt any code of the server with same steps as mentioned above with only change in last print command code.
We can decrypt key-store passwords encrypted in config.xml files in the path:
/Middleware/user_projects/domains/bi/config
[Command to print only line with AES encrypted password: grep -n "{AES}" config.xml]
or we can also decrypt all associated database schema passwords from any Schema_Datasource-jdbc.xml file under the path:
/Middleware/user_projects/domains/bi/config/jdbc
[Note - Backslash followed by equal to sign as suffix in the code (\=) only appears in weblogic password, for other AES encrypted passwords for environment (key-store or db schema) remains without backslash. So you do not need to make any changes in encrypted code of any password other than weblogic admin password.]
Important Note - Same steps are applicable to all middleware applications (SOA/ Forms & Reports, etc.) with only difference is there domain home and directory structure.
So there may be need of time to recall or decrypt those passwords for use. This document will guide
on how you can decrypt weblogic password or any AES algorithm based password for weblogic supported oracle application. It can be for Trust Store Key or DB-Schema for the application mentioned in config.xml or weblogic encrypted password in boot.properties for the component.
Prerequisites:
Access to the server (Unix / Windows Box)
I will cover steps from unix server for OBIEE environment (Which may be applied to any
middleware environment in any OS, with small changes or differences)
Step-1: Login to server with read / write & execute permission to server.
Step-2: Navigate to wlst.sh script path & execute it to start working in wlst prompt (offline)
##############
12c - /Middleware/oracle_common/common/bin
11g - /Middleware/oracle_common/common/bin
##############
Execute ./wlst.sh
You will go to wlst offline prompt like below:
wls:/offline>
Step-3: Set the values for domain ,service and encryption variables where the value for domain is the path to your weblogic domain:
[For 11g Environment]
wls:/offline> domain="/Middleware/user_projects/domains/bifoundation_domain"
wls:/offline> service=weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> encryption=weblogic.security.internal.encryption.ClearOrEncryptedService(service)
[For 12c Environment domain path differs, due to different directory structure & domain home rest is same]
[For 12c wls:/offline> domain="/Middleware/user_projects/domains/bi"]
Step-4: Open boot.properties file to get encrypted password
boot.properties file path
###
12c - /Middleware/user_projects/domains/bi/servers/AdminServer/data/nodemanager
11g - /Middleware/user_projects/domains/bifoundation_domain/servers/AdminServer/security
###
Step-5: Copy encrypted password in other file but replace second last special character which is \
This AES Encrypted code will end with \=, you only need to remove \ & keep all other characters as it is
Step-6: Now execute print command with encrypted code as below:
print "Weblogic server Admin password : %s" %encryption.decrypt("{AES}vcTrVGvE0MbzzLmh3PGq5imw4RMf3B0sOvUBFxB5lok=")
Weblogic server Admin password : Admin321
Well you got the password now.
The good thing about this decryption is, you can only decrypt password of this AES algorithm weblogic password for
only the environment you are working for, so its secure & only user with admin privilege to access server can decrypt lost weblogic password.
Now the question is:
Is this AES code only limited to decrypting weblogic password or user name or we can decrypt many more passwords which are to establish connection ?
The Answer is Yes, we can also decrypt any code of the server with same steps as mentioned above with only change in last print command code.
We can decrypt key-store passwords encrypted in config.xml files in the path:
/Middleware/user_projects/domains/bi/config
[Command to print only line with AES encrypted password: grep -n "{AES}" config.xml]
or we can also decrypt all associated database schema passwords from any Schema_Datasource-jdbc.xml file under the path:
/Middleware/user_projects/domains/bi/config/jdbc
[Note - Backslash followed by equal to sign as suffix in the code (\=) only appears in weblogic password, for other AES encrypted passwords for environment (key-store or db schema) remains without backslash. So you do not need to make any changes in encrypted code of any password other than weblogic admin password.]
Important Note - Same steps are applicable to all middleware applications (SOA/ Forms & Reports, etc.) with only difference is there domain home and directory structure.
