Ravish Mody

We have been getting a lot of questions about how to avoid putting the clear-text username and password in WLST scripts or in the properties file, in order to meet security requirements. Hence I thought of writing a new article on it so that it would be easier for others to get their answers. A month back I wrote the post Deploy Applications Using Encrypted Password With ANT — Security Alert, and I will be using the same technique with WLST, where it works just fine.

I will be using StoreUserConfig to create a user-configuration file, which contains an encrypted username and password, and an associated key file, which contains the secret key used to encrypt and decrypt the username and password in the user-configuration file. Once these files have been created, we can use them in any WLST script or properties file.

Steps to create the user configuration file and key file:

There are basically two ways to create the user-configuration file and key file.

1. weblogic.Admin Command:

Option-1) Use the weblogic.Admin utility as follows:

java weblogic.Admin -url t3://localhost:7001 -username weblogic -password weblogic
-userconfigfile C:\Security_Files_Dir\domain_A_userConfig.file
-userkeyfile C:\Security_Files_Dir\domain_A_key.file  STOREUSERCONFIG

2. WLST Commands:

Option-2) Now let's see how to create a user-configuration file and an associated key file by running storeUserConfig() in WLST with the following commands.

Step-1) Start WLST after running the setWLSEnv.sh script in the command prompt.

java  weblogic.WLST

Step-2) Connecting to WebLogic Admin Server using WLST

connect('weblogic','weblogic','t3://localhost:7001')

Step-3) Storing the user config file.

storeUserConfig('/someDirectory/MyUserConfigFile','/someDirectory/MyUserKeyFile')

Here:
someDirectory = Path where you would like to create these files
MyUserConfigFile = user-configuration
MyUserKeyFile = key file

Steps to use the user configuration file and key file in any WLST script

Now we can use these files in any WLST script or properties file, so let's look at them one by one.

1. WLST script:

Normally we give the clear-text username and password in the connect() command along with the URL, as shown below:

connect('weblogic','weblogic','t3://localhost:7001')

However, as we have now created the user-configuration and key files, we replace the above command with the one below:

connect(userConfigFile='/someDirectory/MyUserConfigFile',userKeyFile='/someDirectory/MyUserKeyFile',url='t3://localhost:7001')

Where:
userConfigFile = the path where the user-configuration file is kept.
userKeyFile = the path where the key file is kept.
url = the URL of the server you want to connect to.

2. Properties file

We all know the use of a properties file with WLST: it gives the added advantage of changing values in one simple file without touching the actual WLST script, which holds the business logic. Here are the changes that have to be made, shown as before and after.

# Before (When you are NOT using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=weblogic
admin.password=weblogic

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(adminUser,adminPassword,adminUrl)

# After (When using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserconfigfile.secure
admin.password=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserkeyfile.secure

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(userConfigFile=adminUser,userKeyFile=adminPassword,url=adminUrl)

Where:
userConfigFile = the path where the user-configuration file is kept.
userKeyFile = the path where the key file is kept.
url = the URL of the server you want to connect to.

This way you can use your user-configuration and key files instead of the clear-text credentials.
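Because the key file decrypts the user-configuration file, anyone who can read both files can connect as the stored user, so the files should be readable by their owner only. The following pre-flight check is an added example, not part of the original article: it assumes a POSIX host and standard Python run before WLST is launched, reuses the admin.username and admin.password keys from the properties file above, and its function names are hypothetical.

```python
import os
import stat
import tempfile

def load_properties(path):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def audit_connect_properties(path):
    """Return findings for the admin.* keys used in this article."""
    props = load_properties(path)
    findings = []
    for key in ("admin.username", "admin.password"):
        value = props.get(key)
        if value is None:
            findings.append("%s: missing" % key)
        elif not os.path.isfile(value):
            # Not a path to an existing file: most likely a clear-text credential.
            findings.append("%s: not a file path (clear-text value?)" % key)
        else:
            mode = stat.S_IMODE(os.stat(value).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s: %s is accessible by group/other (mode %o)"
                                % (key, value, mode))
    return findings

if __name__ == "__main__":
    # Constructed sample: config file is owner-only, key file is world-readable.
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "myuserconfigfile.secure")
    key = os.path.join(d, "myuserkeyfile.secure")
    for p, mode in ((cfg, 0o600), (key, 0o644)):
        open(p, "w").close()
        os.chmod(p, mode)
    props_path = os.path.join(d, "sample.properties")
    with open(props_path, "w") as fh:
        fh.write("admin.url=t3://localhost:7001\n")
        fh.write("admin.username=%s\nadmin.password=%s\n" % (cfg, key))
    for finding in audit_connect_properties(props_path):
        print(finding)
```

An empty result means both keys point at existing files that only their owner can access; any finding is a reason to stop before calling connect().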


Regards,

Ravish Mody
