Tag: Security

Secured Access Using Encrypted Credentials with WLST

Ravish Mody

We have been getting a lot of questions about how one can avoid giving the clear-text username and password in WLST scripts or in the properties file, to meet security requirements. Hence I thought of writing a new article on it so that it would be easier for others to get their answers. A month back I had written a post, Deploy Applications Using Encrypted Password With ANT — Security Alert, and I would be using the same technique with WLST also, which works just fine.

I would be using storeUserConfig to create a user-configuration file, which contains the encrypted username and password, and an associated key file, which contains the secret key used to encrypt and decrypt the credentials held in the user-configuration file. Once these files have been created, we can use them in any WLST script or properties file. Keep in mind that anyone who can read both files can connect as that user, so protect the key file with file-system permissions just as you would a password.

Steps to create the user configuration file and key file:

There are basically two ways to create the user-configuration file and the key file.

1. weblogic.Admin Command:

Option-1). Use the weblogic.Admin utility as follows (note that this form still passes the clear-text password once, on the command line):

java weblogic.Admin -url t3://localhost:7001 -username weblogic -password weblogic
-userconfigfile C:\Security_Files_Dir\domain_A_userConfig.file
-userkeyfile C:\Security_Files_Dir\domain_A_key.file  STOREUSERCONFIG

2. WLST Commands:

Option-2). Now let's see how to create a user-configuration file and an associated key file by running storeUserConfig() from WLST with the following commands.

Step-1) Start WLST after running the setWLSEnv.sh script in the command prompt.

java weblogic.WLST

Step-2) Connect to the WebLogic Admin Server using WLST.

connect('weblogic','weblogic','t3://localhost:7001')

Step-3) Store the user-configuration file and the key file.

storeUserConfig('/someDirectory/MyUserConfigFile','/someDirectory/MyUserKeyFile')

Here:
someDirectory = the path where you would like to create these files
MyUserConfigFile = the user-configuration file to be created
MyUserKeyFile = the key file to be created

Steps to use the user-configuration file and key file in any WLST script

Now we can use these files in any WLST script or in a properties file, so let's look at each one in turn.

1. WLST script:

Normally we give the clear-text username and password in the connect() command together with the URL, as shown below:

connect('weblogic','weblogic','t3://localhost:7001')

However, now that we have created the user-configuration and key files, we replace the above command with the one below:

connect(userConfigFile='/someDirectory/MyUserConfigFile',userKeyFile='/someDirectory/MyUserKeyFile',url='t3://localhost:7001')

Where:
userConfigFile = the path where the user-configuration file is kept.
userKeyFile = the path where the key file is kept.
url = the URL of the server you want to connect to.

2. Properties file

We all know the use of a properties file with WLST: it gives the added advantage of changing values in one simple file without touching the actual WLST script that holds the business logic. Here are the changes that have to be made, shown as before and after.

# Before (When you are NOT using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=weblogic
admin.password=weblogic

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(adminUser,adminPassword,adminUrl)

# After (When using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserconfigfile.secure
admin.password=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserkeyfile.secure

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(userConfigFile=adminUser,userKeyFile=adminPassword,url=adminUrl)

Where:
userConfigFile = the path where the user-configuration file is kept.
userKeyFile = the path where the key file is kept.
url = the URL of the server you want to connect to.

This way you can use your user-configuration and key files instead of the clear-text credentials.
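As an added example (not code from the original post), here is a WLST-style Jython script that reads the file paths from a properties file, refuses a key file that other users can read, and then builds the connect() call in the keyword form shown above. The property names wls.url, wls.userConfigFile and wls.userKeyFile and the file name admin.properties are this example's own assumptions.

```python
# Added example, not from the original post: a WLST (Jython) script that reads the
# user-configuration and key file paths from a properties file and connects with
# connect(userConfigFile=..., userKeyFile=..., url=...). The property names
# wls.url, wls.userConfigFile and wls.userKeyFile are this example's own choice.
import os
import stat

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def key_file_is_private(path):
    """The key file decrypts the stored credentials, so group/other must have no access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def connect_args(props):
    """Validate the credential files and build the keyword arguments for WLST connect()."""
    cfg = props["wls.userConfigFile"]
    key = props["wls.userKeyFile"]
    for path in (cfg, key):
        if not os.path.isfile(path):
            raise IOError("missing credential file: %s" % path)
    if not key_file_is_private(key):
        raise IOError("key file %s is readable by group/other; chmod 600 it" % key)
    return {"userConfigFile": cfg, "userKeyFile": key, "url": props["wls.url"]}

if __name__ == "__main__":
    # admin.properties is an assumed file name; open/close is used instead of
    # 'with' because older WLST Jython releases do not support it.
    fh = open("admin.properties")
    try:
        args = connect_args(parse_properties(fh.read()))
    finally:
        fh.close()
    # connect() is a WLST builtin; outside WLST this script only validates the inputs.
    if "connect" in globals():
        connect(**args)  # noqa: F821
```

Run it with "java weblogic.WLST script.py" after setWLSEnv.sh; under plain Python it only checks the files and permissions.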


Regards,

Ravish Mody


WebLogic SQLAuthenticator Demo With FormBased Authentication

Hi,

Jay SenSharma

Thanks to Sanjay for asking a very good query. In response to Sanjay’s comment on SQLAuthenticator (http://middlewaremagic.com/weblogic/?p=2034#comment-2838), here is a demo of SQLAuthenticator with Form Based Authentication.

Here we are going to see a very simple example of using Form Based Authentication. But in this case we won’t use WebLogic’s default Authenticator provider; rather, we will create a separate SQL Authenticator provider inside the Security Realm and then insert some user information into the database, so that we can validate the database users using our Form Based Authentication technique.

Step1). Create the following tables “USERS”, “GROUPS” and “GROUPMEMBERS” with exactly the same data definition as mentioned below (these are the table and column names the SQL Authenticator's default queries expect):

CREATE TABLE USERS (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000));

ALTER TABLE USERS
   ADD CONSTRAINT PK_USERS
   PRIMARY KEY (U_NAME);

CREATE TABLE GROUPS (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000) NULL);

ALTER TABLE GROUPS
   ADD CONSTRAINT PK_GROUPS
   PRIMARY KEY (G_NAME);

CREATE TABLE GROUPMEMBERS (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL);

ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT PK_GROUPMEMS
   PRIMARY KEY (
      G_NAME,
      G_MEMBER
   );

ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT FK1_GROUPMEMBERS
   FOREIGN KEY ( G_NAME )
   REFERENCES GROUPS (G_NAME)
   ON DELETE CASCADE;

Step2). Insert the following records into the above tables (the group must be spelled “Administrators” to match WebLogic's built-in admin group):

insert into USERS  values('weblogic','weblogic','This is an Admin User with username weblogic, password weblogic');

insert into GROUPS values('Administrators','This is an Administrators Group');

insert into GROUPMEMBERS values('Administrators','weblogic');

Step3). Create a DataSource based on whatever database you want to use. I created a simple DataSource like the following, “$DOMAIN_HOME/config/jdbc/SQLAuthDS-8981-jdbc.xml”:

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://www.bea.com/ns/weblogic/jdbc-data-source" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/jdbc-data-source http://www.bea.com/ns/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
  <name>SQLAuthDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@10.65.209.158:1521:xe</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>SYSTEM</value>
      </property>
    </properties>
    <password-encrypted>{3DES}sUnlI08xXhw=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1 FROM DUAL</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>SQLAuthDS_Jndi</jndi-name>
    <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>

And inside your “config.xml” file you will see a DataSource entry like the following:

  <jdbc-system-resource>
    <name>SQLAuthDS</name>
    <target>AdminServer</target>
    <descriptor-file-name>jdbc/SQLAuthDS-8981-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>

Step4). Now login to Admin Console and create the SQL Authenticator Provider like following:

Home -> Summary of Security Realms -> myrealm -> Providers (tab): click the “New” button
Provider Name: MySQLAuthenticatorProvider
Provider Type: SQL Authenticator

[Screenshot: SQL_Auth_Provider_One]

Now click on your provider name “MySQLAuthenticatorProvider”, go to the “Provider Specific” (tab) and then select the following values:
Plaintext Passwords Enabled (check this check box; it is needed because this demo stores the passwords unhashed in USERS.U_PASSWORD)
Data Source Name: SQLAuthDS
Group Membership Searching: unlimited

The rest of the settings stay at their defaults.

[Screenshot: SQL_Auth_Provider_Second]

Step5). Now go to the Security Realm and do the following:
Home -> Summary of Security Realms -> myrealm -> Providers -> DefaultAuthenticator (click). Now change its “Control Flag” to “OPTIONAL”.
Save the above changes.

Step6). Now again go to the Security Realm and do the following:
Home -> Summary of Security Realms -> myrealm -> Providers -> MySQLAuthenticatorProvider (click). Now change its “Control Flag” to “REQUIRED”.
Save the above changes.

Step7). Now restart your server so that the changes take effect (make sure that the database is running).

====================Form Based Authentication Below======================

Step8). Now insert some more records into the database:

insert into USERS  values('testuser','testpassword','This is an testuser User with username testuser, password testpassword');

insert into GROUPS values('testgroup','This is an test Group');

insert into GROUPMEMBERS values('testgroup','testuser');

Step9). Now use the following Form Based Authentication program and deploy it on the WebLogic Server: http://middlewaremagic.com/weblogic/?p=2034

Step10). Now deploy the above application on the server and test it with:
username: testuser
password: testpassword

Thanks
Jay SenSharma


Security Breach And Attack For Java Based Application Servers

Hi,

Jay SenSharma

DISCLAIMER:

In this article we may see some abnormal behaviors of WebLogic. These are not necessarily bugs, but it is always good to be aware of such behavior while using WebLogic. The idea behind this page is just to raise awareness among WebLogic admins to be alert, especially where some of these behaviors are related to WebLogic security.

Some of these behaviors may be due to an inappropriate security implementation in WebLogic's security system; even where they work as designed, it is still advisable to keep an eye on them and to push for those features to be enhanced. Some of them have now been fixed by the application server vendor, but some still need to be fixed or enhanced. The intention here is not to point at the weak points of any application server, but solely to make people aware of such strange or uncommon behaviors.

==========================================================================
Any web server or application server that runs on one of the JVMs listed below is not safe, due to this security issue. For example, to hang a server it is enough to send it the following request using any HTTP client, such as JMeter or any other utility that lets you set an HTTP header of your choice.

Once the following HTTP request header reaches a Java-based application/web server, the server will try to parse the header and will hang while processing this request.

"GET", "/", headers={"Accept-Language": "en-us;q=2.2250738585072012e-308"}

As an illustration, try running the following simple Java program, which just tries to parse the double value 2.2250738585072012e-308. As soon as you run it you will see the JVM hang, with CPU utilization around 100% 😉

// Reproduces the Double.parseDouble hang on the affected JDKs listed below.
class HangJVM {
    public static void main(String[] args) {
        System.out.println("Test:");
        double d = Double.parseDouble("2.2250738585072012e-308");
        System.out.println("Value: " + d);  // never reached on an affected JVM
    }
}

The JVMs which are affected are as following:
Java SE
JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
JDK 5.0 Update 27 and earlier for Solaris 9
SDK 1.4.2_29 and earlier for Solaris 8

Java for Business
JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux

Save your JVM and your application server from attack, or contact your support 😉

Or get a fix from Support which updates the “rt.jar” of the JVM. The fix details are available at the following link: http://middlewaremagic.com/weblogic/?p=5393#comment-2821

And

Regarding the “Oracle Security Alert for CVE-2010-4476”, you can get the temporary security patches related to this issue from the following link: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Thanks
Jay SenSharma


Copyright © 2010-2012 Middleware Magic. All rights reserved. |