Secured Access Using Encrypted Credentials with WLST

Apr/11

Secured Access Using Encrypted Credentials with WLST

Ravish Mody

We are been getting lot of questions about how can one avoid giving the clear text uersname and password in the WLST scripts or in the properties file for the security requirement. Hence I though of writing a new article on it so that it would more easier for others to get there answers. A month back I had written a post Deploy Applications Using Encrypted Password With ANT — Security Alert and would be using the same technique with WLST also which works just fine.

I would be using the StoreUserConfig, to create a user-configuration file which would contain an encrypted username and password and an associated key file that contains a secret key that is used to encrypt and decrypt the username and password which is in the user-configuration file. Once these files have been created then we can use them in any WLST script or any properties files.

Steps to create the user configuration file and key file:

There are basically two ways to create the StoreConfig and Key file.

1. weblogic.Admin Command:

Option-1). Using weblogic.Admin utility like following:

java weblogic.Admin -url t3://localhost:7001 -username weblogic -password weblogic
-userconfigfile C:\Security_Files_Dir\domain_A_userConfig.file
-userkeyfile C:\Security_Files_Dir\domain_A_key.file  STOREUSERCONFIG

2. WLST Commands:

Option-2). Now lets see how to create a user-configuration file and an associated key file by running the StoreUserConfig() using WLST with the following commands.

Step-1) Starting the WLST After running the setWLSEnv.sh script in the command prompt.

java  weblogic.WLST

Step-2) Connecting to WebLogic Admin Server using WLST

connect('weblogic','weblogic','t3://localhost:7001')

Step-3) Storing the user config file.

storeUserConfig('/someDirectory/MyUserConfigFile','/someDirectory/MyUserKeyFile')

Here:
someDirectory = Path where you would like to create these files
MyUserConfigFile = user-configuration
MyUserKeyFile = key file

Steps to use the user configuration file and key file in any WLST

Now we can use these files in any WLST scripts or in properties file, so lets look into it one by one

1. WLST script:

Normally we give the clear text username and password in the connect() command with the URL as show below

connect('weblogic','weblogic','t3://localhost:7001')

However as we have created user-configuration and the key files, hence we would now be replacing the above command with the below command

connect(userConfigFile='/someDirectory/MyUserConfigFile',userKeyFile='/someDirectory/MyUserKeyFile',url='t3://localhost:7001')

Where:
userConfigFile = the path where user-configuration file is been kept.
userKeyFile = the path where key file is been kept.
url = the url of the server where you want to connect it.

2. Properties file

We all know the use of the properties file with WLST, it gives an added advantage to just change the values in one simple file without touching the actual WLST which has the business logic. Now here is the changes has to be done as before and after

# Before (When you are NOT using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=weblogic
admin.password=weblogic

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(adminUser,adminPassword,adminUrl)

# After (When using user-configuration and the key files)

In *.properties files

admin.url=t3://localhost:7001
admin.username=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserconfigfile.secure
admin.password=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserkeyfile.secure

In WLST script

adminUrl = configProps.get("admin.url")
adminUser = configProps.get("admin.username")
adminPassword = configProps.get("admin.password")

connect(userConfigFile=adminUser,userKeyFile=adminPassword,url=adminUrl)

Where:
userConfigFile = the path where user-configuration file is been kept.
userKeyFile = the path where key file is been kept.
url = the url of the server where you want to connect it.

This way you can use your user-configuration and the key files inseated of the clear text credentials.

Regards,

Ravish Mody

Buffer

If you enjoyed this post, please considerleaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Security, WLST

3 Comments for this entry

mpkbang
May 8th, 2011 on 6:10 pm
Hi Ravish,

i had followed the above steps mentioned and i am getting prompt for entering username and password for every connect. find the below output.

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Checking All Servers State Details

You will need to be connected to a running server to execute this command

Please enter your username [weblogic] :

Please help me how can avoid this prompt

Log in to Reply
- JaySenSharma
  May 9th, 2011 on 11:33 am
  Hi mpkbang,
  It looks like you are not passing the userKey file and the Config file to the connect() properly :
  
  admin.url=t3://localhost:7001
  admin.username=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserconfigfile.secure
  admin.password=/home/rmody/JBoss_Data/Samples/WLS/secure/myuserkeyfile.secure
  connect(userConfigFile=adminUser,userKeyFile=adminPassword,url=adminUrl)
  .
  .
  Keep Posting 🙂
  Thanks
  Jay SenSharma
  
  Log in to Reply
mpkbang
May 10th, 2011 on 2:30 pm
Thanks corrected my mistake.

Thanks,
Pavan

Log in to Reply

You must be logged in to post a comment.

RSS feed for this post (comments) · TrackBack URI