These go to eleven!

August 6, 2008

Decryption of configuration passwords in WebLogic

Filed under: Java — Zbigniew Cyktor @ 10:11 am

BEA/Oracle WebLogic application server, being an enterprise-ready piece of software, treats security seriously. One sign of that is that all sensitive values, such as logins and passwords, are kept in encrypted form. While browsing through config.xml or boot.properties you can easily spot them, since they are usually prefixed with the string ‘{3DES}’, which obviously gives away the encryption algorithm used.

The interesting thing is that with a little bit of effort it’s actually quite easy to extract the decrypted values from the config files, using a few undocumented APIs buried in WebLogic itself. Below you will find a simple tool that prints the content of either an .xml or a .properties configuration file given as input, replacing every encrypted value with its original content. It works with WebLogic 10 but can easily be adapted for versions 8 and 9 as well (the domain directory structure differs slightly between these versions). I wrote it some time ago so that I could easily retrieve the logins and passwords of development domains that I kept forgetting too often. :) Obviously there are many other uses, like configuration management, application server migration tools etc.

You might get worried that, since it’s so easy to get at this supposedly safe data, your production environments are endangered. It isn’t so – the decryption mechanism is useless without the file SerializedSystemIni.dat, which contains the 3DES key necessary to decrypt the data and is unique for every domain. If this file is properly protected from unauthorized access at OS level then you have no worries.
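The OS-level protection that the previous paragraph relies on can be checked rather than assumed. The audit below is an added example and is not part of the original post or of WebLogic: it walks a domain directory and reports every SerializedSystemIni.dat, boot.properties or config.xml that the group or other users can read or write. It assumes a POSIX file system and Java 7 or later for java.nio.file; the class name and the list of file names are my choices.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

/*
 * Added example, not part of the original post: audits a WebLogic domain
 * directory for the files that either unlock the configuration secrets
 * (SerializedSystemIni.dat) or carry {3DES}/{AES} values (boot.properties,
 * config.xml) and reports any that group or others can read or write.
 * Assumption: a POSIX file system and Java 7+; on Windows the POSIX
 * attribute view is missing and the audit says so instead of passing.
 */
public class DomainSecretsPermissionAudit {

    private static final Set<String> SENSITIVE_NAMES = new HashSet<String>(Arrays.asList(
            "SerializedSystemIni.dat", "boot.properties", "config.xml"));

    // Anything beyond owner access lets another local account copy the key and decrypt every password.
    private static final Set<PosixFilePermission> NOT_ALLOWED = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("Usage: DomainSecretsPermissionAudit <domainDir>");
            System.exit(2);
        }
        List<String> findings = audit(Paths.get(args[0]));
        for (String finding : findings) {
            System.out.println(finding);
        }
        System.exit(findings.isEmpty() ? 0 : 1); // non-zero exit lets cron or a pipeline step alert on it
    }

    /** Walks the domain tree; returns one line per sensitive file that is too permissive. */
    public static List<String> audit(Path domainDir) throws IOException {
        final List<String> findings = new ArrayList<String>();
        if (!Files.getFileStore(domainDir).supportsFileAttributeView("posix")) {
            findings.add(domainDir + ": no POSIX permissions on this file system; review ACLs by hand");
            return findings;
        }
        Files.walkFileTree(domainDir, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                if (SENSITIVE_NAMES.contains(file.getFileName().toString())) {
                    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
                    Set<PosixFilePermission> excess = new HashSet<PosixFilePermission>(perms);
                    excess.retainAll(NOT_ALLOWED);
                    if (!excess.isEmpty()) {
                        findings.add(file + " is " + PosixFilePermissions.toString(perms)
                                + ", owner " + Files.getOwner(file).getName()
                                + "; drop " + excess);
                    }
                }
                return FileVisitResult.CONTINUE;
            }
        });
        return findings;
    }
}
```

Run it as `java DomainSecretsPermissionAudit /path/to/domain`. The exit code is non-zero whenever there is a finding, so the same class can be scheduled from cron or run as a deployment check; a clean run means the key file and the files holding encrypted values are reachable only through the account that runs the server (or through root).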

(I was going to put here a link to an interesting blog entry on the dev2dev.bea.com portal with some insightful comments on this subject, but it seems that Dev2Dev has been shut down after the BEA acquisition by Oracle. I will update this entry if it pops up somewhere else.)

Update: I have noticed that this article gets quite a lot of views every day – it seems that forgetting domain passwords is a more common problem than one would think :). Some users reported issues while processing their configuration files, which were often caused by the poor use of regular expressions in my original code. To make it easier for all of us I have prepared a new version of the tool. It uses XPath to find all XML nodes and attributes containing encrypted data. I hope that this approach is more robust.

Update 2: If you are concerned about the risk of deployed applications accessing the configuration data, then please have a look at comments #32 – #34.

import java.util.*;
import java.io.*;
import javax.xml.parsers.*;
import javax.xml.xpath.*;
import org.w3c.dom.*;

import weblogic.security.internal.*; // requires weblogic.jar in the class path
import weblogic.security.internal.encryption.*;

public class WebLogicDecryptor {

	// Every encrypted value in config.xml / boot.properties starts with this prefix.
	private static final String PREFIX = "{3DES}";
	// Selects element text nodes and attribute values that start with the prefix.
	private static final String XPATH_EXPRESSION
		= "//node()[starts-with(text(), '" + PREFIX + "')] | //@*[starts-with(., '" + PREFIX + "')]";

	private static ClearOrEncryptedService ces;

	public static void main(String[] args) throws Exception {
		if (args.length < 2) {
			throw new Exception("Usage: [domainDir] [configFile]");
		}

		// The key is read from <domainDir>/security/SerializedSystemIni.dat; without it nothing can be decrypted.
		ces = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(new File(args[0]).getAbsolutePath()));
		File file = new File(args[1]);
		if (file.getName().endsWith(".xml")) {
			processXml(file);
		}
		else if (file.getName().endsWith(".properties")) {
			processProperties(file);
		}
		else {
			throw new Exception("Unsupported file type (expected .xml or .properties): " + file.getName());
		}
	}

	private static void processXml(File file) throws Exception {
		Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(file);
		XPathExpression expr = XPathFactory.newInstance().newXPath().compile(XPATH_EXPRESSION);
		NodeList nodes = (NodeList)expr.evaluate(doc, XPathConstants.NODESET);
		for (int i = 0; i < nodes.getLength(); i++) {
			Node node = nodes.item(i);
			print(node.getNodeName(), node.getTextContent());
		}
	}

	private static void processProperties(File file) throws Exception {
		Properties properties = new Properties();
		InputStream in = new FileInputStream(file);
		try {
			properties.load(in); // load() also undoes the backslash escaping of '=' in boot.properties
		}
		finally {
			in.close();
		}
		for (Map.Entry p : properties.entrySet()) {
			if (p.getValue().toString().startsWith(PREFIX)) {
				print(p.getKey(), p.getValue());
			}
		}
	}

	private static void print(Object attributeName, Object encrypted) {
		System.out.println("Node name: " + attributeName);
		System.out.println("Encrypted: " + encrypted);
		System.out.println("Decrypted: " + ces.decrypt((String)encrypted) + "\n");
	}
}

Feel free to comment and improve.
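The tool above needs weblogic.jar and the domain key, so it is of no use to someone who only wants to confirm that a domain keeps its secrets encrypted. The scanner below is an added example, not the post’s code and not a WebLogic API: it inventories every attribute and leaf element of config.xml and every boot.properties entry, reports which cipher prefix each encrypted value carries ({3DES}, or {AES} as mentioned in comment #24), and flags secret-looking names whose value is stored in clear. The ‘password’/‘credential’/‘passphrase’ name hints are my heuristic, the sample inputs at the bottom are constructed, and only a JDK (5 or later) is required. Using Properties.load for boot.properties also sidesteps the ‘\=’ escaping problem discussed in comment #10.

```java
import java.io.*;
import java.util.*;
import javax.xml.parsers.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example (not from the original post, not a WebLogic API): inventories
// credential-bearing values in config.xml and boot.properties without decrypting
// anything and without weblogic.jar. The sample inputs below are constructed.
public class CredentialHygieneScanner {
    private static final String[] ENCRYPTED_PREFIXES = { "{3DES}", "{AES}" };
    // Heuristic (my assumption): names containing these fragments hold secrets.
    private static final String[] SECRET_NAME_HINTS = { "password", "credential", "passphrase" };

    /** "ENCRYPTED:{3DES}", "ENCRYPTED:{AES}" or "CLEARTEXT"; null when the value is not a secret. */
    public static String classify(String name, String value) {
        for (String prefix : ENCRYPTED_PREFIXES) {
            if (value.startsWith(prefix)) return "ENCRYPTED:" + prefix;
        }
        String lower = name.toLowerCase(Locale.ROOT);
        for (String hint : SECRET_NAME_HINTS) {
            if (lower.contains(hint) && value.trim().length() > 0) return "CLEARTEXT";
        }
        return null;
    }

    /** Visits every attribute and every leaf element; no XPath needed, so old parsers work too. */
    public static Map<String, String> scanXml(InputSource source) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs/entities
        Document doc = factory.newDocumentBuilder().parse(source);
        Map<String, String> findings = new LinkedHashMap<String, String>();
        walk(doc.getDocumentElement(), "", findings);
        return findings;
    }

    private static void walk(Element el, String path, Map<String, String> findings) {
        String here = path + "/" + el.getNodeName();
        NamedNodeMap attrs = el.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            record(here + "/@" + a.getName(), a.getName(), a.getValue(), findings);
        }
        boolean leaf = true;
        NodeList children = el.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            if (children.item(i).getNodeType() == Node.ELEMENT_NODE) {
                leaf = false;
                walk((Element) children.item(i), here, findings);
            }
        }
        if (leaf) record(here, el.getNodeName(), el.getTextContent(), findings);
    }

    private static void record(String location, String name, String value, Map<String, String> findings) {
        String status = classify(name, value);
        if (status != null) findings.put(location, status);
    }

    /** boot.properties: Properties.load undoes the "\=" escaping that trips line-based regexps (comment #10). */
    public static Map<String, String> scanProperties(Reader reader) throws IOException {
        Properties props = new Properties();
        props.load(reader);
        Map<String, String> findings = new LinkedHashMap<String, String>();
        for (String key : props.stringPropertyNames()) {
            String status = classify(key, props.getProperty(key));
            if (status != null) findings.put(key, status);
        }
        return findings;
    }

    // Constructed sample input: two encrypted values and one mail password left in clear.
    static final String SAMPLE_CONFIG_XML =
          "<domain><security-configuration>\n"
        + "  <credential-encrypted>{3DES}c0nstructedSampleOnly=</credential-encrypted>\n"
        + "</security-configuration><jdbc-system-resource><jdbc-data-source><jdbc-driver-params>\n"
        + "  <password-encrypted>{AES}c0nstructedSampleOnly=</password-encrypted>\n"
        + "</jdbc-driver-params></jdbc-data-source></jdbc-system-resource>\n"
        + "<mail-session><password>hunter2</password></mail-session></domain>\n";
    static final String SAMPLE_BOOT_PROPERTIES =
        "username={3DES}c0nstructedSample\\=\npassword={3DES}c0nstructedSample\\=\n";

    public static void main(String[] args) throws Exception {
        Map<String, String> findings;
        if (args.length == 0) {
            findings = scanXml(new InputSource(new StringReader(SAMPLE_CONFIG_XML)));
            findings.putAll(scanProperties(new StringReader(SAMPLE_BOOT_PROPERTIES)));
        } else {
            Reader in = new InputStreamReader(new FileInputStream(args[0]), "UTF-8");
            try {
                findings = args[0].endsWith(".xml") ? scanXml(new InputSource(in)) : scanProperties(in);
            } finally {
                in.close();
            }
        }
        for (Map.Entry<String, String> e : findings.entrySet()) {
            System.out.println(e.getValue() + "  " + e.getKey());
        }
        System.exit(findings.containsValue("CLEARTEXT") ? 1 : 0); // non-zero: a secret is stored unencrypted
    }
}
```

Without arguments it scans the built-in samples and exits with status 1 because of the cleartext mail password; given a config.xml or boot.properties path it scans that file instead. The output names the cipher prefix per value, which is the quickest way to see whether a migrated domain is still carrying {3DES} values next to {AES} ones.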



73 Comments »

  1. [...] Oracle releases BEA Workshop as a free eclipse plugin First saved by meganashley | 1 days ago Decryption of configuration passwords in WebLogic First saved by MewMewIchigogirl | 1 days [...]

    Pingback by Recent Faves Tagged With "weblogic" : MyNetFaves — August 13, 2008 @ 5:10 pm

    • Amazing piece of code. Thank you

      Comment by Anonymous — March 3, 2010 @ 3:01 pm

    • Doesn’t work for me on wl10 (on wl8 it runs gr8).
      It throws:
      Exception in thread “main” weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
      at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:78)
      at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
      at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)

      Comment by Fraggy — January 23, 2011 @ 7:50 pm

      • I Figured it out..

        I was using the wrong SerializedSystemIni.dat.

        Thanks.

        Comment by Fraggy — January 23, 2011 @ 7:53 pm

  2. Thanks, I was looking for a way to do this. Cheers!

    Comment by Anonymous — August 14, 2008 @ 7:13 pm

  3. When I try to run this on my boot.properties, I get the following error:

    Exception in thread “main” com.rsa.jsafe.JSAFE_InputException: Invalid input length for decryption.Should be a multiple of the block size – 8.
    at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:67)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:93)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:56)
    at WebLogicDecryptor.processLine(WebLogicDecryptor.java:60)
    at WebLogicDecryptor.processFile(WebLogicDecryptor.java:45)
    at WebLogicDecryptor.run(WebLogicDecryptor.java:33)
    at WebLogicDecryptor.main(WebLogicDecryptor.java:28)
    ————— nested within: ——————
    weblogic.security.internal.encryption.EncryptionServiceException – with nested exception:
    [com.rsa.jsafe.JSAFE_InputException: Invalid input length for decryption.Should be a multiple of the block size - 8.]
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:77)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:93)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:56)
    at WebLogicDecryptor.processLine(WebLogicDecryptor.java:60)
    at WebLogicDecryptor.processFile(WebLogicDecryptor.java:45)
    at WebLogicDecryptor.run(WebLogicDecryptor.java:33)
    at WebLogicDecryptor.main(WebLogicDecryptor.java:28)

    Any ideas? I am using Weblogic8.1 sp4.

    Thanks,

    Comment by Steven — October 23, 2008 @ 6:09 pm

    • Most likely this exception is due to the presence of backslashes in the encrypted password. Remove all backslashes from the password string, that should do the trick.

      Comment by Alex Betin — July 6, 2010 @ 3:20 pm

  4. Any idea what’s the length of the 3-DES secret key?

    Comment by Willie — October 27, 2008 @ 12:29 am

  5. Hi Steven, that’s rather strange – it should not happen assuming that the encrypted data has not been corrupted. Since we cannot exclude that there is a bug in my code, you might want to execute the ces.decrypt(encoded) method with an encrypted value copy-pasted from your config file. Please let me know if you succeed.

    Another thing is that the earliest version of WebLogic that I ran this tool with was 8.1 sp5, so this might have something to do with it, although it is not very likely.

    Comment by Zbigniew Cyktor — October 27, 2008 @ 7:18 pm

  6. Willie, I don’t know but I’d assume that it uses 168 bit key.

    Comment by Zbigniew Cyktor — October 27, 2008 @ 7:22 pm

  7. Hi Zbigniew,

    Could you please tell me how I can run this tool against a single copy/pasted encrypted value? I am using weblogic 8.1 sp4. Also, what classpath entries would need to be set for this?

    Comment by Steven — November 24, 2008 @ 5:32 pm

  8. Also,

    I have now tried this with Weblogic 8.1 SP6 and when I run it against the config.xml in my domain, it spits out the entire config.xml again with all encrypted passwords. It does not decrypt any passwords, just displays the same config.xml with same encrypted passwords. Any ideas?

    Comment by Steven — November 24, 2008 @ 5:54 pm

  9. Hi Steven,

    Rather strange. Maybe your config.xml is formatted in a way that fools my primitive regexp code, which extracts encrypted values. You can try to bypass it and run something just like this:

    ClearOrEncryptedService ces = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(domainDir.getAbsolutePath()));
    System.out.println(ces.decrypt(encryptedText));

    where encryptedText is pasted from your config file (including ‘{3DES}’ prefix!).

    I assume that you already figured out the right classpath.

    cheers,
    Zbigniew

    Comment by Zbigniew Cyktor — November 25, 2008 @ 1:41 pm

  10. Found the block size issue. The code doesn’t like the escaping of the ‘=’ to ‘\=’ in the properties files.

    I just added

    encoded = encoded.replace("\\", "");

    in the process line method to clear that up. Worked perfectly afterwards.

    Thanks,
    Jason

    Comment by Jason — December 29, 2008 @ 10:45 pm

  11. Jason,

    Thanks for bothering to post the solution! I have just updated the code with your change.

    cheers,
    Zbigniew

    Comment by Zbigniew Cyktor — January 7, 2009 @ 1:03 pm

  12. Hi all,

    When I am trying to compile the new code, its throwing the following error:

    $ /usr/local/ibi/bea/jdk142_05/bin/javac WebLogicDecryptor.java

    WebLogicDecryptor.java:60: replace(char,char) in java.lang.String cannot be applied to (java.lang.String,java.lang.String)
    encoded = encoded.replace("\\", "");
    ^
    1 error

    Any suggestions?

    Comment by Steven — January 12, 2009 @ 8:12 pm

  13. Hi Guys, looks like this has something to do with the Java version. I compiled it with Java 1.5 and it compiled fine, but when I tried to run it against boot.properties it threw the following error:

    Exception in thread “main” java.lang.NoClassDefFoundError: WebLogicDecryptor

    I am running it like this:

    /opt/java1.5/bin/java WebLogicDecryptor boot.properties

    Comment by Steven — January 15, 2009 @ 10:02 pm

  14. ok, got past that error too :) Now the last one and I am stumped at this one:

    Exception in thread “main” java.lang.NoClassDefFoundError: weblogic/security/internal/encryption/ClearOrEncryptedService
    at WebLogicDecryptor.run(WebLogicDecryptor.java:32)
    at WebLogicDecryptor.main(WebLogicDecryptor.java:28)

    I have my CLASSPATH set like this:

    echo $CLASSPATH
    /opt/java1.4/lib/tools.jar:/usr/local/ibi/bea/sp4_weblogic81/server/lib/weblogic_sp.jar:/usr/local/ibi/bea/sp4_weblogic81/server/lib/weblogic.jar::/usr/local/ibi/bea/sp4_weblogic81/common/eval/pointbase/lib/pbserver44.jar:/usr/local/ibi/bea/sp4_weblogic81/common/eval/pointbase/lib/pbclient44.jar:/opt/java1.4/jre/lib/rt.jar:/usr/local/ibi/bea/sp4_weblogic81/server/lib/webservices.jar:/usr/local/ibi/bea/jdk142_05/lib/tools.jar:/usr/local/ibi/bea/sp4_weblogic81/server/lib/weblogic_sp.jar:/usr/local/ibi/bea/sp4_weblogic81/server/lib/weblogic.jar::/usr/local/ibi/bea/sp4_weblogic81/common/eval/pointbase/lib/pbserver44.jar

    Comment by Steven — January 15, 2009 @ 10:41 pm

  15. Well, I tried to run it on my 8.1 SP6 config.xml file and got a LOT of errors, mostly concerning the regular expression. There is a bug that makes it catch 2 strings together if they are on the same line and then the decoding does not work, and there were a few more. But eventually I got it to run :-) Funny enough, despite taking about 3 hours to do it, it was still easier than trying to get the admin here to tell me the password himself… I also added an “i” parameter to the processLine function, it helps to use conditional breakpoints and catch it just as it enters the problematic line.

    Anyway, here is the updated code. Zbigniew, Thanks for that chunk of code, mate, you really saved me here. Good on ya.

    import java.io.*;
    import java.util.regex.*;

    import weblogic.security.internal.SerializedSystemIni;
    import weblogic.security.internal.encryption.ClearOrEncryptedService;

    public class WebLogicDecryptor {

        // In XML the value ends at the closing quote of the attribute; in a properties file it runs to end of line.
        protected static final String REGEX_FOR_XML = "\\{3DES\\}[^\"]*";
        protected static final String REGEX_FOR_PROPERTIES = "\\{3DES\\}.*";

        protected boolean isXML;
        protected Pattern pattern;
        protected ClearOrEncryptedService ces;

        public static void main(String[] args) throws Exception {
            if (args.length < 2) {
                throw new Exception("Usage: [domainDir] [configFile]");
            }

            File domainDir = new File(args[0]);
            File configFile = new File(args[1]);

            if (!domainDir.exists() || !domainDir.isDirectory() || !configFile.exists() || configFile.isDirectory()) {
                throw new Exception("Files or directories provided as parameters do not exist.");
            }
            new WebLogicDecryptor().run(domainDir, configFile);
        }

        public void run(File domainDir, File configFile) throws Exception {
            ces = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(domainDir.getAbsolutePath()));
            processFile(configFile);
        }

        public void processFile(File file) throws Exception {
            int i = 0;
            isXML = file.getName().endsWith(".xml");
            pattern = Pattern.compile(getRegex());

            BufferedReader in = null;
            try {
                in = new BufferedReader(new FileReader(file));
                String line = null;
                while ((line = in.readLine()) != null) {
                    System.out.println(processLine(line, ++i));
                }
            }
            finally {
                if (in != null) {
                    in.close();
                }
            }
        }

        // 'i' is the line number; handy for a conditional breakpoint on a problematic line.
        protected String processLine(String line, int i) {
            String result = line;
            Matcher m = pattern.matcher(result);
            while (m.find()) {
                String encoded = result.substring(m.start(), m.end());
                encoded = encoded.replaceAll("\\\\", ""); // strip backslash escapes, see comment #10
                String decoded = ces.decrypt(encoded);
                // Splice instead of replaceFirst(): a decrypted value containing '$' or '\'
                // must not be interpreted as a regex replacement pattern.
                result = result.substring(0, m.start()) + decoded + result.substring(m.end());
                m.reset(result);
            }
            return result;
        }

        protected String getRegex() {
            return isXML ? REGEX_FOR_XML : REGEX_FOR_PROPERTIES;
        }
    }

    Comment by Kobi — March 3, 2009 @ 3:16 pm

  16. Ok, I can’t seem to post the config.xml information so I’ll just strip out the tags

    This is what credentials looked like before decryption:

    CredentialEncrypted="{3DES}OlzwOC4caOpQdC//Qf5EeSOFPc7jYnQS7B9UrYS1kto=" Name="TestDomain"
    CredentialEncrypted="{3DES}M5ZBXGoihvVW6dxdWB8RbPHxvgadUZwbJ9SicB0xXyspQtxaYSEqojoVBTiTD8dZMDBhuFQzb41I4gOJ7NTPT0xBsKd/TUHV"

    This is what they looked like after the decryption:

    CredentialEncrypted="0xfb9cbcf181eefc7667877422b0" Name="TestDomain"
    CredentialEncrypted="0x19e021ed0f324dc6d2a2c9bf78b062abb099ae45eaecce70311458bfc162deef"

    Any clues on what might be the issue here?

    Comment by Steven — March 3, 2009 @ 7:59 pm

  17. Kobi, thanks a lot for sharing the improved version! I will update the code with your changes. I guess that the most error-proof version would probably have to be done as a SAX parser to avoid all problems with different ways the config.xmls are formatted.

    Steven, it seems that the decryption procedure worked just fine. The trick is that the output is binary data encoded as hexadecimals (as the “0x” prefix suggests). If you are looking for logins/passwords, then they are most likely somewhere deeper in the config.xml.

    cheers!

    Comment by Zbigniew Cyktor — March 4, 2009 @ 5:39 am

  18. Zbigniew, not sure exactly how a SAX parser will help, since you are looking for attributes that correspond to a specific reg exp… I don’t have a lot of experience with SAX but I hardly remember an option that allows you to enumerate and iterate over all the attributes in an XML document that match a specific reg exp… But if I am wrong, I would love to know how to do that because I have a task just like that sometime later this month and my plan was to write some sort of helper class that does just that by running over all the attributes and matching them to the reg exp… Would love to save myself that work.

    I agree with what you said about the hex output. The specific attribute in question is a serialization of a java object (representing Credentials) so the plain output is not very clear to the human eye but it is to a java deserializer. It’s exactly the same mechanism that decrypts passwords (I checked it on JDBC Connection Pool passwords) and it works perfectly. I am still trying to figure out how you found out how to use these undocumented classes in the first place… You the man… :-)

    So, again, thanks for the code.
    Cheers,

    Kobi

    Comment by Kobi — March 4, 2009 @ 1:25 pm

  19. The trick is that in case of SAX parsing you don’t need regular expressions at all since it’s easy to find which attribute or element needs to be decrypted – either by checking if its name has ‘Encrypted’ suffix or the content has ‘{3DES}’ prefix.

    In case of your planned task it might make more sense to use regexps together with SAX if the logic required to find the right pieces of data is more complex than what we are doing here. Maybe it’s also worth checking whether XPath could be useful to you. I’m pretty sure that in version 1.0 it did not allow regular expressions but maybe that has changed in the meantime. Good luck!

    Comment by Zbigniew Cyktor — March 5, 2009 @ 7:30 am

  20. Thanks, actually, I don’t need to use a regexp if there is a way to locate all the attributes whose value contains a specific prefix, much like here. I don’t remember seeing an interface for that, but I’ll check again :-)

    Cheers,

    Comment by Kobi — March 5, 2009 @ 8:06 am

  21. Hi Guys, so to see the clear text password I need a Java deserializer? If not, then how do I convert those Hexadecimals to readable text?

    Thanks to both Zbigniew and Kobi for this great utility. It works very well on the boot.properties and shows clear text user/pass. Now if we can get it to do that for config.xml as well….

    Comment by Steven — March 5, 2009 @ 7:33 pm

  22. [...] for me, I’ve found this post, he got this working for Weblogic 10, however, the config file structure is a bit different, so I [...]

    Pingback by Decryption of Weblogic 8 3DES passwords in config.xml… « Sameh M. Shaker’s Weblog — March 31, 2009 @ 6:31 am

  23. Hi,
    I get the below exception when I was trying to run

    weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:78)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:94)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:87)
    at WebLogicDecryptor.processLine(WebLogicDecryptor.java:68)
    at WebLogicDecryptor.processFile(WebLogicDecryptor.java:49)
    at WebLogicDecryptor.run(WebLogicDecryptor.java:36)
    at WebLogicDecryptor1.main(WebLogicDecryptor1.java:28)
    Caused by: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
    at com.rsa.jsafe.JA_PKCS5Padding.a(Unknown Source)
    at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:68)
    … 6 more

    Any idea why this happens

    Comment by PerfTester — April 1, 2009 @ 9:01 am

  24. How to decrypt suppose if the password starting with {AES}HvuAQSKr5aG….

    Comment by senthil — May 13, 2009 @ 2:35 pm

  25. I tried to decrypt a given text by using:
    ClearOrEncryptedService ces2 = new ClearOrEncryptedService(SerializedSystemIni.getEncryptionService(domainDir.getAbsolutePath()));
    System.out.println(ces2.decrypt("{3DES}C7IknhvOSWU="));

    I got the following exception any ideas:

    com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
    at com.rsa.jsafe.JA_PKCS5Padding.performUnpadding(Unknown Source)
    at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:67)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:93)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:56)
    at edu.play.WebLogicDecryptor.run(WebLogicDecryptor.java:40)
    at edu.play.WebLogicDecryptor.main(WebLogicDecryptor.java:32)
    ————— nested within: ——————
    weblogic.security.internal.encryption.EncryptionServiceException – with nested exception:
    [com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.]
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:77)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:93)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:56)
    at edu.play.WebLogicDecryptor.run(WebLogicDecryptor.java:40)
    at edu.play.WebLogicDecryptor.main(WebLogicDecryptor.java:32)

    Comment by Skely — June 19, 2009 @ 6:35 pm

  26. Thank you guys for the wonderful postings, it works. :)

    Comment by Andy — July 3, 2009 @ 12:26 am

  27. Steven,

    How did you get around this one?

    Exception in thread “main” java.lang.NoClassDefFoundError: weblogic/security/internal/encryption/ClearOrEncryptedService
    at WebLogicDecryptor.main(WebLogicDecryptor.java:23)

    Thanks.

    Comment by Harsha — September 1, 2009 @ 4:42 pm

  28. You just need to add weblogic.jar (which is part of you server installation) to the classpath while running the code.

    Comment by Zbigniew Cyktor — September 1, 2009 @ 6:13 pm

  29. This rocks !!!

    I had an issue with node.getTextContent(). Probably my xml jars are old. Copied the password part from xml to properties file. It worked. Thanks.

    Comment by Mahesh — October 6, 2009 @ 4:04 pm

  30. I also get the unpadding problem. Works on some installations, but no on others it seems. This is a 64-bit linux install, clustered with separate admin server. The one it works for is a 32-bit win32 install with no separate admin server.

    Comment by John Bäckstrand — January 15, 2010 @ 6:55 am

  31. I disagree with your statement: “If SerializedSystemIni.dat is properly protected from unauthorized access on OS level then you have no worries.”

    The account running deployed weblogic applications uses SerializedSystemIni.dat for data-sources etc. Hence, any application can invoke ClearOrEncryptedService no? So, while OS protection stops snooping, just get ClearOrEncryptedService code deployed on the server and oh S%^&*(t it just works….

    Can you tell in a production environment and there’s no way to stop them.

    Comment by Worried — February 21, 2010 @ 5:51 am

  32. Sorry, last sentence above was garbled :

    Is it possible to configure weblogic so ClearOrEncryptedService cannot be exploited by deployed applications? If so how?

    Thanks Zbigniew for a great post!

    Comment by Worried — February 21, 2010 @ 5:56 am

  33. Hi, ‘Worried’

    You raised a good question.

    At first I was going to respond with a generic answer that if we let arbitrary untrusted code be deployed on a server then the game is over anyway and we should expect bigger problems than somebody decrypting the config content.

    But instead of that I’ve decided to experiment a little bit and here is the result. Essentially, by default deployed applications can access the data in question. But there is a way to block it. You can configure the server to use a Java security manager based on the weblogic.policy file that came with WLS. In order to do so you need to edit the file setDomainEnv.cmd (or its unix equivalent) and locate a section which mentions JACC. This is the place where you set the following variables:

    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Djava.security.manager
    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Djava.security.policy=c:/bea/wlserver_10.3/server/lib/weblogic.policy
    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Djavax.security.jacc.policy.provider=weblogic.security.jacc.simpleprovider.SimpleJACCPolicy
    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Djavax.security.jacc.PolicyConfigurationFactory.provider=weblogic.security.jacc.simpleprovider.PolicyConfigurationFactoryImpl
    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Dweblogic.security.jacc.RoleMapperFactory.provider=weblogic.security.jacc.simpleprovider.RoleMapperFactoryImpl

    You will obviously need to change the path to weblogic.policy to match your location.
    After this change the server does not allow access to the SerializedSystemIni.dat file from within the deployed code. Direct access to config.xml is also denied.

    regards,
    Zbigniew

    Comment by Zbigniew Cyktor — February 21, 2010 @ 10:05 am

  34. This is really easier than the above one.

    import weblogic.security.internal.BootProperties;

    public class RecoverPassword {

        public static void main(String[] args) {
            //BootProperties.load(null, false); // tested with 8.1
            BootProperties.load("C:\\bea\\user_projects\\domains\\ualdomain\\servers\\AdminServer\\security\\boot.properties", false); // tested with 10.3
            BootProperties bootp = BootProperties.getBootProperties();

            System.out.println(
                "#####################[" +
                bootp.getOneClient() + "/" + bootp.getTwoClient() +
                "]###################");
        }

    }

    Comment by Jai Shankar — March 9, 2010 @ 6:50 pm

  35. Thanks for sharing, Jai!

    Unfortunately I haven’t managed to run it successfully – I get multiple exceptions related to padding on my WLS 10.3 instance. Also is there a way to make this code work with XML files which are part of a domain configuration?

    Comment by Zbigniew Cyktor — March 14, 2010 @ 4:12 pm

  36. Thanks very much for the code! It works with Weblogic 8.1.6 and java 1.4 if you port the conditional to java 1.4. I did the following with success.

    replace line 46:
    for (Map.Entry p : properties.entrySet()) {

    with the following 2 lines:
    for (Iterator it = properties.entrySet().iterator(); it.hasNext();) {
    Map.Entry p = (Map.Entry) it.next();

    Comment by kevin t — April 14, 2010 @ 7:41 pm

  37. Thanks for the code. It is very useful.

    Comment by Karthick_3d — May 26, 2010 @ 11:14 am

  38. Two questions: how do you use this? Can I copy weblogic.jar and config.xml and boot.properties to another computer? I would assume you need to compile and run, but the machine does not have javac and I don’t think I can install the SDK without breaking other things.

    Thanks,
    Matt

    Comment by Matt — June 5, 2010 @ 3:58 am

  39. You do a good job, Thanks a lot!

    Comment by Steven zhou — August 10, 2010 @ 4:09 am

    • This doesn’t work with AES.

      I tried this code:
      EncryptionService es = weblogic.security.internal.SerializedSystemIni.getEncryptionService(".");
      ClearOrEncryptedService ces = new ClearOrEncryptedService(es);
      ces.decrypt(password);
      but I get the following:
      Exception in thread “main” weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
      at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:125)
      at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:173)
      at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
      at br.com.thiagovespa.weblogic.util.RecoverLostPass.main(RecoverLostPass.java:25)
      Caused by: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
      at com.rsa.jsafe.JA_PKCS5Padding.a(Unknown Source)
      at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)
      at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:113)
      … 3 more

      Did anybody succeed with AES?

      Comment by Thiago Galbiatti Vespa — September 17, 2010 @ 4:09 pm

      • I got it…. in the encryptionservice param I inform the security folder where the SerializedSystemIni.dat resides.

        Comment by Thiago Galbiatti Vespa — September 17, 2010 @ 4:36 pm

      • Can you advise how you informed “the security folder where the SerializedSystemIni.dat resides”?

        I am trying to use this code to be able to decrypt user/pass from multiple domains. The idea is to have one function within a script to decode the boot.properties file depending on the user id that executes the script. I am getting the same exception as you mentioned above.
        Thank you in advance.

        Comment by Sajid Rashid — May 5, 2011 @ 6:58 pm

      • Thank you. I found the answer to my own question. I use the following parameter in the java call made to wlst.jar and set its value to the domain root directory each time I call the script.

        -Dweblogic.RootDirectory="PATH2DOMAIN"

        Comment by Sajid Rashid — May 6, 2011 @ 6:31 pm

  40. I am getting this error, why?
    How do I run this program?

    Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/kernel/Kernel
    at weblogic.logging.LoggingHelper.getServerLogger(LoggingHelper.java:24)
    at weblogic.security.notshared.LoggerAdapterImpl.getServerLogger(LoggerAdapterImpl.java:196)
    at weblogic.security.notshared.LoggerAdapterImpl.getLogger(LoggerAdapterImpl.java:107)
    at weblogic.security.shared.LoggerWrapper.getInstance(LoggerWrapper.java:65)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.<init>(JSafeEncryptionServiceImpl.java:26)
    at weblogic.security.internal.SerializedSystemIni.generateEncryptedSecretKey(SerializedSystemIni.java:58)
    at weblogic.security.internal.SerializedSystemIni.<init>(SerializedSystemIni.java:111)
    at weblogic.security.internal.SerializedSystemIni.getEncryptionService(SerializedSystemIni.java:260)
    at WebLogicDecryptor.main(WebLogicDecryptor.java:23)

    Comment by manik — November 15, 2010 @ 6:40 am

  41. This is too good.

    Comment by pravin — December 24, 2010 @ 9:18 pm

  42. Great tool. Don’t forget to pass only the domain directory for which the passwords have to be decrypted. Ex: passing a unix boot.properties on a windows domain.. no no

    Comment by shashik — January 12, 2011 @ 4:36 pm

  43. Thanks the article helped greatly in solving a costly issue.

    Comment by charles — February 1, 2011 @ 9:19 pm

  44. Great, that was really useful. Thanks a lot !!

    Comment by Chait — March 7, 2011 @ 12:46 pm

  45. great dude !!!

    Comment by sarava20@gmail.com — March 14, 2011 @ 9:32 am

  46. great dude !!! ..worked fine !!!

    Comment by sarava20@gmail.com — March 14, 2011 @ 9:35 am

  47. How do I convert an encrypted password to decrypted form?

    Comment by vivian — April 6, 2011 @ 10:52 am

  48. For those looking for recovering AES-encoded passwords (such as Weblogic 11g R1), look at http://www.javamonamour.org/2010/07/how-to-recover-weblogic-password.html.

    Comment by Sri Sankaran — April 28, 2011 @ 12:27 pm

    • I used the above code to recover AES encrypted passwords from my WLS 10.3.3 domain, by simply changing the PREFIX variable from “3DES” to “AES”. Worked like a charm.

      Comment by Anonymous — July 18, 2011 @ 7:03 pm

  49. Excellent post :)
    Regards,

    Comment by Rafael — June 1, 2011 @ 7:12 pm

  50. I’m getting this error while reading passwords from boot.properties in Weblogic 9.2 MP3

    Exception in thread "main" java.lang.NoClassDefFoundError: com/rsa/jsafe/JSAFE_SecureRandom
    at weblogic.security.internal.SerializedSystemIni.getEncryptionService(SerializedSystemIni.java:214)
    at weblogic.security.internal.SerializedSystemIni.getEncryptionService(SerializedSystemIni.java:261)
    at WebLogicDecryptor.main(WebLogicDecryptor.java:48)

    Regards,
    Dipil Jain

    Comment by Dipil Jain — August 1, 2011 @ 6:26 pm

  51. Forgot to mention that my classpath settings do have weblogic.jar in them.

    Comment by Dipil Jain — August 1, 2011 @ 6:27 pm

  52. Got it… I was executing with a local copy of weblogic.jar… instead I used the complete classpath of /weblogic92/server/lib/weblogic.jar
    and it worked like a charm :)

    Thanks
    Dipil Jain

    Comment by Dipil Jain — August 1, 2011 @ 8:27 pm

    • This is due to the relative classpath in META-INF

      Comment by Amjad Ashkar — February 4, 2012 @ 3:11 pm

  53. If you still have “com.rsa.jsafe.JSAFE_InputException: Invalid input length for decryption” after removing backslashes, maybe you forgot to add quotes on the java call:

    "{AES}wyg/OLkXkN7KL5h1/VLX47hjg3pImP1IPIUKnQHoyQ0="
    instead of
    {AES}wyg/OLkXkN7KL5h1/VLX47hjg3pImP1IPIUKnQHoyQ0=

    Comment by Marco — September 23, 2011 @ 3:14 pm
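    Pulling the fixes from this thread together (Thiago's padding error from pointing the service at the wrong directory, Sajid's -Dweblogic.RootDirectory workaround, the {AES} prefix on newer domains, and Marco's quoting problem) as one small Java tool. This is an added example, not the post's WebLogicDecryptor or any WebLogic code; it assumes getEncryptionService accepts the domain directory and that SerializedSystemIni.dat sits in <domain>/security (WebLogic 9/10) or the domain root (8.1), and the class name DomainPasswordDecryptor is hypothetical.

```java
import java.io.File;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import weblogic.security.internal.SerializedSystemIni;
import weblogic.security.internal.encryption.ClearOrEncryptedService;
import weblogic.security.internal.encryption.EncryptionService;

/** Added example (hypothetical class, not the post's tool): decrypt one {3DES}/{AES} value for a given domain. */
public class DomainPasswordDecryptor {

    // The prefix WebLogic writes in front of an encrypted value: {3DES}... on older domains, {AES}... on newer ones.
    private static final Pattern ENCRYPTED = Pattern.compile("^\\{(3DES|AES)\\}(.+)$");

    /**
     * Locates the domain's own SerializedSystemIni.dat before asking WebLogic for the service.
     * A key file from another domain (or from a copy of the domain taken from another OS) does not
     * fail cleanly: it surfaces as JSAFE_PaddingException "invalid pad byte", as seen in the thread.
     */
    static EncryptionService serviceFor(File domainDir) {
        File ini9 = new File(new File(domainDir, "security"), "SerializedSystemIni.dat"); // WebLogic 9/10 layout
        File ini8 = new File(domainDir, "SerializedSystemIni.dat");                       // WebLogic 8.1 layout
        if (!ini9.isFile() && !ini8.isFile()) {
            throw new IllegalArgumentException("no SerializedSystemIni.dat found under " + domainDir);
        }
        // Passing the domain directory explicitly has the same effect as -Dweblogic.RootDirectory,
        // but a script that handles several domains cannot pick up a stale value from the JVM.
        return SerializedSystemIni.getEncryptionService(domainDir.getAbsolutePath());
    }

    /** Decrypts a single prefixed value; a value without a {3DES}/{AES} prefix is clear text and is returned as-is. */
    static String decrypt(File domainDir, String value) {
        Matcher m = ENCRYPTED.matcher(value.trim());
        if (!m.matches()) {
            return value;
        }
        ClearOrEncryptedService ces = new ClearOrEncryptedService(serviceFor(domainDir));
        return ces.decrypt(value.trim());
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            // The value must be quoted on the command line: unquoted, the shell may eat the braces
            // and any backslashes, which shows up as JSAFE_InputException "Invalid input length".
            System.err.println("usage: java DomainPasswordDecryptor <domainDir> '{AES}...'");
            System.exit(2);
        }
        System.out.println(decrypt(new File(args[0]), args[1]));
    }
}
```

    Nothing here works without read access to the domain's SerializedSystemIni.dat, which is why the OS permissions on that file, not the {3DES}/{AES} wrapping, are what protect these values.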

  54. FYI.. I tried this app on Weblogic 8.1 SP4, worked great. Thanks

    Comment by Anonymous — January 6, 2012 @ 11:13 pm

  55. [...] Source: http://middlewaremagic.com/weblogic/?p=5806#comment-2935 Source: http://gustlik.wordpress.com/2008/08/06/decryption-of-configuration-passwords-in-weblogic/ Tags config.xml, jdbc, SerializedSystemIni, weblogic Categories [...]

    Pingback by Decryption Of Configuration Passwords In WebLogic // Woo0s.com — January 26, 2012 @ 6:41 am

  56. Thanks, it worked fine for my weblogic 10.3

    Comment by Chandu — March 16, 2012 @ 5:52 pm

  57. Thanks, It worked fine for AES as well

    Comment by Anonymous — April 12, 2012 @ 5:49 pm

  58. Perfect. I have been looking for a way to retrieve passwords. tested your code on 10.3.2.0 servers and worked great.
    Thanks a lot.

    Comment by Anonymous — September 26, 2012 @ 3:16 am

    • Hi, can you please give the steps to execute this script?

      Comment by Anonymous — April 17, 2014 @ 5:51 pm

  59. Hi, can anyone please give the steps to execute this script?

    Comment by Reddy — April 17, 2014 @ 5:54 pm

  60. It’s remarkable for me to have a web page, which is
    beneficial in favor of my know-how. Thanks,
    admin

    Comment by http://www.Google.ca/ — July 15, 2014 @ 9:33 pm

  61. Hi there it’s me, I am also visiting this site regularly, this web site is genuinely fastidious and the people are genuinely sharing good thoughts.

    Comment by slate roof installation details — September 11, 2014 @ 12:01 pm

