Using the WebLogic Encryption Utility to Encrypt Passwords

Security best practices require that passwords never be stored in plain text within configuration or startup files. Oracle WebLogic Server provides utilities to encrypt passwords so that sensitive information remains protected.

This guide explains two methods for encrypting passwords: the weblogic.security.Encrypt utility and WLST (WebLogic Scripting Tool).


Prerequisites

Before proceeding, ensure that:

  • You are using a recent version of WebLogic Server.
  • The latest PSU (Patch Set Update) and recommended JDK version are applied.
  • Encryption algorithms evolve (e.g., from 3DES to AES256), and newer versions provide stronger protection.
  • You are running commands from within the domain folder where the file SerializedSystemIni.dat exists — this file contains the domain’s encryption salt used to generate valid encrypted passwords. 


Option 1: Encrypt Using weblogic.security.Encrypt Utility

Steps:


  • Navigate to your domain’s bin directory:
         cd $MIDDLEWARE_HOME/user_projects/domains/<DOMAIN_NAME>/bin

  • Execute the domain environment script:
         . ./setDomainEnv.sh     # For Linux/Unix
            or
         setDomainEnv.cmd        # For Windows

  • Run the encrypt utility:
         java weblogic.security.Encrypt


You will be prompted to enter the password. The tool will then display an encrypted value.

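Alternatively, you can pass the password directly as an argument. The password then appears in the shell history and the process list, so the interactive prompt is preferable on shared hosts:
         java weblogic.security.Encrypt <PASSWORD>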


Example Output:
         $ java weblogic.security.Encrypt
         Password: welcome123
         output=
         {AES}CqKXj3V6+zE8x92a8cLLpw==


Replace the plain text password in your configuration or script file with the encrypted value:
password={AES}CqKXj3V6+zE8x92a8cLLpw==

Option 2: Encrypt Using WLST (WebLogic Scripting Tool)

Steps:


  1. Navigate to your domain’s bin directory:
         cd $MIDDLEWARE_HOME/user_projects/domains/<DOMAIN_NAME>/bin
  2. Execute the domain environment script:
         . ./setDomainEnv.sh
  3. Launch WLST:
         java weblogic.WLST
  4. Inside WLST, use the encrypt() method:
         wls:/offline> es = encrypt('<PASSWORD>')
         wls:/offline> print(es)
         {AES}9LJwWl54h2Quk6+Jz7L1hA==

If you are running WLST from a directory other than your domain, specify the domain location:
wls:/offline> es = encrypt('<PASSWORD>', 'path_to_domain')


Use the encrypted string in configuration files or scripts instead of the plain password.

Notes & Recommendations

  • Always run encryption from the same domain where the password will be used, as the SerializedSystemIni.dat is domain-specific.
  • If the encrypted password is copied to another domain, it will not decrypt properly.
  • Regularly rotate and re-encrypt passwords after patching or changing encryption algorithms.
  • Avoid using clear-text passwords in automation scripts or property files.
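To act on the last recommendation, the following added example (not part of the original post and not Oracle code) audits a properties file for secret-looking keys whose values are clear text, use a legacy prefix, or carry a malformed payload. The key-name pattern and the {3DES} and {AES256} prefixes are assumptions based on the algorithms named above; only {AES} appears in this page's output, and the sample file is constructed.

```python
import base64
import binascii
import re

# Assumed prefixes: only {AES} is shown on this page; the others follow
# the algorithms it names (3DES as the older one, AES256 as the newer).
STRONG_PREFIXES = ("{AES}", "{AES256}")
LEGACY_PREFIXES = ("{3DES}",)
# Hypothetical heuristic: property names that hint at a secret.
SECRET_KEY = re.compile(r"(password|passwd|pwd|secret)", re.IGNORECASE)

def classify(value):
    """Return 'encrypted', 'legacy', 'malformed' or 'cleartext' for one value."""
    for prefix in STRONG_PREFIXES + LEGACY_PREFIXES:
        if value.startswith(prefix):
            try:
                decoded = base64.b64decode(value[len(prefix):], validate=True)
            except (binascii.Error, ValueError):
                return "malformed"
            if not decoded:
                return "malformed"  # prefix present but empty payload
            return "legacy" if prefix in LEGACY_PREFIXES else "encrypted"
    return "cleartext"

def audit(text):
    """Return (line_no, key, status) for each secret that is not 'encrypted'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if SECRET_KEY.search(key):
            status = classify(value)
            if status != "encrypted":
                findings.append((line_no, key, status))
    return findings

# Constructed sample input (not taken from a real domain).
SAMPLE = """\
# example properties file
username=weblogic
password={AES}CqKXj3V6+zE8x92a8cLLpw==
db.password=welcome123
jms.pwd={3DES}dGVzdGRhdGE=
ldap.password={AES}not base64!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s -> %s" % finding)
```

This is a format check only: it cannot tell whether a value was encrypted in this domain, because that depends on the domain's SerializedSystemIni.dat.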






