Wednesday, June 17, 2009

Recovering WebLogic Passwords

In one of my previous articles (here) I explained that the SerializedSystemIni.dat file in WebLogic contains the key used to encrypt and decrypt passwords. If you're not currently keeping this file secure I suggest you do, as with it someone can (to name a few things):
  • Decrypt the WebLogic admin username and password from boot.properties.
  • Recover database passwords, if JDBC Connection pools are configured, from config.xml.
  • Recover the keystore passwords from config.xml and obtain SSL certificates stored in the jks keystores.
Essentially, they can do whatever they want, so if you don't know who can read your SerializedSystemIni.dat files, look... now.
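One quick way to answer that question on a Unix host, as an added example (not part of the original article): walk the domains tree and report every SerializedSystemIni.dat or boot.properties that the group or the world can read. The domain layout the demo builds is constructed, and the real path under user_projects is an assumption.

```python
import os
import stat
import tempfile

# Files the article says are sensitive: the key file, and boot.properties, which the key decrypts.
TARGETS = ("SerializedSystemIni.dat", "boot.properties")

def find_sensitive_files(root):
    """Yield every SerializedSystemIni.dat / boot.properties below root (each domain has its own copies)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in TARGETS:
                yield os.path.join(dirpath, name)

def exposure(path):
    """List who besides the owner can read the file; an empty list is the state you want."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems

def audit(root):
    """Map each sensitive file under root to its exposure list."""
    return {path: exposure(path) for path in find_sensitive_files(root)}

def build_sample_tree():
    """Constructed demo layout (not a real domain): one domain with owner-only files, one left readable."""
    root = tempfile.mkdtemp(prefix="wl_domains_")
    for domain, mode in (("safe_domain", 0o600), ("leaky_domain", 0o644)):
        sec = os.path.join(root, domain, "security")
        os.makedirs(sec)
        for name in TARGETS:
            path = os.path.join(sec, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not real key material")
            os.chmod(path, mode)
    return root

if __name__ == "__main__":
    # Against a real install: audit("/opt/bea/user_projects/domains") -- that path is an assumption.
    for path, problems in sorted(audit(build_sample_tree()).items()):
        print("%-30s %s" % (", ".join(problems) or "owner-only", path))
```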

In this article I will show how easy it is for this file to be used to recover lost passwords via a simple WLST script.


The Script

The script I use to decrypt passwords is incredibly short, and it works with WebLogic 8, 9 and 10 (probably for version 7 too). To use it, just create a new file called decryptpwd.py and paste the following code into it:

from weblogic.security.internal import *
from weblogic.security.internal.encryption import *

# Remind user about how to use
raw_input("Please ensure SerializedSystemIni.dat is in the current directory now, and press ENTER to continue.")

# Get encryption service
encryptionService = SerializedSystemIni.getEncryptionService(".")
clearOrEncryptService = ClearOrEncryptedService(encryptionService)

# Get user to enter password
pwd = raw_input("Enter encrypted password (Eg. {3DES}Y1fA34S...): ")

# Remove unnecessary escape characters
preppwd = pwd.replace("\\", "")

# Decrypt the password
print "Recovered password is: " + clearOrEncryptService.decrypt(preppwd)

You can download the script (decryptpwd.py) here.

Running the Script

To run this script, execute the WLST environment and provide it with the script to run. If you're using a version of WebLogic older than 8.1.6 you'll need to install a newer version which has WLST.

Use the following command (replace %WL_HOME% with the correct directory) to run the script.

%WL_HOME%\common\bin\wlst.cmd decryptpwd.py

Once the WLST environment has started up, the script will remind you to copy the SerializedSystemIni.dat file into the current directory. Press Enter and paste your encrypted password string. That's it. It will spit out the password in plain text.

Understanding the Script

The script is so short and simple it is barely worth explaining, but here are a few things worth mentioning.

You'll notice that the first two lines import weblogic.security packages. These are largely undocumented, so don't expect to find much information on them.

The next significant piece of code instantiates a ClearOrEncryptedService object which will use the SerializedSystemIni.dat file located in the current directory (".").

The final line of code decrypts the password and prints it in plain text.

Monday, June 1, 2009

BEASVC.EXE - WebLogic as a Windows Service

I remember the first time I had to work out why WebLogic wouldn't run as a service. It was a frustrating experience. There were no error messages. No Windows error dialog. No console output.

How do you troubleshoot something like this??!!

This short article will show you. For simplicity I'll talk about the node manager, but the same principles apply for running an admin or managed server as a service.

First Steps

First, you still have your server logs. Sure the console output is better, but it's a starting point. Check this log for errors and especially take note of the start up variables such as PATH and CLASSPATH. If the server log isn't being created, that tells you WebLogic probably isn't even being started. (Check that you have a license file if you haven't already.)

Ok, so the logs were no help. The next step is to look at how the service is trying to start WebLogic.

When you install WebLogic as a service, you're really setting up beasvc.exe as the service. This is a tool that BEA/Oracle supplies with your WebLogic installation, and all it does is run WebLogic using parameters stored in the Windows Registry.

To find out what beasvc is doing, you can either:
  • Use the beasvc '-debug' mode; or
  • Simulate the way beasvc starts WebLogic.

BEASVC Debug Mode

beasvc.exe provides an easy debug mode. To use it, open a command-line console (cmd.exe) and change to the directory where all your domains are located (eg c:\bea\user_projects\). Then run the following command:

WL_HOME\server\bin\beasvc.exe -debug "SVC_NAME"

where WL_HOME is the directory WebLogic Server is installed in (e.g. c:\bea\weblogic92) and SVC_NAME is the name of the service.

Running beasvc with this option will give you a lot of useful information. You can find out more about the '-debug' option here.

Simulating BEASVC.EXE

If the '-debug' option isn't helping, or you need to test something specific, you can always simulate how beasvc starts WebLogic.
Normally to start WebLogic, you'd go to the startWebLogic.cmd (or other) script, but since you're starting WebLogic as a service this script is useless.

What we need to do is get all the environment variables and start-up parameters and then run WebLogic at the command-line.

To find the start-up parameters in the Windows Registry, first obtain the full service name from the Windows Services management console. To do this, right-click on the service you are troubleshooting, and click Properties. Copy the 'Display Name' field.

In regedit, search for the service using this display name. (On the Find dialog, select 'Look at: Keys' only.)

When you've found the node, expand it and select 'Parameters'. This contains all the important start-up parameters and environment variables.


Now that we have the start-up parameters used by beasvc, we can easily simulate it.

First, open a command console (cmd.exe) and change to the directory specified by the ExecDir registry entry.

Set the PATH variable to the value of the Path registry entry. Now run java.exe with no options. If it does not execute, you know that the registry's Path entry is incorrect. You can either edit it with regedit, or fix your installsvc.cmd script and run it again.

Finally, run java.exe again, this time followed by the CmdLine registry entry. This should run WebLogic as beasvc.exe would, except any errors will be printed to the console window.

Common Problems

With services, I frequently encounter various problems caused by incorrect CLASSPATH or PATH values - usually directory names with spaces that aren't surrounded by quotes. Java can interpret these as separate command line parameters, rather than a single file path.

As a general rule, avoid installing WebLogic to a directory that has a space in the name. If you do, use the old 8dot3 path name (use the DIR /X command to obtain these).
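Putting the simulation steps and the quoting problem together, here is an added example (not from the article and not a BEA/Oracle tool) that takes the ExecDir, Path and CmdLine values, reconstructs the three console steps above, and shows what java.exe actually receives when a path with a space is left unquoted. The registry values are constructed samples, and the expected launch class (weblogic.Server) is an assumption you pass in.

```python
# Constructed sample Parameters values (not read from a registry). CmdLine has an unquoted "C:\Program Files".
BROKEN_PARAMS = {
    "ExecDir": r"C:\bea\user_projects\domains\mydomain",
    "Path": r"C:\bea\jdk150_11\bin;C:\WINDOWS\system32",
    "CmdLine": (r"-Xms256m -Xmx512m -classpath C:\bea\weblogic92\server\lib\weblogic.jar;"
                r"C:\Program Files\My App\lib\app.jar -Dweblogic.Name=AdminServer weblogic.Server"),
}
# The same values after quoting the classpath, as the article recommends.
FIXED_PARAMS = dict(BROKEN_PARAMS, CmdLine=(
    r'-Xms256m -Xmx512m -classpath "C:\bea\weblogic92\server\lib\weblogic.jar;'
    r'C:\Program Files\My App\lib\app.jar" -Dweblogic.Name=AdminServer weblogic.Server'))

def simulate_command(params):
    """The three console steps from the article, as lines you would type into cmd.exe."""
    return ['cd /d "%s"' % params["ExecDir"],
            "set PATH=%s" % params["Path"],
            "java.exe %s" % params["CmdLine"]]

def split_cmdline(cmdline):
    """Split like the Windows java launcher: whitespace separates arguments unless inside double quotes."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args

def analyse(params, expected_main="weblogic.Server"):
    """Return the classpath, main class and program args java.exe would see, plus warnings.
    expected_main is an assumption: the class beasvc is meant to launch for this service."""
    args = split_cmdline(params["CmdLine"])
    result = {"classpath": None, "main_class": None, "program_args": [], "warnings": []}
    i = 0
    while i < len(args) and args[i].startswith("-"):   # java options come first
        if args[i] in ("-classpath", "-cp") and i + 1 < len(args):
            result["classpath"] = args[i + 1]
            i += 1
        i += 1
    if i < len(args):                                   # first non-option token is the main class
        result["main_class"], result["program_args"] = args[i], args[i + 1:]
    if result["main_class"] != expected_main:
        result["warnings"].append("java would try to launch %r instead of %r: an unquoted space in "
                                  "CmdLine split a path into several arguments"
                                  % (result["main_class"], expected_main))
    return result
```

With the broken values java.exe is handed the class name "Files\My" and never reaches weblogic.Server, which is exactly the silent failure the service shows; with the quoted classpath the warnings list is empty.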

Resources

If you're having trouble working out why an exception is being thrown, you can check if this site covers your scenario: http://www.insideexceptions.com/. It's a good resource for administrators who understand java.