WebLogic Password Decrypt Steps

Oracle WebLogic Server

Recovering the admin password from boot.properties

1. Log in to the shell as the wls user and set the domain environment variables for the domain you want to recover:

[wls@prod01]$ cd $DOMAIN_HOME/bin

[wls@prod01]$ . ./setDomainEnv.sh

2. Start WLST:

[wls@prod01]$ $WL_HOME/common/bin/wlst.sh

3. Run the following WLST commands to display the username and password:

from weblogic.security.internal import BootProperties

BootProperties.load("/oracle/Middleware/user_projects/domains/MY_DOMAIN/servers/MY_AdminServer/security/boot.properties",false)

prop = BootProperties.getBootProperties()

print "username: " + prop.getOneClient()

print "password: " + prop.getTwoClient()

The username and password will be displayed on the screen.

The script reads the boot.properties file, decrypts it, and displays the username and password provided.

The script points to the boot.properties file located in the security folder of the MY_AdminServer. You can point to any security folder that contains the boot.properties file of the other Managed Servers.

It is important to set the domain environments first, otherwise the script will not be able to find the SerializedSystemIni.dat file, which is the seed used by the domain to encrypt and decrypt.

Recovering the data source password from the JDBC descriptor

In the same way that the WebLogic Administrator password is recoverable, the data source password can be retrieved as well. Here the ds-nonXA data source with the JNDI name jdbc/non-XA will be used to retrieve the password. The encrypted password must be retrieved from the JDBC configuration files in the $DOMAIN_HOME/config/jdbc directory.

1. Log in to the shell as the wls user and open the $DOMAIN_HOME/config/config.xml file to get the JDBC configuration filename.

[wls@prod01]$ cd $DOMAIN_HOME/config

[wls@prod01]$ vi config.xml

2. Locate the <jdbc-system-resource> tag of the ds-nonXA data source and get the descriptor filename.

<jdbc-system-resource>

<name>ds-nonXA</name>

<target></target>

<descriptor-file-name>jdbc/ds-nonXA-jdbc.xml</descriptor-file-name>

</jdbc-system-resource>

3. Open the JDBC file:

[wls@prod01]$ vi jdbc/ds-nonXA-jdbc.xml

4. Locate the <password-encrypted> tag and copy the password.

<password-encrypted>{AES}PASSWORD_ENCRYPTED</password-encrypted>

5. Start WLST using the following command:

[wls@prod01]$ $WL_HOME/common/bin/wlst.sh

6. Assign the copied password to the passwd variable, set secPath to the full path of the $DOMAIN_HOME/security directory, and run the following WLST commands to display the password:

from weblogic.security.internal import *

from weblogic.security.internal.encryption import *

passwd = "{AES}PASSWORD_ENCRYPTED"

secPath = "/oracle/Middleware/user_projects/domains/MY_DOMAIN/security"

encService = SerializedSystemIni.getEncryptionService(secPath)

coeService = ClearOrEncryptedService(encService)

print "password: " + coeService.decrypt(passwd)

7. The password will be displayed on the screen:

wls:/offline> password: dbpwd

There is no need to set the domain environment variables this time since the script receives the full path to the SerializedSystemIni.dat file.
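
Both procedures work for any OS user who can read SerializedSystemIni.dat together with boot.properties or a JDBC descriptor, so it is worth checking who can read those files. The Python 3 audit below is an added example, not part of the original procedure or of WebLogic; the owner-only permission policy, the generic {ALGORITHM} prefix check and the sample domain it builds are assumptions made for illustration.

```python
import glob, os, re, stat, tempfile
import xml.etree.ElementTree as ET

ENC_PREFIX = re.compile(r"^\{[A-Z0-9]+\}")  # algorithm tag such as {AES}

def _find(root, name):
    # WebLogic XML files are namespaced, so compare local tag names only.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_domain(domain_home):
    """Return (path, issue) findings. Reads metadata and tags; decrypts nothing."""
    findings = []
    sensitive = [os.path.join(domain_home, "security", "SerializedSystemIni.dat")]
    sensitive += glob.glob(os.path.join(domain_home, "servers", "*", "security", "boot.properties"))
    config = ET.parse(os.path.join(domain_home, "config", "config.xml")).getroot()
    for res in _find(config, "jdbc-system-resource"):
        for node in _find(res, "descriptor-file-name"):
            path = os.path.join(domain_home, "config", (node.text or "").strip())
            sensitive.append(path)
            for pw in _find(ET.parse(path).getroot(), "password-encrypted"):
                if not ENC_PREFIX.match((pw.text or "").strip()):
                    findings.append((path, "password-encrypted lacks an {ALGORITHM} prefix"))
    for path in sensitive:
        mode = stat.S_IMODE(os.stat(path).st_mode)  # assumed policy: owner-only access
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "accessible by group/other (mode %o)" % mode))
    return findings

def build_sample_domain(root):
    """Write a constructed sample domain; every name and value is made up."""
    files = {
        "security/SerializedSystemIni.dat": ("constructed", 0o644),
        "servers/MY_AdminServer/security/boot.properties": ("username={AES}X\n", 0o600),
        "config/config.xml": ("<domain><jdbc-system-resource><descriptor-file-name>"
            "jdbc/ds-nonXA-jdbc.xml</descriptor-file-name></jdbc-system-resource></domain>", 0o600),
        "config/jdbc/ds-nonXA-jdbc.xml": ("<jdbc-data-source><password-encrypted>dbpwd"
            "</password-encrypted></jdbc-data-source>", 0o600),
    }
    for rel, (body, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, issue in audit_domain(build_sample_domain(tmp)):
            print(os.path.relpath(path, tmp), "->", issue)
```

Run against a real domain by passing the value of $DOMAIN_HOME to audit_domain(); an empty result means every checked file is owner-only and every password-encrypted value carries an algorithm prefix.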


3 Responses

  1. sumanth says:

    I am getting the below error

  2. feroj says:

    Hi, I am getting the below error while running the script

    D:\Oracle\Middleware\user_projects\domains\UDQ_domain>java weblogic.WLST Dspwd.p
    y

    Initializing WebLogic Scripting Tool (WLST) …

    Welcome to WebLogic Server Administration Scripting Shell

    Type help() for help on available commands

    Problem invoking WLST – Traceback (innermost last):
    File “D:\Oracle\Middleware\user_projects\domains\UDQ_domain\Dspwd.py”, line 19
    , in ?
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decr
    yptBytes(JSafeEncryptionServiceImpl.java:139)
    at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decr
    yptString(JSafeEncryptionServiceImpl.java:187)
    at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt
    (ClearOrEncryptedService.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
    java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
    sorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)

    weblogic.security.internal.encryption.EncryptionServiceException: weblogic.secur
    ity.internal.encryption.EncryptionServiceException
