Weblogic WLST storeuserconfig - Security Best Practice

Overview

While connecting to the WebLogic Scripting Tool (WLST) or running WLST scripts, we may have passed the username and password in clear text, which is a potential security threat.

To avoid this, Oracle recommends using the UserConfigFile and UserKeyFile wherever applicable.

The best example of where to use the key file and config file is the connect() method, which takes WLST online.

Therefore, rather than calling connect() with a clear-text password, as below,

connect("username","password","t3://localhost:7001")

you can use

connect(userConfigFile='/home/aksarav/myuserconfigfile.secure', userKeyFile='/home/aksarav/myuserkeyfile.secure', url='t3://localhost:7001')

 

This takes WLST online without a password on the command line. The same connect() call also works in scripts, so they can connect to the AdminServer without embedding a clear-text password.

 

How to Create these files in an Easy way

So how do you create these files? WebLogic has a built-in method named storeUserConfig() that you can run in WLST interactive mode or scripting mode to achieve this.

[weblogic@mwiapp01 bin]$ . ./setDomainEnv.sh
 
[weblogic@mwiapp01 mwidomain]$ java weblogic.WLST
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> connect()

Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://localhost:18001
Connecting to t3://localhost:18001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "mwidomain".
Warning: An insecure protocol was used to connect to the server. 
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

wls:/mwidomain/serverConfig/> storeUserConfig()
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Creating new key...
The username and password that were used for this WebLogic Server connection are stored in /home/weblogic/weblogic-WebLogicConfig.properties and /home/weblogic/weblogic-WebLogicKey.properties.
wls:/mwidomain/serverConfig/> 

 

As the preceding command snippet shows, invoking storeUserConfig() with no arguments creates the user config file and user key file in your home directory.

You can also specify the path and file name of the user config and user key files, as shown below:

wls:/mwidomain/serverConfig/> storeUserConfig('/tmp/myuserconfigfile.secure', '/tmp/myuserkeyfile.secure')
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Creating new key...
The username and password that were used for this WebLogic Server connection are stored in /tmp/myuserconfigfile.secure and /tmp/myuserkeyfile.secure.
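
The key file holds the secret that decrypts the credentials in the config file, so anyone who can read both files can connect as that user; this is what the "secured location" warning in the output above refers to. The following check is an added example, not part of the original scripts: it is plain Python run outside WLST on a POSIX host, the function names are hypothetical, and it audits the two files for group/other access, foreign ownership and a world-writable parent directory such as /tmp, then restricts them to 0600.

```python
import os
import stat
import tempfile

def audit_file(path):
    """Return findings for one userConfigFile or userKeyFile path."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %04o is open to group/other" % (path, mode))
    if st.st_uid != os.geteuid():
        findings.append("%s: not owned by the current user" % path)
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append("%s: parent directory is world-writable" % path)
    return findings

def audit_pair(config_file, key_file):
    """Audit both files; the key file decrypts the config file, so both matter."""
    return audit_file(config_file) + audit_file(key_file)

def harden_pair(config_file, key_file):
    """Restrict both files to owner read/write (0600)."""
    for path in (config_file, key_file):
        os.chmod(path, 0o600)

def demo():
    """Constructed stand-ins for the two files; no WebLogic needed."""
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o700)
    cfg = os.path.join(workdir, "myuserconfigfile.secure")
    key = os.path.join(workdir, "myuserkeyfile.secure")
    for path in (cfg, key):
        with open(path, "w") as handle:
            handle.write("constructed placeholder\n")
        os.chmod(path, 0o644)          # simulate a permissive umask
    before = audit_pair(cfg, key)
    harden_pair(cfg, key)
    after = audit_pair(cfg, key)
    os.chmod(workdir, 0o1777)          # same permissions as /tmp
    in_shared_dir = audit_pair(cfg, key)
    return before, after, in_shared_dir

if __name__ == "__main__":
    for label, result in zip(("before", "after", "shared dir"), demo()):
        print(label, result)
```

Run audit_pair() against the real paths passed to storeUserConfig() after generating the files, and again from any job that later uses them with connect().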

The Customized WLST Script Way

I have written a script to make this job easier.

There are two flavours of the script.

  1. The first one uses getopts, where you have to give the details as startup arguments. (If you use this script, there is a chance that people can get your password from the bash history. If you feel that's not a problem, you can use this one.)
  2. The second one uses a properties file, from which the script obtains the username, password and other information.

The Default Flag

The script uses a setting called the default flag. If the default mode/flag is ON, the userConfigFile and userKeyFile are saved in the default location, which is the home directory of the current user.

You can set the default flag to ON using the --default startup argument for the first script,

and

you can set the default flag to ON by specifying defaultflag=ON in the store.properties file for the second script.

I have given both versions of the script below, and you can choose either, as per your requirement.

The first one has good help/usage information, which you can get by passing "help" as a startup argument, as shown below.

java weblogic.WLST storeuserconfig.py help

The First One ( Using Startup arguments)

The Output[s]

 

Without Default Flag

[Screenshot: script output without the default flag]

With Default Flag

[Screenshot: script output with the default flag]

The Second One ( Using Properties file)

The Output

 

With Default Flag ON

[Screenshot: script output with the default flag ON]

With Default Flag OFF

[Screenshot: script output with the default flag OFF]

The Properties File ( For the Second One)

Note*: You must place the properties file in the same directory where you save the second Python script, and the properties file name must be store.properties

 

Hope this helps.

 

If you are a beginner to WLST and WebLogic, these scripts could help you learn some new things. There are other articles like this on our site that you can refer to.

 

Weblogic Domain Creation using WLST : http://www.mwinventory.in/blog/weblogic-domain-creation-script-wlst/

Weblogic Server Status using WLST : http://www.mwinventory.in/blog/weblogic-server-status-script-wlst/

 

There are more such articles here, and more scripts are still under development and will be published soon. Stay connected.

Cheers,

A K S A R A V
