Decrypt any encrypted password in your WebLogic Server Domain

Posted by Dirk Nachbar on Wednesday, September 20, 2017
It happens regularly that you configure a WebLogic Domain and, after some time, forget the password you set for the WebLogic Administration User, or you configure a JDBC Data Source and forget the password of the Oracle Database User it uses.

All you need is the following small Python script, called decrypt.py:

#!/bin/python
#=====================================================================
#
# $Id: decrypt.py $
#
# PURPOSE:    Script to decrypt any Password or Username 
#             within a WebLogic Server Domain
#
# PARAMETERS: none
#
# NOTES:      none
#
# AUTHOR:     Dirk Nachbar, https://dirknachbar.blogspot.com
#
# MODIFIED:
#
#
#=====================================================================

# Import weblogic.security.internal and weblogic.security.internal.encryption
from weblogic.security.internal import *
from weblogic.security.internal.encryption import *

# Provide Domain Home Location
domain = raw_input("Provide Domain Home location: ")

# Get encryption service with above Domain Home Location
encryptService = SerializedSystemIni.getEncryptionService(domain)
clearOrEncryptService = ClearOrEncryptedService(encryptService)

# Provide the encrypted password or username, e.g. from boot.properties
encrypted_pwd = raw_input("Provide encrypted password or username (e.g.: {AES}jNdVLr...): ")

# Clear the encrypted value from escaping characters
cleared_pwd = encrypted_pwd.replace("\\", "")

# Personal security hint :-)
raw_input("Make sure that nobody is staying behind you :-) Press ENTER to see the password ...")

# Decrypt the encrypted password or username
print "Value in cleartext is: " + clearOrEncryptService.decrypt(cleared_pwd)


Let's say you need the password of your WebLogic Administration user, which is stored in the boot.properties file under $DOMAIN_HOME/servers/<AdminServerName>/security

cd $DOMAIN_HOME/servers/AdminServer/security
cat boot.properties

#Tue Sep 05 14:05:32 CEST 2017
password={AES}hjP+5eQrx8j6S6b5JRdluvACHjtov3vo3pQ10c+h/Pg\=
username={AES}bHAMPwpk4izstmC7RW3K0jjQK4h4WlNEGu17LqRKYaE\=

Now run the script with wlst.sh from $ORACLE_HOME/oracle_common/common/bin, then enter your DOMAIN_HOME directory and the encrypted password.

$ORACLE_HOME/oracle_common/common/bin/wlst.sh decrypt.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Provide Domain Home location: /u00/app/oracle/user_projects/domains/demo_domain
Provide encrypted password (e.g.: {AES}jNdVLr...): {AES}hjP+5eQrx8j6S6b5JRdluvACHjtov3vo3pQ10c+h/Pg\=
Make sure that nobody is staying behind you :-) Press ENTER to see the password ...
Value in cleartext is: Oracle12c

The same works with encrypted passwords in your JDBC Data Source configuration file.

cat $DOMAIN_HOME/config/jdbc/testDS*.xml | grep password-encrypted
    {AES}xYk2xRXa5DzyCK/qC0TZJ+bsxWiGIxMDtiVWMstJxD0=

# Now execute the decrypt.py
$ORACLE_HOME/oracle_common/common/bin/wlst.sh decrypt.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Provide Domain Home location: /u00/app/oracle/user_projects/domains/demo_domain
Provide encrypted password (e.g.: {AES}jNdVLr...): {AES}xYk2xRXa5DzyCK/qC0TZJ+bsxWiGIxMDtiVWMstJxD0=
Make sure that nobody is staying behind you :-) Press ENTER to see the password ...
Value in cleartext is: Test12c

So, you don't have to rebuild your Oracle WebLogic Domain when you have lost your WebLogic Admin User password.
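The script needs nothing beyond read access to the domain home, so the key file and every file holding an encrypted value should be readable by the WebLogic OS user only. The following permission audit is an added example, not part of the original post; it is plain Python 3 (not WLST), and the sample domain layout, the file name testDS-jdbc.xml and the {AES} values in it are constructed placeholders.

```python
import os, re, stat, tempfile

# Prefixes WebLogic puts in front of encrypted values ({AES}, {AES256}, older {3DES}).
ENC_VALUE = re.compile(rb"\{(?:AES(?:256)?|3DES)\}[A-Za-z0-9+/\\=]+")
KEY_FILE = "SerializedSystemIni.dat"   # key material, in $DOMAIN_HOME/security

def audit_domain(domain_home):
    """Return sorted (relative path, kind, mode) for the key file and files
    with encrypted values that group or other users can read."""
    findings = []
    for root, _dirs, files in os.walk(domain_home):
        for name in files:
            path = os.path.join(root, name)
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if name == KEY_FILE:
                    kind = "key"
                else:
                    with open(path, "rb") as fh:
                        if not ENC_VALUE.search(fh.read(1 << 20)):
                            continue
                    kind = "encrypted-value"
            except OSError:
                continue  # not readable by the auditing user: skip it
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((os.path.relpath(path, domain_home), kind, oct(mode)))
    return sorted(findings)

def build_sample_domain(base):
    """Constructed sample layout; all values are placeholders, not real secrets."""
    sample = {
        "security/SerializedSystemIni.dat": (b"\x00constructed-key", 0o640),
        "servers/AdminServer/security/boot.properties":
            (b"password={AES}Q09OU1RSVUNURUQ\\=\n", 0o600),
        "config/jdbc/testDS-jdbc.xml":
            (b"<password-encrypted>{AES}Q09OU1RSVUNURUQ=</password-encrypted>\n", 0o644),
        "config/config.xml": (b"<domain/>\n", 0o644),
    }
    for rel, (data, mode) in sample.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_domain(build_sample_domain(tmp)):
            print(finding)
```

Against a real domain, call audit_domain() with your DOMAIN_HOME as the WebLogic OS user; an empty result means none of these files is readable by group or others.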

Happy decrypting :-)