skhannit Archive

How to decrypt WebLogic Datasource Password

Copy the encrypted datasource password from the -jdbc.xml file under \config\jdbc into the password variable in the WLST script.


Change the path variable to point to your domain's security directory.

from weblogic.security.internal import *
from weblogic.security.internal.encryption import *

# Encrypted value copied from the datasource's -jdbc.xml file
password = "{AES}0+5YrFk+fD9BFIykr3H+wPsNmPRP/GIOUId7SPqBgNg="
# Domain security directory; it holds SerializedSystemIni.dat, the key material for this domain
path = "D:/Oracle/Middleware/user_projects/domains/pega7_domain/security"
encryptionService = SerializedSystemIni.getEncryptionService(path)
cService = ClearOrEncryptedService(encryptionService)
print "password: " + cService.decrypt(password)

Execute the above script after setting the environment:
>setWLSEnv.cmd
>java weblogic.WLST decryptDatasourcePassword.py

You should see the decrypted password in the terminal.


How to configure SSL Between WebLogic and Apache

SSL between Apache and WebLogic

1) Set WLS Environment

C:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

2) Go to the lib directory and convert the WLS root certificate to .pem format

C:\Oracle\Middleware\wlserver_10.3\server\lib>java utils.der2pem CertGenCA.der

C:\Oracle\Middleware\wlserver_10.3\server\lib>dir CertGen*
Volume in drive C is Windows8_OS
Volume Serial Number is 8C04-A406

Directory of C:\Oracle\Middleware\wlserver_10.3\server\lib

01/03/2015 09:29 PM 540 CertGenCA.der
01/19/2015 07:47 PM 786 CertGenCA.pem
01/03/2015 09:29 PM 388 CertGenCAKey.der

3) Open D:\Apache2.2\conf\httpd.conf and add the following entries

LoadModule weblogic_module modules/mod_wl128_22.so

<Location /console>
   SetHandler weblogic-handler
   SecureProxy ON
   TrustedCAFile C:/Oracle/Middleware/wlserver_10.3/server/lib/CertGenCA.pem
   RequireSSLHostMatch false
   WebLogicHost localhost
   WebLogicPort 7002
   WLLogFile D:/temp/wlproxy.log
   WLTempDir D:/temp
   Debug ALL

</Location>

Note: The Admin/Managed Server should be up and running on the IP and port mentioned in the Location directive.

If there are any issues, you can check the proxy logs. If you are still not able to resolve the issues, please feel free to post here.

Recommended Best Practices for Securing WebLogic Server.

Disable SSL V2, Weak Ciphers, and Null Encryptions

You can use the following JVM options to disable weak ciphers.

-Dweblogic.security.SSL.allowUnencryptedNullCipher=false
-Dweblogic.security.disableNullCipher=true

Steps to disable SSL V2 follow later.

Use Secure Cookies to Prevent Session Stealing

Please refer to this article: link

Configure WebLogic Server to use a Specific Cipher Suite or a List of Ciphers

Please refer to this article: link

-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
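
The check below is an added example, not code from the original post or from Oracle: it audits a JAVA_OPTIONS string for the three system properties named above and flags any configured suite built on a weak primitive. It flags both suites in the line above, since RFC 7465 prohibits RC4 in TLS. The marker list and the sample string are assumptions constructed for illustration.

```python
import re

# Properties named in the post, with the values it recommends.
NULL_CIPHER_FLAGS = {
    "weblogic.security.SSL.allowUnencryptedNullCipher": "false",
    "weblogic.security.disableNullCipher": "true",
}
SUITE_FLAG = "weblogic.security.SSL.Ciphersuites"
# Substrings that mark a suite as weak (assumed policy; adjust to your baseline).
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "_DES_", "3DES", "MD5")


def parse_jvm_options(options):
    """Return {name: value} for every -Dname=value token in a JAVA_OPTIONS string."""
    return dict(re.findall(r"-D([\w.]+)=(\S*)", options))


def audit(options):
    """Return a sorted list of findings for the SSL-related system properties."""
    props = parse_jvm_options(options)
    findings = []
    for flag, wanted in NULL_CIPHER_FLAGS.items():
        value = props.get(flag)
        if value is None:
            findings.append("missing: -D%s=%s" % (flag, wanted))
        elif value.lower() != wanted:
            findings.append("unsafe: -D%s=%s" % (flag, value))
    suites = [s for s in props.get(SUITE_FLAG, "").split(",") if s]
    if not suites:
        findings.append("missing: -D%s (server defaults apply)" % SUITE_FLAG)
    for suite in suites:
        hits = [m for m in WEAK_MARKERS if m in suite]
        if hits:
            findings.append("weak suite: %s (%s)" % (suite, "/".join(hits)))
    return sorted(findings)


# Constructed sample: the two null-cipher flags plus the suite list shown in the post.
SAMPLE = ("-Xmx1024m -Dweblogic.security.SSL.allowUnencryptedNullCipher=false "
          "-Dweblogic.security.disableNullCipher=true "
          "-Dweblogic.security.SSL.Ciphersuites="
          "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5")

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```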

Restrict the SSL Protocol Versions Allowed by WebLogic Server

Please refer to this article: link

You should also allow only the required HTTP methods (GET/POST) to access resources on the server. You can restrict the other methods in web.xml.

Refer to this

Using RolesAllowed and SecurityRole annotations to secure web services on WebLogic

1) Write a JWS that uses the RolesAllowed and SecurityRole annotations

package examples.webservices.security_jws;

import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;

@WebService(name="SecureHelloWorldPortType",
            serviceName="SecureHelloWorldService",
            targetNamespace="http://www.bea.com")
@SOAPBinding(style=SOAPBinding.Style.DOCUMENT,
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
@WLHttpTransport(contextPath="SecureHelloWorldService",
                 serviceUri="SecureHelloWorldService",
                 portName="SecureHelloWorldServicePort")
// Only callers mapped to the "testrole" security role may invoke this service
@RolesAllowed({
    @SecurityRole(role="testrole")
})
public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;
  }
}

2) While deploying the EAR, select custom roles

3) Go to myrealm > Realm Roles > Global Roles > Edit Global Roles, create a new role testrole, and add an existing user to the role

4) You can invoke the web service from SoapUI by providing the username and password in the request properties.