In this blog, we will learn about a WebLogic security best practice that we can use when connecting to WebLogic Server using WLST.
If we use a clear-text WebLogic username and password to connect with the WebLogic Scripting Tool (WLST) or to run any WLST scripts, this could lead to security threats.
To prevent identity theft, Oracle recommends utilizing the UserConfigFile and UserKeyFile as appropriate.
One of the best use cases for these key and config files is when using the connect() method in WLST to go online.
Therefore, instead of using connect() with a clear-text WebLogic username and password like below:
connect("username","password","t3://localhost:7001")
You should use this:
connect(userConfigFile='/tmp/myuserconfigfile.secure',userKeyFile='/tmp/myuserkeyfile.secure',url='t3://localhost:7001')
You can use this form of connect() both in interactive WLST and in scripts to connect securely to the AdminServer.
So how do you create these files in an easy way?
WebLogic has a built-in method named storeUserConfig(), which you can use in either WLST interactive mode or scripting mode to get the same result.
mohitchaudhary@MOHITs-MacBook-Air bin % ./wlst.sh
WARNING: This is a deprecated script. Please invoke the wlst.sh script under oracle_common/common/bin.
Initializing WebLogic Scripting Tool (WLST) ...
Jython scans all the jar files it can find at first startup. Depending on the system, this process may take a few minutes to complete, and WLST may not return a prompt right away.
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect()
Please enter your username :weblogic
weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://localhost:7001
t3://localhost:7001
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "base_domain".
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/base_domain/serverConfig/> storeUserConfig()
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Creating new key...
The username and password that were used for this WebLogic Server connection are stored in /Users/mohitchaudhary/mohitchaudhary-WebLogicConfig.properties and /Users/mohitchaudhary/mohitchaudhary-WebLogicKey.properties.
As you can see in the preceding session, invoking the storeUserConfig() method creates the user config and user key files and stores them in your home directory.
As shown below, you can also specify the path and file names of the user config and user key files.
wls:/base_domain/serverConfig/> storeUserConfig('/tmp/myuserconfigfile.secure','/tmp/myuserkeyfile.secure')
Creating the key file can reduce the security of your system if it is not kept in a secured location after it is created. Creating new key...
The username and password that were used for this WebLogic Server connection are stored in /tmp/myuserconfigfile.secure and /tmp/myuserkeyfile.secure.
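The warning printed by storeUserConfig() above is about where the two files are kept, since anyone who can read both can pass them to connect(). The following is an added example, not part of the original post or of WLST: a standalone Python check that flags a config or key file that other accounts can access or that sits in a world-writable directory such as /tmp, and tightens the file mode to 0600. The function names and the demo files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_wlst_secret(path):
    """Return a list of findings for one userConfigFile/userKeyFile path."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # Any group/other bit lets another local account read or alter the file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %03o grants group/other access" % mode)
    if st.st_uid != os.geteuid():
        findings.append("file is not owned by the current user")
    # In a world-writable directory (like /tmp) other users can plant or
    # pre-create files under the names a script expects.
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append("parent directory %s is world-writable" % parent)
    return findings

def harden_wlst_secret(path):
    """Restrict the file to owner read/write only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    """Audit constructed stand-ins for the files storeUserConfig() writes."""
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)        # same mode as /tmp
    private = tempfile.mkdtemp()    # mkdtemp creates this 0700
    results = {}
    for label, directory in (("shared", shared), ("private", private)):
        key = os.path.join(directory, "myuserkeyfile.secure")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o644)        # typical default under umask 022
        before = audit_wlst_secret(key)
        harden_wlst_secret(key)
        results[label] = (before, audit_wlst_secret(key))
    return results

if __name__ == "__main__":
    for label, (before, after) in demo().items():
        print(label, "before:", before, "after:", after)
```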
Hope this helps.
Cheers!