Weblogic: Encrypt properties

Question

Weblogic application server 10g and above encrypts data source passwords etc. in the configuration files which is usually fine.

For a third party library, I have to provide credentials via my application (EAR/WAR) which differ between environments.

I'm aware of the plan.xml / <env-entry/> approach but to my knowledge, this can only replace/modify the deployment descriptor with literal values, not with encrypted values - at least I have not found any example.

All in all I want to "inject" credentials in my application as much as possible supported by the application server and without any "self-build" solutions with external properties file etc (like jaspy).

Is that somehow possible via weblogic's plan.xml approach?

Thanks!

Answer 1

We ended up with this approach:

• Let the user create a encrypted string via WLS' python console - the result has always a prefix being {AES} or {DES}
• Read from the plan.xml the value literally. If it does not start with {AES} or {DES} then use it right away
• Otherwise decrypt via this WLS internal API: https://community.oracle.com/thread/2225201?tstart=0

I do not like using this hidden API but at least that uses WLS' own encrypting and salting and it becomes Sysops responsibility ;-)

Answer 2

A couple things to note - If weblogic is in development (not production mode) you can enter values as clear text in configuration files and when the server starts up it will encrypt them. If you need encryption/decryption methods there is plenty of scripts out there that can help. Like here: http://techtapas.blogspot.com/2011/05/how-to-decrypt-weblogic-passwords-with.html

That said, I think you can enter the values into your plan.xml file encrypted. This example file is doing it: https://jdeveloper-adf.googlecode.com/svn-history/r25/trunk/shiridi/Plan.xml