To meet Oracle's security standards, the encryption algorithms require a recent update of JDK 7, JDK 8, or a newer JDK to run.
Models contain WebLogic Server domain configuration. Certain types of resources and other configuration elements require passwords; for example, a JDBC data source requires the password of the user establishing the database connection. When creating or configuring a resource that requires a password, that password must be specified either directly in the model or in the variable file. Clear-text passwords make a model unsuitable for storing as source, so the Encrypt Model Tool gives the model author the ability to encrypt the passwords in the model and variable file using passphrase-based, reversible encryption. When using a tool with a model containing encrypted passwords, the encryption passphrase must be provided so that the tool can decrypt each password in memory and set the corresponding WebLogic Server configuration (which is then protected by WebLogic Server's own encryption mechanism, based on a domain-specific key). While there is no requirement to use the WebLogic Deploy Tooling encryption mechanism, it is highly recommended, because storing clear-text passwords on disk is never a good idea.
The Create Domain, Update Domain, and Deploy Applications Tools can take a set of models. The Encrypt Model Tool can also encrypt a set of models: each model is encrypted using the same passphrase and written back to its original location.
WebLogic Deploy Tooling also supports using passwords already encrypted by the target domain's own key directly in the model. The two mechanisms cannot be combined: the Encrypt Model Tool cannot be used on a model that contains domain-encrypted passwords.
Start with the following example model:
```yaml
domainInfo:
    AdminUserName: weblogic
    AdminPassword: welcome1
    ServerStartMode: prod
topology:
    Name: DemoDomain
    SecurityConfiguration:
        NodeManagerUsername: weblogic
        NodeManagerPasswordEncrypted: welcome1
    Security:
        Group:
            FriscoGroup:
                Description: The WLS Deploy development group
        User:
            Robert:
                Password: welcome1
                GroupMemberOf: [ Administrators, FriscoGroup ]
            Derek:
                Password: welcome1
                GroupMemberOf: 'Administrators, FriscoGroup'
            Richard:
                Password: welcome1
                GroupMemberOf: [ FriscoGroup ]
            Carolyn:
                Password: welcome1
                GroupMemberOf: FriscoGroup
            Mike:
                Password: welcome1
                GroupMemberOf: FriscoGroup
            Johnny:
                Password: welcome1
                GroupMemberOf: FriscoGroup
            Gopi:
                Password: welcome1
                GroupMemberOf: FriscoGroup
```
To run the Encrypt Model Tool on the model, run the following command:
```
$ weblogic-deploy\bin\encryptModel.cmd -oracle_home c:\wls12213 -model_file UnencryptedDemoDomain.yaml
```
The tool prompts for the encryption passphrase twice and then encrypts every password it finds in the model, skipping any password field whose value is a variable reference, to produce a result that looks like the following model. You can bypass the stdin prompt in two other ways. Either store the passphrase in an environment variable and pass the name of that variable (not its value) with the command-line option -passphrase_env, or create a file containing the passphrase value and pass that file name with the command-line option -passphrase_file.
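The three passphrase routes above each carry a practitioner caveat: the environment variable option names the variable so the secret never lands in the command line (where `ps` would show it to every user), a passphrase file must not be readable by other users, and an interactive prompt should be confirmed because a mistyped passphrase yields a model nobody can decrypt. The following script, added here as an illustration and not part of WebLogic Deploy Tooling, resolves the passphrase through each route with those checks and builds the encryptModel command line accordingly. The `encryptModel.sh` script name, the comma-separated `-model_file` list and the `WDT_PASSPHRASE` variable name are assumptions.

```python
"""Resolve the Encrypt Model Tool passphrase through each of the three routes
the tool offers (prompt, -passphrase_env, -passphrase_file) and build the
command line so the secret never appears in argv. Added illustration, not part
of WDT; the encryptModel.sh name, the comma-separated -model_file list and the
WDT_PASSPHRASE variable name are assumptions.
"""
import getpass
import os
import stat
import subprocess


def passphrase_from_env(var_name, environ=None):
    """-passphrase_env: the option carries the variable *name*, not the secret."""
    env = os.environ if environ is None else environ
    value = env.get(var_name, '')
    if not value:
        raise ValueError(f'environment variable {var_name} is unset or empty')
    return value


def file_mode_is_private(mode):
    """True when group and other have no permission bits at all (chmod 600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def passphrase_from_file(path, require_private=(os.name == 'posix')):
    """-passphrase_file: refuse a file other users could read; take the first
    line only, so an editor's trailing newline does not become part of the key.
    The permission check is POSIX-only and skipped on Windows."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f'{path} is not a regular file')
    if require_private and not file_mode_is_private(st.st_mode):
        raise PermissionError(f'{path} is group/world readable; chmod 600 it first')
    with open(path, encoding='utf-8') as fh:
        value = fh.readline().rstrip('\r\n')
    if not value:
        raise ValueError(f'{path} is empty')
    return value


def passphrase_from_prompt(ask=getpass.getpass):
    """Interactive route: the tool asks twice; mirror that to catch typos."""
    first = ask('Encryption passphrase: ')
    if not first:
        raise ValueError('empty passphrase')
    if ask('Confirm passphrase: ') != first:
        raise ValueError('passphrases do not match')
    return first


def build_command(wdt_home, oracle_home, model_files, variable_file=None,
                  env_var='WDT_PASSPHRASE'):
    """argv for encryptModel using -passphrase_env, so ps never shows the secret."""
    script = 'encryptModel.cmd' if os.name == 'nt' else 'encryptModel.sh'  # .sh name assumed
    argv = [os.path.join(wdt_home, 'bin', script),
            '-oracle_home', oracle_home,
            '-model_file', ','.join(model_files),   # assumption: comma-separated list
            '-passphrase_env', env_var]
    if variable_file:
        argv += ['-variable_file', variable_file]
    return argv


def run_encrypt(wdt_home, oracle_home, model_files, passphrase, variable_file=None):
    """Run the tool with the passphrase present only in the child's environment."""
    env = dict(os.environ, WDT_PASSPHRASE=passphrase)
    return subprocess.run(build_command(wdt_home, oracle_home, model_files,
                                        variable_file), env=env, check=True)


if __name__ == '__main__':
    # Example: passphrase from a chmod 600 file, tool invoked via the environment.
    secret = passphrase_from_file(os.path.expanduser('~/.wdt-passphrase'))
    run_encrypt('/opt/weblogic-deploy', '/opt/wls12213', ['UnencryptedDemoDomain.yaml'],
                secret, 'UnencryptedDemoDomain.properties')
```

On Linux the child's environment is readable through /proc/<pid>/environ only by the same user and root, whereas argv is visible to everyone through `ps`; that is why the command is built with -passphrase_env rather than any literal, and why the file route insists on mode 600.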
```yaml
domainInfo:
    AdminUserName: weblogic
    AdminPassword: '{AES}a0dacEQ4Q2JnTmI4VHp5NjIzVHNPRFg5ZjRiVDJ4NzU6T1M0SGYwM2xBeHdRdHFWVTpWZEh6bkd4NzZSQT0='
    ServerStartMode: prod
topology:
    Name: DemoDomain
    SecurityConfiguration:
        NodeManagerUsername: weblogic
        NodeManagerPasswordEncrypted: '{AES}WndJQWNySWpoY0VEbFpmR2V1RFhvamVFdGwzandtaFU6L1d4V0dPRFpsaXJIUkl2djpQdUdLaTloR1IxTT0='
    Security:
        Group:
            FriscoGroup:
                Description: The WebLogic Deploy development group
        User:
            Robert:
                Password: '{AES}VFIzVmdwcWNLeHBPaWhyRy82VER6WFV6aHRPbGcwMjQ6bS90OGVSTnJxWTIvZjkrRjpjSzBQUHlOWWpWTT0='
                GroupMemberOf: [ Administrators, FriscoGroup ]
            Derek:
                Password: '{AES}R1BTM21ZSkxpdTNIZjNqcTlsSC9PeHV4aXJoT3kxazM6M1dLOXBLeCtlc1lsVDUrWjo5VitHZUxCcjZnOD0='
                GroupMemberOf: 'Administrators, FriscoGroup'
            Richard:
                Password: '{AES}Y3FkQmRIRGhjZEtlRjVkVVdLQU1Eb09LWDIzMlhUWVo6MjllVExsMmNmNzJzZDFjaTpNcVNDbUs2cnRFRT0='
                GroupMemberOf: [ FriscoGroup ]
            Carolyn:
                Password: '{AES}cW8wczJqZXJZOHVsTGNOTmlqTGpuZGFoSkY2ME5WbTk6c0VaWGs1ME5pemlKdC9wajpFaTJPRS9ZQlcvND0='
                GroupMemberOf: FriscoGroup
            Mike:
                Password: '{AES}cnF6Z3JOVWcvc0czN3JVb1g5T2FidmRsSU51anJCa0Y6UlBsNVFsOFlXU29xUlY1aDp3VWZWYU5VOVRkMD0='
                GroupMemberOf: FriscoGroup
            Johnny:
                Password: '{AES}UWJ5Y25Ma2RHTkNMVTZ1RnlhRkNaTUxXaXV4SjBjaWg6citwTDQvelN1aUlPdnZaSDpCMEdSWGg2ZlVJUT0='
                GroupMemberOf: FriscoGroup
            Gopi:
                Password: '{AES}MWJGcnhtZlNyWXVrU1VXMVFxZFEvQThoS1hPN2FQdDc6MmRPaUF2Y1FCQ3VIK3MydDpZaFR5clBrN1FjOD0='
                GroupMemberOf: FriscoGroup
```
If the model references passwords that are stored in the variable file, as in the following model:
```yaml
resources:
    JDBCSystemResource:
        Generic1:
            Target: mycluster
            JdbcResource:
                JDBCDataSourceParams:
                    JNDIName: [ jdbc/generic1 ]
                    GlobalTransactionsProtocol: TwoPhaseCommit
                JDBCDriverParams:
                    DriverName: oracle.jdbc.xa.client.OracleXADataSource
                    URL: 'jdbc:oracle:thin:@//@@PROP:db.url@@'
                    PasswordEncrypted: '@@PROP:db.password@@'
                    Properties:
                        user:
                            Value: '@@PROP:db.user@@'
                        oracle.net.CONNECT_TIMEOUT:
                            Value: 5000
                        oracle.jdbc.ReadTimeout:
                            Value: 30000
                JDBCConnectionPoolParams:
                    InitialCapacity: 3
                    MaxCapacity: 15
                    TestTableName: SQL ISVALID
                    TestConnectionsOnReserve: true
    MailSession:
        MyMailSession:
            JNDIName: mail/MyMailSession
            Target: mycluster
            SessionUsername: john.smith@example.com
            SessionPasswordEncrypted: '@@PROP:mymailsession.password@@'
            Properties:
                mail.store.protocol: imap
                mail.imap.port: 993
                mail.imap.ssl.enable: true
                mail.imap.starttls.enable: true
                mail.imap.host: imap.example.com
                mail.imap.auth: true
                mail.transport.protocol: smtp
                mail.smtp.starttls.enable: true
                mail.smtp.port: 465
                mail.smtp.ssl.enable: true
                mail.smtp.auth: true
                mail.smtp.host: smtp.example.com
```
Run the Encrypt Model Tool and pass both the model and variable files, like this:
```
$ weblogic-deploy\bin\encryptModel.cmd -oracle_home c:\wls12213 -model_file UnencryptedDemoDomain.yaml -variable_file UnencryptedDemoDomain.properties
```
The variable file will now look something like the following:
```properties
#Variables updated after encryption
#Thu Feb 01 19:12:57 CST 2018
db.user=rpatrick
db.url=mydb.example.com:1539/PDBORCL
db.password={AES}czFXMkNFWNG9jNTNYd0hRL2R1anBnb0hDUlp4K1liQWFBdVM4UTlvMnE0NU1aMUZ5UVhiK25oaWFBc2lIQ20\=
mymailsession.password={AES}RW9nRnUzcE41WGNMdnEzNDdRQVVNWm1LMGhidkFBVXg6OUN3aXcyci82cmh3cnpNQTpmY2UycUp5YWl4UT0\=
```
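The two examples above show the three states a password field can be in after the tool runs: an `{AES}` value written directly into the model, an `{AES}` value in the variable file behind a `@@PROP:name@@` reference, or still clear text because the tool was never run (or the referenced variable was added afterwards). The following pre-commit audit, added here as an illustration and not part of WebLogic Deploy Tooling, scans a model and its variable file and reports every password field whose effective value is unprotected. The rule that password attributes end in `Password` or `PasswordEncrypted` is a heuristic drawn from the field names on this page, and the sample model and properties are constructed.

```python
"""Pre-commit audit for a WebLogic Deploy Tooling model and its variable file.

Flags every password field whose effective value is still clear text, so a
model cannot be committed with a secret the Encrypt Model Tool was never run
on. Added illustration, not WDT's own code; the field-name heuristic and the
sample files below are assumptions/constructed.
"""
import re

# Heuristic (assumption): WDT password attributes end in Password or
# PasswordEncrypted (AdminPassword, NodeManagerPasswordEncrypted, Password, ...).
PASSWORD_FIELD = re.compile(
    r'^\s*(?P<key>\w*Password(?:Encrypted)?)\s*:\s*(?P<value>.*?)\s*$')
PROP_REF = re.compile(r'^@@PROP:(?P<name>[^@]+)@@$')
ENCRYPTED_PREFIX = '{AES}'   # prefix the Encrypt Model Tool writes


def unquote(value):
    """Strip one layer of matching YAML quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in '\'"':
        return value[1:-1]
    return value


def parse_properties(text):
    """Minimal java.util.Properties reader for WDT variable files: key=value
    lines, '#'/'!' comments, and the backslash escapes the tool writes
    (the trailing '\\=' on the encrypted values above)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if not sep:
            continue
        props[key.strip()] = value.strip().replace('\\=', '=').replace('\\:', ':')
    return props


def is_encrypted(value):
    return value.startswith(ENCRYPTED_PREFIX)


def audit_model(model_text, properties):
    """Return (line_no, key, finding) for every unprotected password field."""
    findings = []
    for line_no, line in enumerate(model_text.splitlines(), 1):
        m = PASSWORD_FIELD.match(line)
        if not m:
            continue
        key, value = m.group('key'), unquote(m.group('value'))
        ref = PROP_REF.match(value)
        if ref:
            # Variable reference: the tool skips these, so check the variable file.
            name = ref.group('name')
            if name not in properties:
                findings.append((line_no, key, f'variable {name} is undefined'))
            elif not is_encrypted(properties[name]):
                findings.append((line_no, key, f'variable {name} is clear-text'))
        elif value.startswith('@@'):
            findings.append((line_no, key, 'unrecognized token, review manually'))
        elif not value:
            findings.append((line_no, key, 'empty value'))
        elif not is_encrypted(value):
            findings.append((line_no, key, 'clear-text in model'))
    return findings


# Constructed sample input (not from a real domain): mixes all three states.
SAMPLE_MODEL = """\
domainInfo:
    AdminUserName: weblogic
    AdminPassword: welcome1
topology:
    SecurityConfiguration:
        NodeManagerPasswordEncrypted: '{AES}c2FtcGxlLWNpcGhlcnRleHQ='
    Security:
        User:
            Robert:
                Password: '@@PROP:robert.password@@'
resources:
    JDBCSystemResource:
        Generic1:
            JdbcResource:
                JDBCDriverParams:
                    PasswordEncrypted: '@@PROP:db.password@@'
    MailSession:
        MyMailSession:
            SessionUsername: john.smith@example.com
            SessionPasswordEncrypted: '@@PROP:mymailsession.password@@'
"""

SAMPLE_PROPERTIES = """\
#Variables updated after encryption
db.user=rpatrick
db.url=mydb.example.com:1539/PDBORCL
db.password={AES}c2FtcGxlLWNpcGhlcnRleHQ\\=
mymailsession.password=Welcome1
"""


def run_demo():
    return audit_model(SAMPLE_MODEL, parse_properties(SAMPLE_PROPERTIES))


if __name__ == '__main__':
    for line_no, key, finding in run_demo():
        print(f'line {line_no}: {key}: {finding}')
```

Run against the constructed sample it reports the clear-text AdminPassword, the user password whose variable is missing from the properties file, and the mail session password whose variable is still clear text; the NodeManager and JDBC passwords pass because both carry the `{AES}` prefix. Wire it into a pre-commit hook for the repository that holds the models and a clear-text secret cannot slip into source history.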
The following environment variables may be set.

JAVA_HOME
The location of the JDK. This must be a valid JDK that has support for the WDT encryption algorithms. Because the Encrypt Model Tool uses Jython directly rather than going through WLST, JAVA_HOME is the JDK that executes the command (unlike the other tools, which run under WLST).

WLSDEPLOY_PROPERTIES
System properties that will be passed to Java.
encryptModel
Parameter | Definition | Default |
---|---|---|
-manual | Run without a model and get an encrypted value for a single password. | |
-model_file | The location of the model file or a set of model files. | |
-oracle_home | Home directory of the Oracle WebLogic installation. Required if the ORACLE_HOME environment variable is not set. | |
-passphrase_env | An alternative to entering the encryption passphrase at a prompt. The value is the name of an environment variable that WDT reads to retrieve the passphrase. | |
-passphrase_file | An alternative to entering the encryption passphrase at a prompt. The value is the name of a file containing a string value that WDT reads to retrieve the passphrase. | |
-passphrase_prompt | Allow WDT to prompt for the encryption passphrase or read it from stdin. | |
-variable_file | The location and name of the property file containing the variable values for all variables used in the model(s). | |