Friday, May 2, 2008

Tips & Tricks: How to encrypt the clear text boot.properties manually in WebLogic Application Server

This tip is useful for two purposes.

  1. To recover from an invalid system password situation, and

  2. To encrypt the clear text boot.properties.

The trick is to execute the FileRealm class from the core weblogic.jar file.

  1. First, identify the user or set of users who need to recover an invalid system password or to encrypt the clear text boot.properties manually.

  2. Second, create a properties file with the extension .src and add all the users that need to be defined to this file.

  3. Third, execute the FileRealm class.

Here is how it is done:

Comments are allowed within the file (preceded by the # sign), and for each user within the set a corresponding entry must be defined on its own new line within the file using the following format:


An example follows:

# define the WebLogic system to have the clear text password WebLogic

  • The newly created fileRealm input definition file (.src) can reside anywhere on the local file system.

  • When the input definition file has been created, the location of SerializedSystemIni.dat must be determined before the FileRealm class is executed from the command line.

  • SerializedSystemIni.dat provides an input seed (or salt) to the hashing phase of the encryption process. A password hashed with a specific salt can be successfully compared only to another password hashed with exactly the same salt.

  • Therefore, the SerializedSystemIni.dat file, located at the domain level within the security/ directory, has an explicit relationship to the passwords it hashes for the file realm of a given domain. Since WLS can't maintain a file realm in which the hashed passwords have been seeded by different SerializedSystemIni.dat files, you should never mix passwords hashed by different salt files within the same file realm.

  • Set the system class path to include the “weblogic.jar” file from the lib directory of the WLS installation.

  • Invoke the utility from the command line as follows:
    java weblogic.security.acl.internal.FileRealm <path_to_output_file> <path_to_salt_file>

  • <path_to_output_file>-
    The path to the output file given by the first parameter should be identical to that of the input definition file, with the .src extension dropped for the output file.

    For example, if you had created the input definition file as described in the steps above in a folder:


    You’d now need to define the output file at


  • This accommodates the way the FileRealm class internally handles the location of the input definition file: it derives that location from the path and name of the output file, assuming the input file has the .src extension added to it.

  • <path_to_salt_file>-
    This file contains a hash key (called the salt) used to encrypt the clear text password. This
    parameter defines the location of the SerializedSystemIni.dat file.

  • It is under the folder
    <<bea_home>>\user_projects\domains\<<domain name>>\security

  • Upon execution, the FileRealm class will generate its hashed password outputs into the file defined by the first input parameter.

  • After the command completes, open the output file in Notepad.

    • To recover an invalid system password, select the encrypted password, copy it from the output file, and paste it into FileRealm.dat, which is under the following folder:
    • After the copy-paste is complete and the FileRealm.properties file is saved, start the WLS server to test the password just set for the <<domain>> user. If the password recovery was successful, the server will start properly and WLS will operate as expected.

    • To encrypt the clear text boot.properties, select the encrypted password, copy it from the output file, and paste it into boot.properties.
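
A pre-flight check for the invocation above, as an added example that is not from the original post or from the WebLogic distribution: it derives the output path from the .src path, confirms the domain's SerializedSystemIni.dat is present, and returns the command line without running it. The function names, the sample file and directory names, and the refuse-to-overwrite precaution are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

FILEREALM_CLASS = "weblogic.security.acl.internal.FileRealm"  # class name as given in the post
SALT_NAME = "SerializedSystemIni.dat"


def build_filerealm_command(src_file, domain_dir):
    """Return the argv for the FileRealm run described above, or raise ValueError."""
    src = Path(src_file)
    if src.suffix != ".src":
        raise ValueError(f"input definition file must end in .src: {src}")
    if not src.is_file():
        raise ValueError(f"input definition file not found: {src}")
    # FileRealm finds its input by adding .src to the output path, so the
    # output path is the input path with the extension dropped.
    output = src.with_suffix("")
    if output.exists():
        # Precaution added in this example, not a documented FileRealm behaviour.
        raise ValueError(f"refusing to overwrite existing file: {output}")
    # The salt must come from the domain whose realm will receive the hash;
    # hashes seeded by another domain's salt file will not compare equal.
    salt = Path(domain_dir) / "security" / SALT_NAME
    if not salt.is_file():
        raise ValueError(f"salt file not found: {salt}")
    return ["java", FILEREALM_CLASS, str(output), str(salt)]


def demo():
    """Build the command against a constructed, throwaway domain layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        domain = root / "mydomain"  # constructed domain directory
        (domain / "security").mkdir(parents=True)
        (domain / "security" / SALT_NAME).write_bytes(b"constructed placeholder")
        src = root / "users.src"  # constructed input definition file
        src.write_text("# constructed placeholder, user entries go here\n")
        return build_filerealm_command(src, domain), root


if __name__ == "__main__":
    argv, _ = demo()
    print(" ".join(argv))
```

The .src file holds clear text passwords, so delete it once the hashed output has been copied where it is needed.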


1 comment:

Anonymous said...

Good lord, this is a life saver. It has helped me to recover password.