How to Decrypt WebLogic Console & Java Keystore Password?

There might be situation while working in a Middleware team where Oracle WebLogic environment setup is done by someone else, or you don’t know the password, but you have the server access.

If you are in such situation and need to know the password, then the following would be handy to decode it.

Decrypting WebLogic Console Password

This assumes you had server access and logged in with the respective UNIX account.

Go to Oracle bin directory (oracle_home/common/bin)E

Execute the wlst.sh

./wlst.sh

You will get WLST prompt in offline mode, invoke the following command

wls:/offline> domain = "/opt/apps/user_projects/domains/domain_name"

Note: change the domain path if necessary

wls:/offline> service = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> encryption = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
wls:/offline> print encryption.decrypt("{AES}WDhZb5/IP95P4eM8jwYITiZs01kawSeliV59aFog1jE=")
 weblogic123
wls:/offline>

Note: encrypted code starting with AES you can find in a boot.properties file.

As you can see the password is decoded – weblogic123

Decrypting WebLogic Java Keystore Password

If you are not sure what the password is for your WebLogic Java keystore, then you can use the following wlst method to decode it.

Invoke wlst.sh from Oracle home>>bin directory and execute the below commands

wls:/offline> domain = "/opt/apps/user_projects/domains/domain_name"

Note: Change the domain path if necessary

wls:/offline> service = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> encryption = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
wls:/offline> print encryption.decrypt("{AES}WDhZb5/IP95P4eM8jwYITiZs01kawSeliV59aFog1jE=")
 weblogic123
wls:/offline>

Note: encrypted string starting with AES, you can find in config.xml

You may face the following issue while decrypting.

wls:/offline> print encryption.decrypt("{AES}yM9zSPu4d57o83Hi3yromUP3Vzu+FUTpHMwl1U90kMM=")
Traceback (innermost last):
File "<console>", line 1, in ?
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:139)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:187)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
weblogic.security.internal.encryption.EncryptionServiceException: weblogic.security.internal.encryption.EncryptionServiceException

If you are encountering the above error, then you got to remove the forward symbol at the end.

From

wls:/offline> print encryption.decrypt("{AES}yM9zSPu4d57o83Hi3yromUP3Vzu+FUTpHMwl1U90kMM=")

To

wls:/offline> print encryption.decrypt("{AES}yM9zSPu4d57o83Hi3yromUP3Vzu+FUTpHMwl1U90kMM=")

I hope the above quick instructions help you in decrypting password for WebLogic Console and Java keystore.

Interested in learning Oracle WebLogic administration? Check out this online course.

Article by Yagnam Amarender Reddy