29 Replies, latest reply: Oct 5, 2010 3:48 PM by the_assface

    administrator password reset procedure failed on Weblogic 11g

    758875
      We run a Weblogic Server 11g, and the web console password for the user 'weblogic' is lost.
      The password reset procedure described, "java weblogic.security.utils.AdminAccount newAdmin newPassword .", does not work; this Java class is not found: "Could not find the main class: weblogic.security.utils.AdminAccount. Program will exit."
      Still, I found an encrypted hash of the password in the boot.properties file under /oracle/u01/WLS1031/user_projects/domains/domain_Mumus/servers/AdminServer/security, but it is not easy to decrypt it.
      Any ideas?
        • 1. Re: administrator password reset procedure failed on Weblogic 11g
          Jay SenSharma MiddlewareMagic
          Have you run "setDomainEnv.sh" before running the class "weblogic.security.utils.AdminAccount"?

          Or else you can try running ". ./setWLSEnv.sh".
          Just do

          echo $CLASSPATH

          before running the class weblogic.security.utils.AdminAccount.
          • 2. Re: administrator password reset procedure failed on Weblogic 11g
            758875
            Hi Jay,
            1. Yes, I ran the setDomain.
            2. I ran this too, setWLSEnv.sh, and after that the Java class; still, I have the following error.

            java weblogic.security.utils.AdminAccount newUser newPass1
            Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/security/utils/AdminAccount
            Caused by: java.lang.ClassNotFoundException: weblogic.security.utils.AdminAccount
            at java.net.URLClassLoader$1.run(Unknown Source)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClassInternal(Unknown Source)
            Could not find the main class: weblogic.security.utils.AdminAccount. Program will exit

            Edited by: user12774062 on Mar 9, 2010 5:11 PM
            • 3. Re: administrator password reset procedure failed on Weblogic 11g
              Jay SenSharma MiddlewareMagic
              It seems there is some problem with the classpath, so first, at your shell prompt, do

              echo $CLASSPATH

              Make sure that the "weblogic.jar" file is there. If you don't see it there, then run a command like the following:

              java -cp /apps/bea11g/weblogic11g/server/lib/weblogic.jar:$CLASSPATH  weblogic.security.utils.AdminAccount newUser newPass1 .


              NOTE: Don't forget the period "." at the end of the above command. The above command needs to be run from inside the "<Domain_Directory>/security" directory.

              (In Windows)
              Example: C:\bea103\user_projects\domains\7001_Domain\security>java weblogic.security.utils.AdminAccount newAdmin newPassword .

              In your case you need to run the command from the
              "/oracle/u01/WLS1031/user_projects/domains/domain_Mumus/security" directory, because it creates a new "DefaultAuthenticatorInit.ldift" in the current directory.


              In the above command, change the location of "weblogic.jar" according to your environment.

              Rather than adding "weblogic.jar", you can add "wlfullclient.jar" in the above command as well. To make "wlfullclient.jar" you can use: http://jaysensharma.wordpress.com/2010/02/03/building-wlfullclient-jar/


              Thanks
              Jay SenSharma
              • 4. Re: administrator password reset procedure failed on Weblogic 11g
                Jay SenSharma MiddlewareMagic
                Once you are done resetting the username and password, you need to edit the "boot.properties" file available in the following location, putting in the newly created clear-text username and password:

                /oracle/u01/WLS1031/user_projects/domains/domain_Mumus/servers/AdminServer/security/boot.properties


                username=newUser
                password=newPass1


                Then, as soon as you start the server next time, these values will be automatically encrypted. You can also refer to:


                http://middlewaremagic.com/weblogic/?p=323
                • 5. Re: administrator password reset procedure failed on Weblogic 11g
                  758875
                  Hm, almost working.

                  1. First run
                  java -cp /oracle/u01/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$CLASSPATH weblogic.security.utils.AdminAccount John John1 .
                  The ldift file was modified successfully,
                  then I changed the boot.properties file

                  username John
                  password John1

                  I restarted the server.
                  I had to do the shutdown with the old credentials (with the old boot.properties file).


                  But the server cannot log me in.
                  Here is the log:

                  ###########SABLE-AUTH########### lookupPassword / user:John
                  ###########SABLE-AUTH########### lookupPassword / password:null
                  <Mar 9, 2010 7:07:28 PM EET> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
                  <Mar 9, 2010 7:07:28 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
                  weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
                  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:959)
                  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
                  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
                  at weblogic.security.SecurityService.start(SecurityService.java:141)
                  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                  Truncated. see log file for complete stacktrace
                  javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User John denied

                  Edited by: user12774062 on Mar 9, 2010 7:20 PM

                  Edited by: user12774062 on Mar 9, 2010 7:22 PM
                  • 6. Re: administrator password reset procedure failed on Weblogic 11g
                    Jay SenSharma MiddlewareMagic
                    In boot.properties I can see that there is a missing '=' sign.
                    The "boot.properties" contents are the below two lines, with the equal sign:

                    username=John
                    password=John1
                    • 7. Re: administrator password reset procedure failed on Weblogic 11g
                      758875
                      It is there, I just hurried and did not copy exactly.
                      This is the AES-encrypted original file:

                      # Generated by Configuration Wizard on Fri Dec 04 19:53:15 EET 2009
                      username={AES}Cg9TZAInmJe16s5Wd1yBxMpE6DzdDA09BV+fzuLOMmg=
                      password={AES}0XiivL+4M4AIRvtebwhXAcwpJ0LgES/7nQJr2/3oexI=

                      I modified it afterwards to John and John1.

                      I am currently trying to decrypt this hash using a Python script, so I get the original password back.

                      Edited by: user12774062 on Mar 9, 2010 8:47 PM
                      • 8. Re: administrator password reset procedure failed on Weblogic 11g
                        Faisal Khan
                        11g uses 128-bit AES encryption with a random 16-byte initialization vector.
                        It would be practically very difficult to get the original string... particularly when we don't know the initialization vector.
                        Hit and trial is also not going to work, since even when encrypting the same value, the resulting string is different... because of the random initialization vector.

                        I don't want to discourage you from decrypting it... I was just trying to present some facts.
                        • 9. Re: administrator password reset procedure failed on Weblogic 11g
                          758875
                          Yeah, right.
                          And the AES-CTR IV field probably has eight octets... it must be unique for every key. The sorcerer who encrypted this probably used a singularization algorithm, or he just incremented a counter... like an LFSR. It's not impossible to crack.
                          • 10. Re: administrator password reset procedure failed on Weblogic 11g
                            yesh
                            Use the utility again to generate a new ldift file containing the new username and password. I think you got this working already.


                            Under domainname\servers\adminservername\data\ldap there should be a file called DefaultAuthenticatormyrealmInit.initialized.

                            Delete the above file after backing it up in another location.

                            This will force Weblogic to load the newly created ldift file (it relies on the .initialized file to figure out the status and decide whether to load the new ldift or not).

                            Make sure everything is backed up before you delete stuff, as you can lose users created in the embedded LDAP after the reinitialization.

                            Restart the managed servers so they can sync up, if you are able to start the admin.


                            Thanks
                            Best
                            Yesh
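The steps that replies 3, 4, 6 and 10 converge on, collected into one POSIX shell script as an added example (this is not code from the thread, from Oracle or from Middleware Magic). The classpath requirement, the `<domain>/security` working directory with the trailing `.`, the `username=`/`password=` lines and the `DefaultAuthenticatormyrealmInit.initialized` marker all come from the replies above; `WLS_HOME`, `DOMAIN_HOME`, the admin server name and the backup directory are placeholders for your installation, and the `chmod 600` on the clear-text boot.properties is an addition of mine, not something the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): the reset procedure from replies 3, 4,
# 6 and 10 as small functions, so each step can be checked on a scratch copy
# before it touches the real domain. WLS_HOME, DOMAIN_HOME and the admin
# server name are placeholders you must set for your installation.

# Reply 3: AdminAccount only loads when weblogic.jar is on the classpath; the
# NoClassDefFoundError in reply 2 is what you get when it is not.
# Usage: classpath_has_weblogic_jar "$CLASSPATH"
classpath_has_weblogic_jar() {
  case ":$1:" in
    *weblogic.jar:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reply 3: AdminAccount writes DefaultAuthenticatorInit.ldift into the
# current directory, so it must run from <domain>/security with the
# trailing "." argument. The java call is only reached if the jar exists.
run_admin_account() {
  # $1 = WLS_HOME, $2 = DOMAIN_HOME, $3 = new user, $4 = new password
  jar="$1/server/lib/weblogic.jar"
  [ -f "$jar" ] || { echo "weblogic.jar not found: $jar" >&2; return 1; }
  [ -d "$2/security" ] || { echo "no security dir under $2" >&2; return 1; }
  (cd "$2/security" && java -cp "$jar:${CLASSPATH:-}" \
      weblogic.security.utils.AdminAccount "$3" "$4" .)
}

# Replies 4 and 6: boot.properties needs key=value lines. Generating them
# with printf avoids the missing '=' that reply 6 points out.
boot_properties_content() {
  printf 'username=%s\npassword=%s\n' "$1" "$2"
}

# Reply 6: sanity check before starting the server: both keys present, each
# followed by '=' and a value (the value may already be an {AES} ciphertext).
boot_properties_valid() {
  grep -q '^username=.' "$1" && grep -q '^password=.' "$1"
}

# Reply 10: back up and remove the .initialized marker so the server loads
# the newly created ldift on the next start. Reply 10 also warns that users
# created in the embedded LDAP can be lost by this reinitialization.
reset_initialized_marker() {
  # $1 = DOMAIN_HOME, $2 = admin server name, $3 = backup directory
  marker="$1/servers/$2/data/ldap/DefaultAuthenticatormyrealmInit.initialized"
  [ -f "$marker" ] || { echo "marker not found: $marker" >&2; return 1; }
  mkdir -p "$3" || return 1
  cp "$marker" "$3/DefaultAuthenticatormyrealmInit.initialized.$(date +%Y%m%d%H%M%S)" \
    && rm -f "$marker"
}

# Whole procedure. Stop the admin server first (reply 5 had to do that with
# the old credentials), run this, then start it again so the clear-text
# values in boot.properties get encrypted on first boot (reply 4).
reset_admin_password() {
  # $1 = WLS_HOME, $2 = DOMAIN_HOME, $3 = admin server name, $4 = user, $5 = password
  bootfile="$2/servers/$3/security/boot.properties"
  run_admin_account "$1" "$2" "$4" "$5" || return 1
  [ -f "$bootfile" ] && cp "$bootfile" "$bootfile.bak.$(date +%Y%m%d%H%M%S)"
  boot_properties_content "$4" "$5" > "$bootfile" || return 1
  chmod 600 "$bootfile"   # my addition: the file holds a clear-text password until first boot
  boot_properties_valid "$bootfile" || return 1
  reset_initialized_marker "$2" "$3" "$2/ldap-backup"
}
```

Typical use is `. ./bin/setDomainEnv.sh` in the domain directory, then `reset_admin_password "$WLS_HOME" "$DOMAIN_HOME" AdminServer newUser 'newPass'`; the checks at the top of each function are the ones that would have caught the two failures in this thread (jar not on the classpath, '=' missing in boot.properties) before a restart.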
                            • 11. Re: administrator password reset procedure failed on Weblogic 11g
                              758875
                              Thanks Yesh,
                              this version of Weblogic is very security-focused;
                              it seems that our old password reset routines ain't working as known.
                              I'll investigate a layer deeper.

                              Here are the steps (I performed them with the server running and also when the server was stopped):
                              1. The ldift file is created successfully,
                              2. the boot.properties file was updated with the new credentials,
                              3. the ldap file is deleted,
                              4. the new ldap file is created.

                              Still, after restarting the server, he screams for his password...
                              Here are the commands run:

                              1. echo $CLASSPATH
                              2. ./bin/setDomainEnv.sh
                              3. java -cp /oracle/u01/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$CLASSPATH weblogic.security.utils.AdminAccount John Blackstar .
                              4. modify the boot.properties file:

                              # Generated by Configuration Wizard on Fri Dec 04 19:53:15 EET 2009
                              username=John
                              password=Blackstar

                              5. delete the ldap file.
                              Here is the server log...

                              izing using security realm myrealm.>
                              ###########SABLE-AUTH########### lookupPassword / user:John
                              ###########SABLE-AUTH########### lookupPassword / password:null
                              <Mar 11, 2010 1:41:31 PM EET> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>

                              Here is also the output of the newly created ldap file:

                              #The version of LDIFT loaded for the WLS default Authorizer provider. Last update was to version 61
                              #Thu Mar 11 14:24:28 EET 2010
                              Authorizer=61
                              PolicyUpdate=false
                              StoreId=ldap_RFsBKI0eE+oHB3EkE5ygnbQqRBE\=

                              Second experiment: after creating the new ldift file I left the old boot.properties file there.
                              Though I ran the below command and the new user should have been John and the password Blackstar, the system logged in successfully with his old boot.properties file, though the ldift file was changed successfully.

                              java -cp /oracle/u01/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$CLASSPATH weblogic.security.utils.AdminAccount John Blackstar .


                              Edited by: Sandor on Mar 11, 2010 2:28 PM

                              Edited by: Sandor on Mar 11, 2010 2:43 PM
                              • 12. Re: administrator password reset procedure failed on Weblogic 11g
                                Jay SenSharma MiddlewareMagic
                                Hi sandor,

                                You can try the following:
                                OPTION-A).
                                After running "setDomainEnv.sh" (don't run setWLSEnv.sh), run the following Weblogic utility to encrypt the username and password:

                                java weblogic.security.Encrypt John
                                java weblogic.security.Encrypt Blackstar

                                The above two commands will generate two encrypted values; just put them inside your "boot.properties".
                                --------------------------
                                OPTION-B).
                                Add the following flag to the JAVA_OPTIONS of your server start script (startWebLogic.sh):

                                -Dweblogic.system.StoreBootIdentity=true

                                This should create the boot.properties file as soon as the server gets started.

                                Thanks
                                Jay SenSharma
                                http://middlewaremagic.com/weblogic/?p=323  (Middleware Magic Is Here)
                                • 13. Re: administrator password reset procedure failed on Weblogic 11g
                                  758875
                                  This system was configured by a butcher, not by an admin...

                                  java -cp /oracle/u01/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$CLASSPATH weblogic.security.Encrypt John

                                  Unable to initialize encryption service, verify you are in the domain directory or have specified the correct value for -Dweblogic.RootDirectory

                                  encryption done
                                  username={AES}hJOwok2eyNOimJsXJbLShwCTBO4CwR9k4xJJ2KLaosA=
                                  password={AES}t7X+l+Cg3IBrtFXpcB9n7ObDFVbjoeGVpQPA4Eoj6z8=

                                  Still unable to start the admin server with these credentials.

                                  Edited by: Sandor on Mar 11, 2010 3:41 PM

                                  Edited by: Sandor on Mar 11, 2010 3:44 PM
                                  • 14. Re: administrator password reset procedure failed on Weblogic 11g
                                    sandeep_singh
                                    Hi,

                                    Just keeping the weblogic.jar file in the classpath and running the Encrypt utility will not encrypt the username/password correctly.

                                    As the encryption utility depends upon the domain name configuration, you will have to provide the domain home path as well to correctly use the encryption utility.


                                    Thanks,
                                    Sandeep
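A wrapper for the Encrypt step from replies 12 to 14, added here as an example (not code from the thread or from Oracle). Reply 13 shows the failure when the utility is run outside the domain, and its error text names the `-Dweblogic.RootDirectory` property; reply 14 explains why the domain home is needed. The wrapper checks for a domain directory before calling Java, which is my choice of check (a WebLogic domain keeps its configuration in `config/config.xml`); `WLS_HOME` and `DOMAIN_HOME` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): run weblogic.security.Encrypt with the
# domain configuration it needs (replies 12 to 14). WLS_HOME and DOMAIN_HOME
# are placeholders for your installation.

# Reply 13's error says "verify you are in the domain directory or have
# specified the correct value for -Dweblogic.RootDirectory". A domain
# directory holds config/config.xml, so that is what is checked here.
is_domain_dir() {
  [ -f "$1/config/config.xml" ]
}

# Builds the command line, one argument per line, so it can be reviewed or
# logged before anything is executed.
encrypt_cmdline() {
  # $1 = WLS_HOME, $2 = DOMAIN_HOME, $3 = value to encrypt
  printf '%s\n' java "-Dweblogic.RootDirectory=$2" \
    -cp "$1/server/lib/weblogic.jar:${CLASSPATH:-}" \
    weblogic.security.Encrypt "$3"
}

# Runs Encrypt from inside the domain directory and with RootDirectory set,
# refusing when the directory does not look like a domain. The printed
# {AES}... value goes into boot.properties. Because of the random IV
# described in reply 8, two runs on the same input give different strings,
# so a mismatch between runs is not a sign that something went wrong.
encrypt_value() {
  # $1 = WLS_HOME, $2 = DOMAIN_HOME, $3 = value to encrypt
  is_domain_dir "$2" || { echo "not a domain directory: $2" >&2; return 1; }
  [ -f "$1/server/lib/weblogic.jar" ] || { echo "weblogic.jar not found under $1" >&2; return 1; }
  (cd "$2" && java "-Dweblogic.RootDirectory=$2" \
      -cp "$1/server/lib/weblogic.jar:${CLASSPATH:-}" \
      weblogic.security.Encrypt "$3")
}
```

Run `. ./bin/setDomainEnv.sh` in the domain first (reply 12), then `encrypt_value "$WLS_HOME" "$DOMAIN_HOME" 'newPass'` once for the user name and once for the password and paste the two outputs into boot.properties. Note that a value passed on the command line is visible in the process list for as long as the JVM runs, so do this on a host where that is acceptable.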