Wednesday, August 15, 2018

[WebLogic] Decrypting encrypted strings (boot.properties, DB connection password)

Lab environment
 - OS: OracleLinux 5
 - WebLogic version: 10.3.6




About WLST (WebLogic Scripting Tool)..
 - A command-line scripting interface that system administrators and operators use to monitor and manage WebLogic Server instances and domains
 - The WLST scripting environment is based on Jython, the Java scripting interpreter

Encrypted information such as the entries in boot.properties or the DB connection password can be decrypted with the method below.



# Home directory paths of the lab WebLogic installation
# $BEA_HOME (WebLogic install directory): /app/weblogic1036/
# $DOMAIN_HOME (domain directory): /app/weblogic1036/domains/1004lucifer_domain/
[weblogic@ae2793daea03 weblogic1036]$
# It does not matter which directory you run this from.
[weblogic@ae2793daea03 weblogic1036]$ pwd
/app/weblogic1036
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ ll
total 176
-rw-rw-r-- 1 weblogic weblogic    986 Aug 15 04:47 decrypt.py
-rw-rw---- 1 weblogic weblogic    200 Aug  6 00:36 domain-registry.xml
drwxr-x--- 3 weblogic weblogic   4096 Aug  6 00:36 domains
drwxrwxr-x 2 weblogic weblogic   4096 Aug 12 23:41 logs
drwxrwxr-x 7 weblogic weblogic  36864 Aug  5 10:21 modules
-rw-rw-r-- 1 weblogic weblogic    625 Aug  5 10:22 ocm.rsp
-rw-rw-r-- 1 weblogic weblogic 108827 Aug  5 10:22 registry.dat
-rw-rw-r-- 1 weblogic weblogic   1728 Aug  5 10:22 registry.xml
drwxrwxr-x 8 weblogic weblogic   4096 Aug  5 10:21 utils
drwxrwxr-x 8 weblogic weblogic   4096 Aug  5 10:22 wlserver_10.3
[weblogic@ae2793daea03 weblogic1036]$
# Contents of the WLST script
[weblogic@ae2793daea03 weblogic1036]$ cat decrypt.py
import os, sys  # sys is used for argv below (WLST also pre-imports it)
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decrypt(domainHomeName, encryptedPwd):
    domainHomeAbsolutePath = os.path.abspath(domainHomeName)  # domain that holds security/SerializedSystemIni.dat
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)  # accepts {AES}/{3DES} or clear text
    clear = ces.decrypt(encryptedPwd)
    print "Decrypted Password:" + clear

try:
    if len(sys.argv) == 3:  # argv[0] is the script path, then domain home and ciphertext
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "INVALID ARGUMENTS"
        print " Usage: java -cp {weblogic.jar Path} weblogic.WLST {Script File Path} $domain_home $encrypted_password"
        print " Example:"
        print "    java -cp ./weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA="
except:
    print "Unexpected error: ", sys.exc_info()[0]
    dumpStack()  # WLST built-in: prints the underlying Java stack trace
    raise
[weblogic@ae2793daea03 weblogic1036]$
# Find the path of weblogic.jar, which is needed to run the WLST script.
[weblogic@ae2793daea03 weblogic1036]$ find . -name weblogic.jar
./wlserver_10.3/server/lib/weblogic.jar
[weblogic@ae2793daea03 weblogic1036]$
# Check the strings to decrypt
[weblogic@ae2793daea03 weblogic1036]$ cat /app/weblogic1036/domains/1004lucifer_domain/servers/AdminServer/security/boot.properties
# Generated by Configuration Wizard on Mon Aug 06 00:36:21 UTC 2018
username={AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA=
password={AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w=
[weblogic@ae2793daea03 weblogic1036]$
# Run WLST
# java -cp {weblogic.jar path} weblogic.WLST {WLST script path} {domain path} {encrypted string}
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA=

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Decrypted Password:1004lucifer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w=

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
# Without weblogic.jar on the class path it fails to run, as shown below.
[weblogic@ae2793daea03 weblogic1036]$ java weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain "{AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w="
Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/WLST
Caused by: java.lang.ClassNotFoundException: weblogic.WLST
        at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: weblogic.WLST.  Program will exit.
[weblogic@ae2793daea03 weblogic1036]$


Whether encrypted strings match
Checks whether encrypting the string 1234qwer in WebLogic yields the same result string each time
1. WebLogic 10.3.0
  - The encrypted strings were all identical, and the strings are short.
    (checked on a server currently in production)

2. WebLogic 10.3.6
  - The encrypted strings are all different, and the strings are longer.


# Decryption test of encrypted strings in the WebLogic 10.3.6 environment!!
# The ciphertexts are all different, but they decrypt to the same plaintext.

[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}S2NIybQcxxahnr6w7BprRMCleEZZH3vcUwp5v91vEv4=

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}LKstSq2toUT6HubOEROUuZITYJhx5HPMOCvwwdIogC8=

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}7ywubk/5Z+pGkJhK/bOuSHOdcBZJh6JNhXDrRMy5pQA=

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$


Attempting to decrypt an encrypted string taken from another server

 - If you need to decrypt an encrypted string from another server, install the same WebLogic version, at the same path, with the same domain as on that server; decryption then works normally
 - Otherwise, decryption has to be attempted on the server where the string was encrypted.



# Test environment: WebLogic 10.3.6

[weblogic@ae2793daea03 weblogic1036]$
# A plain attempt to decrypt an encrypted string taken from another server raises EncryptionServiceException, as shown below
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}KWdg6MEJEo/iDG0mTUaTDLU5IoiaGAAUkQu1/IZHPaI\=

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
Unexpected error:  weblogic.security.internal.encryption.EncryptionServiceException

Problem invoking WLST - Traceback (innermost last):
  File "/app/weblogic1036/./decrypt.py", line 14, in ?
  File "/app/weblogic1036/./decrypt.py", line 9, in decrypt
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:139)
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:187)
        at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)

weblogic.security.internal.encryption.EncryptionServiceException: weblogic.security.internal.encryption.EncryptionServiceException

[weblogic@ae2793daea03 weblogic1036]$


About WebLogic's security key, the SerializedSystemIni.dat file..

 - A domain file containing the hash needed for encryption/decryption within a WebLogic domain
 - Uses the Triple-DES block cipher (the reason ciphertexts start with {3DES})
 - Because the file's hash uses an algorithm that binds it to the domain that created it, it can only be used in that domain
 - If this file is damaged, WebLogic has to be reinstalled, so a backup is needed.



# As of WebLogic 10.3.6
# File location: $DOMAIN_HOME/security/SerializedSystemIni.dat

[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ pwd
/app/weblogic1036
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ find . -name SerializedSystemIni.dat
./domains/1004lucifer_domain/security/SerializedSystemIni.dat
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ ll /app/weblogic1036/domains/1004lucifer_domain/security/SerializedSystemIni.dat
-rw-r----- 1 weblogic weblogic 64 Aug  6 00:36 /app/weblogic1036/domains/1004lucifer_domain/security/SerializedSystemIni.dat
[weblogic@ae2793daea03 weblogic1036]$
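As an added example (not part of the original post and not WebLogic's own code), here is a small Python 3 audit covering the two files discussed above: it parses boot.properties and flags any value that is not an {AES}/{3DES} ciphertext (a sign the server never re-encrypted the file), and reports whether SerializedSystemIni.dat is readable by group or others, as the 0640 listing above is. The domain layout, the plaintext password entry and the 64-byte key file content are constructed for the demo; the encrypted username value is the one shown in boot.properties above.

```python
import base64
import os
import re
import tempfile

# WebLogic prefixes encrypted values with {3DES} (older releases) or
# {AES} (10.3.6, as in the boot.properties above), followed by base64.
ENC_VALUE = re.compile(r"^\{(AES|3DES)\}(.+)$")


def classify_value(value):
    """Return 'encrypted', 'malformed' (prefix but bad base64) or 'plaintext'."""
    m = ENC_VALUE.match(value.strip())
    if not m:
        return "plaintext"
    try:
        base64.b64decode(m.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    return "encrypted"


def audit_boot_properties(path):
    """Map each key to its classification; 'plaintext' means the file was never re-encrypted."""
    result = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            result[key.strip()] = classify_value(value)
    return result


def group_or_world_readable(path):
    """True if group or others can read the file (the 0640 key file listed above is group-readable)."""
    return bool(os.stat(path).st_mode & 0o044)


def make_sample_domain():
    """Constructed $DOMAIN_HOME: one encrypted value (from the page), one plaintext value, a 0640 placeholder key file."""
    home = tempfile.mkdtemp()
    props = os.path.join(home, "servers", "AdminServer", "security", "boot.properties")
    os.makedirs(os.path.dirname(props))
    with open(props, "w") as f:
        f.write("# constructed sample\nusername={AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA=\npassword=1234qwer\n")
    key_file = os.path.join(home, "security", "SerializedSystemIni.dat")
    os.makedirs(os.path.dirname(key_file))
    with open(key_file, "wb") as f:
        f.write(b"\x00" * 64)  # placeholder bytes, not a real key
    os.chmod(key_file, 0o640)
    return props, key_file
```

Run against a real $DOMAIN_HOME by pointing the two functions at servers/AdminServer/security/boot.properties and security/SerializedSystemIni.dat; a password that classifies as 'plaintext' or a key file readable beyond its owner is a finding.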





PS.
Books and other articles on the internet say that if you run setDomainEnv.sh you do not need to add the class path..
Looking at the script, simply running it should not make this work, and I do not know why they say that.
Maybe the shell of the 10.3.6 version I am practicing on no longer supports it since the WebLogic version changed..




References
 - https://docs.oracle.com/cd/E13222_01/wls/docs90/config_scripting/using_WLST.html
 - http://cybergav.in/2009/06/24/weblogic-serializedsystemini-dat/

Reference book
WebLogic Expert: Everything about WebLogic, from installation to troubleshooting - 10 points
by Lee Gyu-seok and Kim Min-su / Acorn Publishing