Lab environment
- OS: OracleLinux 5
- WebLogic ver: 10.3.6
About WLST (WebLogic Scripting Tool)
- A command-line scripting interface that system administrators and operators use to monitor and manage WebLogic Server instances and domains
- The WLST scripting environment is based on Jython, the Java-based Python interpreter
With the procedure below, encrypted values such as the credentials in boot.properties or a database connection password can be decrypted. Note that it needs nothing more than read access to the ciphertext and to the domain's own key file, which is why the permissions on those files matter.
# $BEA_HOME (WebLogic install directory): /app/weblogic1036/
# $DOMAIN_HOME (domain directory): /app/weblogic1036/domains/1004lucifer_domain/
[weblogic@ae2793daea03 weblogic1036]$
# It does not matter which directory you work from.
[weblogic@ae2793daea03 weblogic1036]$ pwd
/app/weblogic1036
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ ll
total 176
-rw-rw-r-- 1 weblogic weblogic 986 Aug 15 04:47 decrypt.py
-rw-rw---- 1 weblogic weblogic 200 Aug 6 00:36 domain-registry.xml
drwxr-x--- 3 weblogic weblogic 4096 Aug 6 00:36 domains
drwxrwxr-x 2 weblogic weblogic 4096 Aug 12 23:41 logs
drwxrwxr-x 7 weblogic weblogic 36864 Aug 5 10:21 modules
-rw-rw-r-- 1 weblogic weblogic 625 Aug 5 10:22 ocm.rsp
-rw-rw-r-- 1 weblogic weblogic 108827 Aug 5 10:22 registry.dat
-rw-rw-r-- 1 weblogic weblogic 1728 Aug 5 10:22 registry.xml
drwxrwxr-x 8 weblogic weblogic 4096 Aug 5 10:21 utils
drwxrwxr-x 8 weblogic weblogic 4096 Aug 5 10:22 wlserver_10.3
[weblogic@ae2793daea03 weblogic1036]$
# Contents of the WLST script
[weblogic@ae2793daea03 weblogic1036]$ cat decrypt.py
import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decrypt(domainHomeName, encryptedPwd):
    # Load the domain's encryption service from $DOMAIN_HOME/security/SerializedSystemIni.dat
    domainHomeAbsolutePath = os.path.abspath(domainHomeName)
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
    # ClearOrEncryptedService accepts both prefixed ciphertext (e.g. {AES}...) and clear text
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
    clear = ces.decrypt(encryptedPwd)
    print "Decrypted Password:" + clear

try:
    if len(sys.argv) == 3:
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "INVALID ARGUMENTS"
        print " Usage: java -cp {weblogic.jar Path} weblogic.WLST {Script File Path} $domain_home $encrypted_password"
        print " Example:"
        print " java -cp ./weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA="
except:
    print "Unexpected error: ", sys.exc_info()[0]
    dumpStack()  # WLST built-in: prints the Java stack trace of the last exception
    raise
[weblogic@ae2793daea03 weblogic1036]$
# Locate weblogic.jar, which is needed on the class path to run the WLST script.
[weblogic@ae2793daea03 weblogic1036]$ find . -name weblogic.jar
./wlserver_10.3/server/lib/weblogic.jar
[weblogic@ae2793daea03 weblogic1036]$
# Check the strings to be decrypted
[weblogic@ae2793daea03 weblogic1036]$ cat /app/weblogic1036/domains/1004lucifer_domain/servers/AdminServer/security/boot.properties
# Generated by Configuration Wizard on Mon Aug 06 00:36:21 UTC 2018
username={AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA=
password={AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w=
[weblogic@ae2793daea03 weblogic1036]$
# Run WLST
# java -cp {weblogic.jar path} weblogic.WLST {WLST script path} {domain path} {encrypted string}
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}eGa4JKHZrSTq4LzGfseV6eLVk5vW6PHctTv8bx/UQHA=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Decrypted Password:1004lucifer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
# Without weblogic.jar on the class path, it fails to start as shown below.
[weblogic@ae2793daea03 weblogic1036]$ java weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain "{AES}qB4VzD1IRICgIfuxMpq3VV0isKaG7J/1i847Cm2IL4w="
Exception in thread "main" java.lang.NoClassDefFoundError: weblogic/WLST
Caused by: java.lang.ClassNotFoundException: weblogic.WLST
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: weblogic.WLST. Program will exit.
[weblogic@ae2793daea03 weblogic1036]$
Do repeated encryptions of the same string match?
Checked whether encrypting the string 1234qwer in WebLogic yields the same result string each time
1. WebLogic 10.3.0
- The encrypted strings were all identical, and the string is short.
(Checked on a server currently in production)
2. WebLogic 10.3.6
- The encrypted strings are all different, and the string is longer.
# The ciphertexts are all different, but each one decrypts to the same plaintext.
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}S2NIybQcxxahnr6w7BprRMCleEZZH3vcUwp5v91vEv4=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}LKstSq2toUT6HubOEROUuZITYJhx5HPMOCvwwdIogC8=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}7ywubk/5Z+pGkJhK/bOuSHOdcBZJh6JNhXDrRMy5pQA=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Decrypted Password:1234qwer
[weblogic@ae2793daea03 weblogic1036]$
Attempting to decrypt an encrypted string taken from another server
- To decrypt an encrypted string from another server, install the same WebLogic version, at the same path, with the same domain as on that server; decryption then works normally
- Otherwise, decryption must be attempted on the server where the value was encrypted.
[weblogic@ae2793daea03 weblogic1036]$
# Simply trying to decrypt an encrypted string from another server raises an EncryptionServiceException, as shown below
[weblogic@ae2793daea03 weblogic1036]$ java -cp ./wlserver_10.3/server/lib/weblogic.jar weblogic.WLST ./decrypt.py /app/weblogic1036/domains/1004lucifer_domain {AES}KWdg6MEJEo/iDG0mTUaTDLU5IoiaGAAUkQu1/IZHPaI\=
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Unexpected error: weblogic.security.internal.encryption.EncryptionServiceException
Problem invoking WLST - Traceback (innermost last):
File "/app/weblogic1036/./decrypt.py", line 14, in ?
File "/app/weblogic1036/./decrypt.py", line 9, in decrypt
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:139)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:187)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
weblogic.security.internal.encryption.EncryptionServiceException: weblogic.security.internal.encryption.EncryptionServiceException
[weblogic@ae2793daea03 weblogic1036]$
About WebLogic's security key, the SerializedSystemIni.dat file
- The domain file that contains the hash needed for encryption and decryption within a WebLogic domain
- Uses the Triple-DES block cipher (the reason ciphertexts start with {3DES}); the 10.3.6 values shown above carry the newer {AES} prefix instead
- Because the hash is produced by an algorithm that binds it to the domain that created the file, it can only be used in that domain
- If this file is damaged, WebLogic has to be reinstalled, so it must be backed up.
# File location: $DOMAIN_HOME/security/SerializedSystemIni.dat
[weblogic@ae2793daea03 weblogic1036]$ pwd
/app/weblogic1036
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ find . -name SerializedSystemIni.dat
./domains/1004lucifer_domain/security/SerializedSystemIni.dat
[weblogic@ae2793daea03 weblogic1036]$
[weblogic@ae2793daea03 weblogic1036]$ ll /app/weblogic1036/domains/1004lucifer_domain/security/SerializedSystemIni.dat
-rw-r----- 1 weblogic weblogic 64 Aug 6 00:36 /app/weblogic1036/domains/1004lucifer_domain/security/SerializedSystemIni.dat
[weblogic@ae2793daea03 weblogic1036]$
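Since anyone who can read both boot.properties and SerializedSystemIni.dat can recover the plaintext with the script above, a defender's first check is whether those files are readable by others and whether every credential is actually stored in the prefixed encrypted form. The following audit is an added example, not code from the original post; the boot.properties contents and the {AES}/{3DES} values it uses are constructed placeholders, and the same mode check applies to SerializedSystemIni.dat.

```python
import os
import re
import stat
import tempfile

# Constructed sample boot.properties contents; the {AES}/{3DES} values are
# placeholders, not ciphertext taken from any real domain.
SAMPLE_OK = ("# Generated by Configuration Wizard\n"
             "username={AES}Y29uc3RydWN0ZWQ=\npassword={AES}cGxhY2Vob2xkZXI=\n")
SAMPLE_BAD = "username=weblogic\npassword={3DES}cGxhY2Vob2xkZXI=\n"
ENC_PREFIX = re.compile(r"^\{(AES|3DES)\}")

def classify_value(value):
    """Return 'AES', '3DES' or 'PLAINTEXT' for one boot.properties value."""
    m = ENC_PREFIX.match(value.strip())
    return m.group(1) if m else "PLAINTEXT"

def audit_file(path):
    """Findings for one boot.properties: world-readable mode, plaintext or legacy values."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("%s: world-readable (mode %o)" % (path, mode))
    with open(path) as f:
        lines = [l.strip() for l in f if "=" in l and not l.lstrip().startswith("#")]
    props = dict(l.split("=", 1) for l in lines)
    for key in ("username", "password"):
        kind = classify_value(props.get(key, ""))
        if kind == "PLAINTEXT":
            findings.append("%s: %s is stored in plaintext" % (path, key))
        elif kind == "3DES":
            findings.append("%s: %s uses the legacy {3DES} format" % (path, key))
    return findings

def demo():
    """Write the two constructed samples into a temporary domain tree and audit them."""
    root = tempfile.mkdtemp()
    findings = []
    for server, body, mode in (("AdminServer", SAMPLE_OK, 0o600),
                               ("ManagedServer1", SAMPLE_BAD, 0o644)):
        sec = os.path.join(root, "servers", server, "security")
        os.makedirs(sec)
        path = os.path.join(sec, "boot.properties")
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)  # the mode bits are what audit_file inspects
        findings.extend(audit_file(path))
    return findings
```

Running demo() reports nothing for the AdminServer file and three findings for ManagedServer1: the world-readable mode, the plaintext username, and the {3DES} password.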
PS.
Books and other posts on the internet say that if you run setDomainEnv.sh you don't need to add the class path, but..
looking at the script, just running it shouldn't make this work, so I don't know why they say that.
Maybe the shell in the 10.3.6 version I'm practicing on doesn't support it since the WebLogic version changed..
References
- https://docs.oracle.com/cd/E13222_01/wls/docs90/config_scripting/using_WLST.html
- http://cybergav.in/2009/06/24/weblogic-serializedsystemini-dat/
Reference book
WebLogic Expert: Everything About WebLogic, From Installation to Troubleshooting, by Lee Gyu-seok and Kim Min-su, Acorn Publishing