How to migrate Weblogic's config.xml to multiple machines?

Question

our development team develops a J2EE application that runs on Weblogic 10.3. Each development machine runs its own copy of Weblogic 10.3 application server. The development environment's Weblogic domain was initially created on one machine and then copied onto all the machines using Weblogic's configuration tool (bea10/wlserver_10.3/common/bin/config.cmd).

Each development machine has its own copy of config.xml. All the passphrases (those for JDBC datasources etc.) in this file are encrypted and the encryption apparently uses a different seed on each machine since the same password has different encrypted forms on different machines.

The problem is that every once in a while config.xml needs to updated (for example when a new EJB is added) and the updates need to be applied on all the machines. How should we go about doing this? If we just put the file in CVS and update the other machines from there the encrypted passwords on each machine would get overwritten. This results in ugly paddingexceptions when the server tries to decrypt the passphrases originally encrypted on another machine.

Is there an ant task (I couldn't find one) or a similar mechanism that would take care of correctly merging the changes in config.xml without overwriting the encrypted passwords? Or is it possible to somehow specify the passphrases in plaintext and encrypt them on the first start (I have a faint recollection that this was possible in previous versions but not in 10.3).

How do development teams working on Weblogic handle this?

BR,

Marko

Answer 1

[...] Each development machine has its own copy of config.xml. All the passphrases (those for JDBC datasources etc.) in this file are encrypted ...

Yes, WebLogic Server encrypts all the plain text passwords stored in its domain configuration XML file(s). This is to prevent access to sensitive information. When passwords are entered using administration console or scripting tools, it will automatically get encrypted before they are stored in the configuration XML files(s).

... and the encryption apparently uses a different seed on each machine since the same password has different encrypted forms on different machines.

About the the encrypt utility (from the Oracle WebLogic Server Java Utilities), the documentation says:

The weblogic.security.Encrypt encrypts cleartext strings for use with WebLogic Server. The utility uses the encryption service of the current directory, or the encryption service for a specified WebLogic Server domain root directory.

Note: An encrypted string must have been encrypted by the encryption service in the WebLogic Server domain where it will be used. If not, the server will not be able to decrypt the string.

This is not mentioned in the documentation but, AFAIK, Weblogic uses the domain's password salt file (SerializedSystemIni.dat) for encrypting the clear text string.

[...] If we just put the file in CVS and update the other machines from there the encrypted passwords on each machine would get overwritten.

You could choose to use clear text passwords in the config.xml stored in your VCS (if this is not an issue). Actually, prior to WebLogic Server 9.0, the passwords would get encrypted during the subsequent restart. Starting from WebLogic Server 9.0, using clear text passwords in the configuration files is "fully" supported only for Development domain and Weblogic will not re-encrypt the passwords. In both case, this would allow people to check out the config file without troubles.

Is there an ant task (I couldn't find one) or a similar mechanism that would take care of correctly merging the changes in config.xml without overwriting the encrypted passwords?...

I'm not sure this answers directly your question but Oracle WebLogic Server provides Ant tasks for most of (if not all) its Java Utilities. Maybe you'll find something useful there (check out Configuring a WebLogic Server Domain Using the wlconfig Ant Task)

Or is it possible to somehow specify the passphrases in plaintext and encrypt them on the first start (I have a faint recollection that this was possible in previous versions but not in 10.3).

As I wrote above, this was the "default" behavior prior to Weblogic Server 9.0. I don't know if you can force this behavior for later versions. Of course, you could always use ant and encrypt to do it but, honestly, if you allow people to see clear text passwords once, I don't really see the point of encrypting them after the facts.