通过修改jdbc配置文件方式修改Weblogic数据源密码

共计 12331 个字符，预计需要花费 31 分钟才能阅读完成。

注：假定环境中其中一个的 weblogic 域名为 cams，数据源为 CAMSDB

（1）直接修改 weblogic 的数据源配置文件中密文密码为最新的明文密码【首次尝试，以失败告终，weblogic 并没用将 JDBC 配置文件中的密码从明文自动转化成为密文，并遇到了新问题
进入 JDBC 配置文件所在路径
[cams@mymc1 jdbc]$ cd /home/cams/bea/middleware/user_projects/domains/cams/config/jdbc
打开配置文件并进行修改
[cams@mymc1 jdbc]$ vi CAMSDB-2211-jdbc.xml
将 XXX 中的密文密码改为明文密码

然后启动 weblogic 域，并查看启动日志
[cams@mymc1 jdbc]$ cd /home/cams/bea/middleware/user_projects/domains/cams
[cams@mymc1 jdbc]$ nohup ./startWebLogic.sh &
[cams@mymc1 jdbc]$ tail -f nohup.out

发现如下报错信息：

<2016-9-12 下午 10 时 22 分 47 秒 CST> <Error> <J2EE> <BEA-160197> <Unable to load descriptor java.net.URLClassLoader@6639c8c1/null of module null. The error is weblogic.descriptor.DescriptorException: Unmarshaller failed
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:161)
at weblogic.descriptor.BasicDescriptorManager.createDescriptor(BasicDescriptorManager.java:323)
at weblogic.application.descriptor.AbstractDescriptorLoader2.getDescriptorBeanFromReader(AbstractDescriptorLoader2.java:788)
at weblogic.application.descriptor.AbstractDescriptorLoader2.createDescriptorBean(AbstractDescriptorLoader2.java:409)
at weblogic.application.descriptor.AbstractDescriptorLoader2.loadDescriptorBeanWithoutPlan(AbstractDescriptorLoader2.java:759)
at weblogic.application.descriptor.AbstractDescriptorLoader2.loadDescriptorBean(AbstractDescriptorLoader2.java:768)
at weblogic.jdbc.module.JDBCDeploymentHelper.getJDBCDataSourceBean(JDBCDeploymentHelper.java:186)
at weblogic.jdbc.module.JDBCDeploymentHelper.createJDBCDataSourceDescriptor(JDBCDeploymentHelper.java:51)
at weblogic.management.mbeans.custom.JDBCSystemResource.loadDescriptor(JDBCSystemResource.java:60)
at weblogic.management.mbeans.custom.ConfigurationExtension.getExtensionRoot(ConfigurationExtension.java:178)
at weblogic.management.mbeans.custom.JDBCSystemResource.getJDBCResource(JDBCSystemResource.java:45)
at weblogic.management.mbeans.custom.JDBCSystemResource._postCreate(JDBCSystemResource.java:50)
at weblogic.management.configuration.JDBCSystemResourceMBeanImpl._postCreate(JDBCSystemResourceMBeanImpl.java:355)
at weblogic.descriptor.internal.AbstractDescriptorBean._postCreate(AbstractDescriptorBean.java:670)
at weblogic.management.configuration.DomainMBeanImpl.setJDBCSystemResources(DomainMBeanImpl.java:11820)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.staxb.runtime.internal.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:48)
at com.bea.staxb.runtime.internal.RuntimeBindingType$BeanRuntimeProperty.setValue(RuntimeBindingType.java:539)
at com.bea.staxb.runtime.internal.AttributeRuntimeBindingType$QNameRuntimeProperty.fillCollection(AttributeRuntimeBindingType.java:381)
at com.bea.staxb.runtime.internal.MultiIntermediary.getFinalValue(MultiIntermediary.java:52)
at com.bea.staxb.runtime.internal.AttributeRuntimeBindingType.getFinalObjectFromIntermediary(AttributeRuntimeBindingType.java:140)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalBindingType(UnmarshalResult.java:200)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalDocument(UnmarshalResult.java:169)
at com.bea.staxb.runtime.internal.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:65)
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:150)
at weblogic.descriptor.BasicDescriptorManager.createDescriptor(BasicDescriptorManager.java:323)
at weblogic.management.provider.internal.DescriptorManagerHelper.loadDescriptor(DescriptorManagerHelper.java:68)
at weblogic.management.provider.internal.RuntimeAccessImpl$IOHelperImpl.parseXML(RuntimeAccessImpl.java:690)
at weblogic.management.provider.internal.RuntimeAccessImpl.parseNewStyleConfig(RuntimeAccessImpl.java:270)
at weblogic.management.provider.internal.RuntimeAccessImpl.<init>(RuntimeAccessImpl.java:115)
at weblogic.management.provider.internal.RuntimeAccessService.start(RuntimeAccessService.java:41)
at weblogic.t3.srvr.ServerServicesManager.startService(ServerServicesManager.java:461)
at weblogic.t3.srvr.ServerServicesManager.startInStandbyState(ServerServicesManager.java:166)
at weblogic.t3.srvr.T3Srvr.initializeStandby(T3Srvr.java:881)
at weblogic.t3.srvr.T3Srvr.startup(T3Srvr.java:568)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:469)
at weblogic.Server.main(Server.java:71)
Caused by: com.bea.xml.XmlException: java.lang.IllegalArgumentException: In production mode, it’s not allowed to set a clear text value to the property: PasswordEncrypted of JDBCDriverParamsBean
at com.bea.staxb.runtime.internal.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:54)
at com.bea.staxb.runtime.internal.RuntimeBindingType$BeanRuntimeProperty.setValue(RuntimeBindingType.java:539)
at com.bea.staxb.runtime.internal.ByNameRuntimeBindingType$ElementQNameProperty.fill(ByNameRuntimeBindingType.java:351)
at com.bea.staxb.runtime.internal.LiteralUnmarshalResult.extractAndFillElementProp(LiteralUnmarshalResult.java:159)
at com.bea.staxb.runtime.internal.ByNameUnmarshaller.deserializeContents(ByNameUnmarshaller.java:51)
at com.bea.staxb.runtime.internal.AttributeUnmarshaller.unmarshalIntoIntermediary(AttributeUnmarshaller.java:47)
at com.bea.staxb.runtime.internal.LiteralUnmarshalResult.unmarshalElementProperty(LiteralUnmarshalResult.java:184)
at com.bea.staxb.runtime.internal.LiteralUnmarshalResult.extractAndFillElementProp(LiteralUnmarshalResult.java:156)
at com.bea.staxb.runtime.internal.ByNameUnmarshaller.deserializeContents(ByNameUnmarshaller.java:51)
at com.bea.staxb.runtime.internal.AttributeUnmarshaller.unmarshalIntoIntermediary(AttributeUnmarshaller.java:47)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalBindingType(UnmarshalResult.java:199)
at com.bea.staxb.runtime.internal.UnmarshalResult.unmarshalDocument(UnmarshalResult.java:169)
at com.bea.staxb.runtime.internal.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:65)
at weblogic.descriptor.internal.MarshallerFactory$1.createDescriptor(MarshallerFactory.java:150)
… 39 more
Caused by: java.lang.IllegalArgumentException: In production mode, it’s not allowed to set a clear text value to the property: PasswordEncrypted of JDBCDriverParamsBean
at weblogic.j2ee.descriptor.wl.JDBCDriverParamsBeanImpl.setPasswordEncrypted(JDBCDriverParamsBeanImpl.java:430)
at weblogic.j2ee.descriptor.wl.JDBCDriverParamsBeanImpl.setPasswordEncryptedAsString(JDBCDriverParamsBeanImpl.java:276)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.staxb.runtime.internal.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:48)
… 52 more
.>
<2016-9-12 下午 10 时 22 分 47 秒 CST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141266]Parsing Failure in config.xml: weblogic.management.ManagementRuntimeException: weblogic.application.ModuleException: >

（2）查找问题的解决方案【weblogic 不能启动：PasswordEncrypted of JDBCDriverParamsBean 问题】
找到解决方案链接如下：
http://Oraclemiddlewareblog.com/2012/04/25/unable-to-start-weblogic-passwordencrypted-of-serverstartmbean/

内容如下：

The Weblogic administration server is not starting and the complete error message is:
“In production mode, it’s not allowed to set a clear text value to the property: PasswordEncrypted of ServerStartMBean”
If this is occurring in Weblogic versions 10.3.1 or earlier, then it is a known bug with the administration console. The bug will cause a <password-encrypted> tag of a certain weblogic instance in your domain to be set to a null value in the config.xml. This will happen if you modify some startup arguments of that instance in the administration console. Weblogic will interpret the null value as a plain text password, which is not allowed in a production domain, thus the error in starting the server.
There is a patch that you can apply for this issue, but there are also some quick workarounds that might prove very useful if there is a time constraint for starting the administration service.
The first solution, and the one that is recommended since it is the final fix is to apply the patch delivered by Oracle for this issue:
– PKJ1 for Weblogic 10.3.1
– 6RDR for Weblogic 10.3
Both patches are released for generic platforms. If you are having a hard time identifying these patches in the new My Oracle Support site, please check out this post for instructions on how to find“old style”Weblogic patches in My Oracle Support.
Then, there are a few workarounds that you can quickly apply based on your needs:
1. The quickest solution is to switch your domain to Development mode. This will allow you to start the administration server, but take into consideration the implications that this change has on the runtime of the server, such as different logging levels and runtime performance.
2. Another way you can solve this issue is to simply copy the value of the empty tag from another instance in your domain. Locate another instance in the config.xml for which you have the <password-encrypted> tag correctly defined and copy it to the empty tag.
<password-encrypted>{AES}ve8cqLahYHyy8prbAudZTIyRvk4rNG+7kKvANZdaJzU=</password-encrypted>
3. If you simply do not have the encrypted password, you can encrypt it yourself using a utility provided by Weblogic:
– Run $DOMAIN_HOME/bin/setDomainEnv.sh so set the environment variables for your domain
– Execute:‘java weblogic.security.Encrypt’
– Enter the password in clear text and the encrypted value will be returned in the output. Copy that in the empty tag in the config.xml and restart the administration server.

因为我所使用的 weblogic 版本是 10.3.6.0，所以不是缺陷的问题。这里给出了三种建议，第一种是切换 domain 到开发模式，显然不合适；第二种是从其他实例拷贝密码标签的值，因为数据库中每个用户的密码都是不一样的，显然不适用；第三种是使用 weblogic 提供的工具将明文转化成为密文，然后进行替换，这是一种可行的方案。

（3）按照上述第三种方法执行【再次遇到错误】

[cams@mymc1 bin]$ cd /home/cams/bea/middleware/user_projects/domains/cams/bin
[cams@mysc1 bin]$ setDomainEnv.sh
[cams@mymc1 bin]$ java weblogic.security.Encrypt
Exception in thread “main” java.lang.NoClassDefFoundError: weblogic/security/Encrypt
Caused by: java.lang.ClassNotFoundException: weblogic.security.Encrypt
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: weblogic.security.Encrypt. Program will exit.

（4）接着查找该问题的处理方案【成功执行并生成了新的密文】

encrypting password in weblogic (get java.lang.ClassNotFoundException:)
if you need to encrypt password and get java.lang.ClassNotFoundException: weblogic.security.Encrypt then use this way /app/bea/WLS1031/jdk/bin/java -cp /app/bea/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$java weblogic.security.Encrypt yourpassword
PS: i have called java cause it was not in my env.
if you already have java in your env then /opt/bea/WLS1031/wlserver_10.3/server/lib/weblogic.jar:$java weblogic.security.Encrypt yourpassword

参考上文，执行命令如下：【注：标黄的 password 处输入真实的明文密码，可自动输出为密文】

[cams@mymc1 ~]$ cp /home/cams/bea/middleware/wlserver_10.3/server/lib/weblogic.jar /home/cams/bea/middleware/user_projects/domains/cams/
[cams@mymc1 ~]$ cd /home/cams/bea/middleware/user_projects/domains/cams/
[cams@mymc1 cams]$ java -cp weblogic.jar weblogic.security.Encrypt password

这里得到数据源 CAMSDB 的密码的密文为：【注：相同的明文在不同的 weblogic 下生成的密文不同】

{AES}dUH3nDtUg3LfPBCngOAAPFgsIW4gVRPyD25aibk4zVQ=

这里测试在另外一个 weblogic 下生成的密文为：

{AES}GA2sa2jSBeEtCoyt2g6NxJS3JPIWth70Z7s6dmIJ1uM=

显然两个相同密码在不同 weblogic 下生成的密文大不相同。

（5）修改 weblogic 的数据源配置文件中密文密码为最新的密文密码【还是遇到问题，账户锁定了】
进入 JDBC 配置文件所在路径
[cams@mymc1 jdbc]$ cd /home/cams/bea/middleware/user_projects/domains/cams/config/jdbc
打开配置文件并进行修改
[cams@mymc1 jdbc]$ vi CAMSDB-2211-jdbc.xml
将 XXX 中的密文密码改为最新密文密码

发现如下报错信息：

weblogic.common.ResourceException: weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: ORA-28000: the account is locked

很显然，是 Oracle 用户使用错误的密码尝试连接的次数过多，导致账户被锁定了

（6）处理最后的问题【结果再次遇到报错，不细心造成的】
这里需要联系数据库管理员，使用 system 或者 sys 用户登录数据库，执行查询语句：

SQL> select * from dba_users where account_status <> ‘OPEN’ ;

找到锁定的用户，然后执行解锁语句：
SQL> alter user XXXX account unlock;

然后再次重启，还是发现报错信息：

ORA-01017: invalid username/password; logon denied

经过检查，因为在替换的时候，有一个密文替换错了，导致数据源连接失败。这里重新替换即可。

最终，weblogic 启动成功，一切 OK！

更多 Oracle 相关信息见Oracle 专题页面 http://www.linuxidc.com/topicnews.aspx?tid=12

本文永久更新链接地址：http://www.linuxidc.com/Linux/2017-07/145982.htm