When WS-Security policy files (WSSE files) are compiled, clear text passwords are embedded in the resulting CLASS files. Individuals with access to the production server could learn these passwords. To mitigate this risk, two utilities are provided to encrypt these clear text passwords in the WSSE files before compilation. The resulting CLASS files will contain only encrypted versions of the passwords.
Both utilities, generateSecretKeyFile and encryptWssePolicy, are located in the BEA_HOME/weblogic81/common/bin directory.
generateSecretKeyFile Utility
Use the utility generateSecretKeyFile to generate the secret key used to encrypt the passwords. When you run generateSecretKeyFile, it generates a key file named pwdEncryptionInfo.key and places it in the BEA_HOME/weblogic81/common/bin directory. Save the generated key file pwdEncryptionInfo.key in your application's APP-INF/classes directory.
encryptWssePolicy Utility
Once you have generated a secret key, use the utility encryptWssePolicy to encrypt the passwords in the WSSE files. The -s flag encrypts all passwords in the listed WSSE files in place. For example, assuming that BEA_HOME is C:/bea, the following command encrypts the passwords in the sample SamplesApp/WebServices/security/security/wsse/callback.
C:\bea\weblogic81\common\bin\encryptWssePolicy.cmd -s C:\bea\weblogic81\samples\workshop\SamplesApp\APP-INF\classes\pwdEncryptionInfo.key C:\bea\weblogic81\samples\workshop\SamplesApp\WebServices\security\wsse\callback\client\TargetControlPolicy.wsse C:\bea\weblogic81\samples\workshop\SamplesApp\WebServices\security\wsse\callback\target\TargetPolicy.wsse
When the WSSE files are compiled, the CLASS files will no longer show the passwords in clear text.
At runtime, WebLogic Server will decrypt the passwords using pwdEncryptionInfo.key when necessary.
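The following script is an added example, not part of this page or of the BEA utilities: it builds the encryptWssePolicy -s invocation shown above for every .wsse file under an application root (key taken from APP-INF/classes as instructed) and, after compilation, checks that no CLASS file still embeds a given clear-text password. The .wsse search, the CLASS scan and the constructed sample layout are this script's own assumptions.

```python
"""Wraps the page's procedure: build the encryptWssePolicy call for every .wsse
file in a Workshop app and, after compilation, check that no CLASS file still
holds a clear-text password. Search, scan and sample layout are assumptions here."""
import os
import subprocess
import sys

KEY_NAME = "pwdEncryptionInfo.key"  # file written by generateSecretKeyFile

def find_files(root, suffix):
    """Sorted paths under root whose name ends in suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.endswith(suffix))
    return sorted(hits)

def build_encrypt_command(bin_dir, app_root, tool="encryptWssePolicy.cmd"):
    """encryptWssePolicy -s <key> <wsse files...>, with the key read from
    APP-INF/classes as the page instructs (.cmd follows the page's Windows example)."""
    key = os.path.join(app_root, "APP-INF", "classes", KEY_NAME)
    wsse_files = find_files(app_root, ".wsse")
    if not wsse_files:
        raise FileNotFoundError("no .wsse files under %s" % app_root)
    return [os.path.join(bin_dir, tool), "-s", key] + wsse_files

def classes_leaking(classes_dir, cleartext_passwords):
    """Scan compiled .class files for each clear-text password. An ASCII string
    constant sits byte-for-byte in the constant pool, so a substring search
    suffices. Returns (class file, password) pairs that still leak."""
    leaks = []
    for path in find_files(classes_dir, ".class"):
        with open(path, "rb") as fh:
            blob = fh.read()
        leaks.extend((path, p) for p in cleartext_passwords if p.encode() in blob)
    return leaks

def build_sample_app(root):
    """Constructed dry-run layout: two empty .wsse files and one fake CLASS file
    that still embeds the constructed password 'weblogic'. Returns classes dir."""
    classes = os.path.join(root, "APP-INF", "classes")
    wsse = os.path.join(root, "WebServices", "wsse")
    os.makedirs(classes, exist_ok=True)
    os.makedirs(wsse, exist_ok=True)
    for name in ("B.wsse", "A.wsse"):
        open(os.path.join(wsse, name), "w").close()
    with open(os.path.join(classes, "Leak.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe\x01\x00\x08weblogic")  # CONSTANT_Utf8 "weblogic"
    return classes

if __name__ == "__main__":  # usage: <BEA_HOME/weblogic81/common/bin> <app root>
    subprocess.run(build_encrypt_command(sys.argv[1], sys.argv[2]), check=True)
```

Run classes_leaking against APP-INF/classes after the build with the passwords you expect to have been encrypted; an empty result is the check that the CLASS files no longer carry them in clear text.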