Cool Tools 10: Base64 Decoder

Generally, my Cool Tools articles feature tools that are novel, unique, or otherwise helpful when managing WebCenter Interaction portals, or other applications that can help augment (or – dare I say, replace?) it.  Today’s Cool Tool is in a category where apps are a dime a dozen.  So, let’s call, uh,’s Base64 Decoder a Cool Tool:

Why highlight a dime-a-dozen online app that’s pretty much just a free online tool?  Because today I’m going to explain a bit about how Basic Authentication works between the portal and remote tier, and show you a trick to answer a question that you may have come across during your portal administration:  what password has been configured for the “authenticationid” in the portal for ALUI Publisher Remote Server (or Collaboration Server, for that matter)?  In the process (after the break), hopefully you’ll get a little insight into why it’s not all that secure in and of itself.

Let’s say you’ve inherited an environment where the Publisher or Collaboration Remote Server isn’t working because the portal’s Remote Server password doesn’t match the password required by one of those apps.

The easiest thing to do is to change the password in two places: update the Remote Server object in the portal to use the new password, then change it in the application (Publisher or Collab).  To change the password in Collaboration Server, you would just use the Configuration Manager on that machine.  Changing it in Publisher is a little harder because the value is encrypted in C:\bea\alui\ptcs\6.5\settings\config\container.conf.  But pcsencrypt.bat will allow you to easily create the encrypted value.

But if you don’t want to change the password in the portal, you can pretty easily see what password the portal is sending by sniffing the traffic between the portal and the Remote Server.  The user name and password are just sent as a Basic Authentication header to the portlet server.  Basic Authentication is encoded (specifically, Base64-encoded) but not encrypted, which means that it’s not all that secure if you’re not using SSL.  Let’s take a look at what’s happening between the portal and Publisher during an HTTP request:

While the value for the Authorization header looks pretty secure, it’s not.  Just take that text value and paste it into the Base64 decoder above, and you’ll see that it’s just a user/password combination in the form of “user:pass” – in this case “authenticationid:authenticationid”.  You could then update the password in the respective applications with these credentials, and everything should start working again – no need to update the Remote Server objects!
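The same decoding can be done offline instead of pasting a credential into a website. The script below is an added example, not code from the portal or the original post: it decodes Basic Authorization headers and lists the requests that carry them without SSL. The hostnames, paths and sample requests are constructed placeholders, and the function names are hypothetical.

```python
import base64
import binascii

def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, or None
    if it is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def exposed_credentials(requests):
    """Return [(url, user)] for requests sending Basic credentials without TLS."""
    found = []
    for url, headers in requests:
        auth = next((v for k, v in headers.items()
                     if k.lower() == "authorization"), None)
        creds = decode_basic(auth) if auth else None
        if creds and url.lower().startswith("http://"):
            found.append((url, creds[0]))
    return found

def _basic(user, password):
    # Helper used only to build the constructed sample headers below.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample requests (placeholder hosts and paths, not real traffic).
SAMPLE = [
    ("http://remote.example/ptcs/portlet",
     {"Authorization": _basic("authenticationid", "authenticationid")}),
    ("https://remote.example/collab/portlet",
     {"authorization": _basic("authenticationid", "pa:ss")}),
    ("http://remote.example/other", {"Authorization": "Bearer abc.def"}),
    ("http://remote.example/bad", {"Authorization": "Basic !!!not-base64"}),
]

if __name__ == "__main__":
    for url, user in exposed_credentials(SAMPLE):
        print(f"cleartext Basic credentials for {user!r} sent to {url}")
```

Only the first sample request is reported: the second uses SSL, the third is not Basic, and the fourth is not valid Base64.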
