Oracle WebLogic Server
Oraclemiddleware3 credentials
WebLogic Administrator Password
oracle-weblogic / administrator-password
WebLogic Server security realms authenticate users for administrative and application access. Oracle documents security realms, authentication providers, and user/password protection in WebLogic Server.
Location
WebLogic embedded LDAP or configured authentication provider storing users and password verifier material
Administration Console, Node Manager, T3/HTTP management endpointsWebLogic administrative login surfaces
domain config, provisioning scripts, and security provider configuration
credential stores, deployment vaults, Kubernetes Secrets, and domain secrets
domain templates, WLST scripts, Docker Compose files, and committed config
domain creation logs, boot logs, and authentication troubleshooting output
Notes
WebLogic administrator passwords are chosen during domain creation or provisioning; there is no universal static WebLogic administrator password.
Boot Identity File Credential
oracle-weblogic / boot-identity-file
WebLogic Server can use boot identity files to start servers without interactively entering the administrator username and password. These files contain boot credentials that WebLogic protects after use.
Looks like
pattern^(?:username|password)\s*=\s*[^\r\n]+$Location
boot.propertiesWebLogic server boot identity file
domain backups, Kubernetes Secrets, and provisioning vault entries
committed domains, container images, and WLST provisioning scripts
domain archives and server backups containing boot.properties
startup traces and provisioning output showing boot identity file locations
Notes
Even if WebLogic later encrypts the file contents, boot identity files in backups or images remain sensitive operational credentials.
Credential Mapping / Data Source Secret
oracle-weblogic / credential-mapping-secret
WebLogic security includes credential mapping providers and supports stored credentials for data sources, JMS, and outbound resources. WebLogic protects passwords in configuration but they remain sensitive deployment secrets.
Location
config.xml, JDBC data source descriptors, JMS modules, and deployment plans
WebLogic credential stores, domain encryption key material, Kubernetes Secrets, and vaults
domain templates, WLST scripts, and committed deployment plans
domain backups and container images containing encrypted configuration
Notes
Domain encryption key material plus encrypted configuration can expose downstream database, LDAP, JMS, and service credentials.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.