Decrypting Sailpoint IdentityIQ (IIQ) "encrypted" passwords

, posted: 21-Feb-2019 14:27

Sailpoint IdentityIQ (IIQ) lets you create "encrypted" passwords so that you can store them in config files, for example the database credentials that are stored within the file.




There are two versions of the symmetric encryption: either "AES" or "AES/CBC/PKCS5Padding".

If it's a legacy AES one then the format is as above: "key number : encrypted password".

If it's the newer "AES/CBC/PKCS5Padding" format then they insert "ACP" as an additional field with the same colon separator, so it becomes: "1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno="
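As an added example (not Sailpoint's code, and it performs no decryption), here is a Python parser for the two string layouts just described. Its defensive use is inventory: once `addKey` has generated key 2, it tells you which stored values are still bound to key 1 and so have not been re-encrypted. The property names in the sample text are constructed, and the assumption that a well-formed payload decodes to whole 16-byte AES blocks is mine, consistent with the two samples on this page (16 and 32 bytes).

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# The two string layouts described in the post:
#   legacy : "<key id>:<base64 ciphertext>"        -> cipher "AES"
#   newer  : "<key id>:ACP:<base64 ciphertext>"    -> cipher "AES/CBC/PKCS5Padding"
LEGACY_CIPHER = "AES"
ACP_CIPHER = "AES/CBC/PKCS5Padding"

_ENC_RE = re.compile(r"^(?P<key>\d+):(?:(?P<acp>ACP):)?(?P<b64>[A-Za-z0-9+/]+={0,2})$")


@dataclass(frozen=True)
class IIQEncryptedValue:
    key_id: int          # keystore alias ("1", "2", ...) the value was encrypted under
    cipher: str          # LEGACY_CIPHER or ACP_CIPHER
    ciphertext: bytes    # decoded payload; never decrypted here


def parse_iiq_encrypted(value: str) -> Optional[IIQEncryptedValue]:
    """Parse an IIQ encrypted string, or return None if it is not one.

    The base64 is validated strictly so truncated or hand-edited values are
    rejected instead of being silently accepted as 'encrypted'.
    """
    m = _ENC_RE.match(value.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Assumption (mine, consistent with the page's samples of 16 and 32 bytes):
    # a well-formed payload is a whole number of 16-byte AES blocks.
    if len(raw) == 0 or len(raw) % 16 != 0:
        return None
    cipher = ACP_CIPHER if m.group("acp") else LEGACY_CIPHER
    return IIQEncryptedValue(int(m.group("key")), cipher, raw)


# Constructed sample text; the property names are invented for illustration.
SAMPLE_PROPS = """\
# constructed sample, not a real IIQ properties file
db.user=identityiq
db.password=1:iCAlakm5CVUe7+Q6hVJIBA==
mail.password=2:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
plain.value=not-encrypted
"""

_CANDIDATE_RE = re.compile(r"\d+:(?:ACP:)?[A-Za-z0-9+/]+={0,2}")


def find_values_using_key(text: str, key_id: int) -> List[str]:
    """List every encrypted value in a config blob that is bound to key_id.

    After `addKey` has generated key 2, running this with key_id=1 shows what
    has not yet been re-encrypted under the new key.
    """
    hits = []
    for candidate in _CANDIDATE_RE.findall(text):
        parsed = parse_iiq_encrypted(candidate)
        if parsed is not None and parsed.key_id == key_id:
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_PROPS.splitlines():
        _, _, val = line.partition("=")
        print(f"{line!r:72} -> {parse_iiq_encrypted(val)}")
    print("still on key 1:", find_values_using_key(SAMPLE_PROPS, 1))
```

The strict base64 check and the block-length check mean a value that merely looks like `1:something` is reported as not encrypted, which is what you want when auditing a config tree rather than guessing.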


Sailpoint cleverly supports decrypting the "encrypted" passwords if you pass a "special" system property on the command line when calling identityiq.jar (which is what the iiq command line tool calls). I found this by decompiling identityiq.jar: in sailpoint.server.KeyStoreConsole they had byte-encoded the string they required (facepalm).




So you call Sailpoint command line using:

java -cp WEB-INF/lib/identityiq.jar -Dsailpoint.keyStore.consoleContext=magellan sailpoint.launch.Launcher keystore


You will see there are two new commands at the end, "encrypt" and "decrypt":

> ?

Console Commands

? display command help
help display command help
echo display a line of text
quit quit the shell (same as exit)
exit exit the shell (same as quit)
source execute a file of commands
properties display system properties
time show how much time a command takes to run.
xtimes Run a command x times.
addKey Generate a new encryption key, the key will be securly generated and random.
list List the contents of the keystore.
master Change the master password and re-encrypt the keystore using the new master.
use Specify the keystore and master file to use when interacting with an alternate keystore.

> decrypt
decrypt <string>

If you have added a custom key rather than using the standard supplied one, encrypt defaults to the latest key.

> encrypt hello

But you can encrypt using key 1

> encrypt hello 1

Or specify key 2

> encrypt hello 2

Then decrypt by just pasting the whole string in.

> decrypt 1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=

Or the standard database password stored in the config file:

> decrypt 1:iCAlakm5CVUe7+Q6hVJIBA==

You'll also notice that the list option displays the generated AES keys in base64 format, which is kinda handy.

> addKey
Generate a new encryption key (y/n)?
Generating a new encryption key for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
New encrpytion key successfully saved to keystore.
All application servers must be restarted for changes to take effect.
> list
Listing contents for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
KeyAlias Algorithm Format Object

2 AES RAW lcECExlG4AF/ehwvZ9SIKw==


Thanks sailpoint for making decrypting passwords so easy.

Useful SNMP OIDs for Home Automation

, posted: 14-Jan-2019 17:37

I've been playing with Home Assistant and using a few devices around my home network so thought it would be useful to document some of the useful SNMP OIDs I have found:


Device SNMP OID On Value Off Value Notes
APC 7920 PDU . 1 2 Increment the last value of the OID for the port number.
Raritan PX2-2190R . 1 0 Increment the last value of the OID for the port number.
Cisco 3750 PoE Switch inline power . 1 4 Increment the last value of the OID for the port number. Integer 4 is "disabled" and 1 is Auto




Device SNMP OID Notes
Raritan DPX-T2H2 sensor for PX2-2190R Temp . Need to divide number by 10 to get decimal place as it is an integer. The DPX-T2H2 has two sensors and the second sensor has the OID value of .3
Raritan DPX-T2H2 sensor for PX2-2190R Humidity . Humidity and the second sensor is .4
Raritan PX2-2190R . Rms Current
Raritan PX2-2190R . Rms Voltage
Raritan PX2-2190R . Active Power
Raritan PX2-2190R . Apparent Power
Raritan PX2-2190R . Power Factor
Raritan PX2-2190R . Active Energy
Raritan PX2-2190R . Active Energy
APC NMC AP9335T . Need to divide number by 10 to get decimal place as it is an integer


New Zealand Dialing validation regex

, posted: 10-Sep-2018 16:10

Was doing some work with the NZ dialing plan and needed to write some regex to validate NZ numbers. Using the information from the NAD, this is what I ended up with:

Local area codes 03,04,06,07,09 are all 8 digits long including the 0
Mobiles 0201 to 0206 are either 10 or 11
Mobiles 0211 and 0212 are 10
Mobiles 0213 to 0219 are 9 
Mobiles 022, 027 and 029 are 10
Mobiles 028 are 9 to 11 digits
I could be wrong here, but that was my understanding. Feel free to comment on the above if any of it is incorrect.
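As an added example (mine, not the regex from the post, which did not survive on this page), here is the rule set above encoded in Python, with one alternation per rule so any single rule can be corrected in place. It goes slightly beyond the post by normalising spaces, hyphens and a +64 / 0064 prefix back to the domestic form before matching. One caveat: the post gives landlines as 8 digits, while current NZ geographic numbers are a 0x area code plus a 7-digit subscriber number (9 digits); the landline alternation below follows the post as written, so adjust that line if you need the 9-digit form.

```python
import re

# Each alternation is one rule from the post; digit counts include the leading 0.
NZ_NUMBER_RE = re.compile(
    r"(?P<landline>0[34679]\d{6})"      # 03/04/06/07/09: 8 digits, as the post states
    r"|(?P<mobile>"
    r"020[1-6]\d{6,7}"                    # 0201-0206: 10 or 11 digits
    r"|021[12]\d{6}"                      # 0211, 0212: 10 digits
    r"|021[3-9]\d{5}"                     # 0213-0219: 9 digits
    r"|02[279]\d{7}"                      # 022, 027, 029: 10 digits
    r"|028\d{6,8}"                        # 028: 9 to 11 digits
    r")"
)


def normalise_nz_number(raw: str) -> str:
    """Drop spaces, hyphens and brackets; fold a +64 or 0064 prefix back to the trunk 0.

    International format omits the trunk 0, so "+64 21 ..." becomes "021 ...".
    """
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("+64"):
        digits = "0" + digits[3:]
    elif digits.startswith("0064"):
        digits = "0" + digits[4:]
    return digits


def classify_nz_number(raw: str):
    """Return 'landline', 'mobile', or None when the number matches no rule.

    fullmatch() is used so a number with too many digits cannot pass on a prefix.
    """
    m = NZ_NUMBER_RE.fullmatch(normalise_nz_number(raw))
    return m.lastgroup if m else None


def is_valid_nz_number(raw: str) -> bool:
    return classify_nz_number(raw) is not None


if __name__ == "__main__":
    # Constructed sample inputs covering each rule plus a couple of rejects.
    for n in ["04 123 456", "021 123 4567", "+64 21 123 4567", "0213 12345",
              "0213 123456", "0201 123 4567", "028 1234 5678", "0800 123 456"]:
        print(f"{n:18} -> {classify_nz_number(n)}")
```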

Akamai IP Reputation Filter

, posted: 31-May-2018 11:53

So today I had an interesting issue where I was unable to access a web site from a customer's internet connection.

It seems that Akamai IP Reputation Filter has for some reason decided that the reputation of this IP address has some random issue that will prevent me from accessing their web site.

The sites I can't access include:

When I attempt to access the sites I get:


Access Denied

You don't have permission to access "" on this server.

Reference #18.67ff6dcb.1527719015.a6cebb8


At no point in the above do you have any idea this is related to the Akamai Web Application Firewall blocking you. There are a number of not particularly helpful posts on the Akamai community talking about the issue.

And none of them provide any real resolution apart from contacting the site you are trying to access and then they can contact Akamai and figure out why.

So after a lengthy conversation it turns out the only way to resolve the issue is to send an email to "support at" and then hopefully get to the bottom of why you are blocked.

My first email consisted of:


Akamai does not block users from accessing our customers’ websites. However, our customers can use tools and policies which may in turn block you (the end user). Our customers use these rules to protect them and you from malicious actors on the internet.

We have checked the logs you provided and have found you are being blocked because of a Web Application Firewall rule being triggered by your IP address. The most likely reason that a company or an end user may be blocked from several sites is due to Reputation-based blocking.  Billions of IP addresses interact with the Akamai Intelligent Platform every month, and the Client Reputation module provides information regarding the reputation of each of them. Customers with this module enabled can block IP addresses whose reputation exceeds a certain configurable threshold.

Some other reasons that a block may be happening are:

Explicit IP blocking / blacklisting

Location-based blacklisting

Rule-based blocking (i.e. web application firewall protections)

HTTP request rate controls (e.g. DoS protections)

We cannot unblock your IP address as it is the Akamai clients who make up the rules to block certain customers. You can check directly with the website owners why your IP is being blocked if you feel you have not done any harm or any illegal activities on the site you are being blocked.

Having said this, I have checked x.x.x.x and it's not being blocked.


So that's no use at all, as we are still blocked. When I finally manage to figure out how to unblock our IP address I will update this blog.

Bogon Filtering using Regex

, posted: 24-Jan-2018 13:16

I had to filter the Bogon ranges (RFC1918 + CGNAT (RFC6598) + Loopback (RFC990) + Link Local (RFC3927)) from within a proxy server I was setting up. RFC5735 covers a lot of the non-routable addresses in a single RFC, with the exception of CGNAT. I used this page as a start and tweaked it to my own requirements.

My regex testing site of preference is: as it has an excellent UI to test with and breaks out what the regex is doing.

This is the regex I ended up with:


Reading it, the regex blocks the following ranges:

Regex: ((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})

Explanation: A non-capture group (?:) matches 10 or 127, then ". + 1-255" is matched {3} times as a non-capture group.

Regex: ((?:192\.168|169\.254)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: A non capture group ?: match 192.168 or 169.254 then capture ". + 1-255" {2} times as a non capture group.

Regex: (172\.(?:1[6-9]|2[0-9]|3[0-1])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: "172." then non capture group 16-19 or 20-29 or 30-31 then capture ". + 1-255" {2} times as a non capture group.

Regex: (100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})

Explanation: "100." then non capture group 64-69 or 70-99 or 100-119 or 120 to 127 then capture ". + 1-255" {2} times as a non capture group.
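As an added example (mine, not from the post), the four patterns above are assembled in Python and exercised against constructed addresses. Two things it shows that the prose does not: the octet alternation actually accepts 0 through 255, not 1 through 255, and the patterns carry no anchors, so used as a substring search they also match "2127.0.0.1" and "10.1.2.300". The anchored variant below is the one to use in a proxy ACL, and the dictionary keys naming each range are mine.

```python
import re
from typing import Optional

OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"   # one dotted-quad octet, 0-255

# The four patterns from the post (with balanced parentheses), keyed by the
# range each one is meant to cover.
BOGON_PATTERNS = {
    "10/8 and 127/8":            rf"(?:10|127)(?:\.{OCTET}){{3}}",
    "192.168/16 and 169.254/16": rf"(?:192\.168|169\.254)(?:\.{OCTET}){{2}}",
    "172.16/12":                 rf"172\.(?:1[6-9]|2[0-9]|3[0-1])(?:\.{OCTET}){{2}}",
    "100.64/10 (CGNAT)":         rf"100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])(?:\.{OCTET}){{2}}",
}

BOGON_RE = re.compile("|".join(BOGON_PATTERNS.values()))


def is_bogon_unanchored(host: str) -> bool:
    """Behaviour of the post's regex as written: a substring search."""
    return BOGON_RE.search(host) is not None


def is_bogon(host: str) -> bool:
    """Hardened check: the whole host string must be exactly one bogon quad."""
    return BOGON_RE.fullmatch(host) is not None


def bogon_range(host: str) -> Optional[str]:
    """Name the range a bogon host falls in, or None if it is not a bogon."""
    for name, pattern in BOGON_PATTERNS.items():
        if re.fullmatch(pattern, host):
            return name
    return None


if __name__ == "__main__":
    # Constructed samples, including two that only the anchored check gets right.
    for h in ["10.1.2.3", "172.31.255.255", "100.64.0.1", "8.8.8.8",
              "2127.0.0.1", "10.1.2.300"]:
        print(f"{h:16} unanchored={is_bogon_unanchored(h)!s:5} "
              f"anchored={is_bogon(h)!s:5} range={bogon_range(h)}")
```

If the proxy applies the pattern to a full host header rather than a bare address, anchor it there as well, or a hostname that merely contains a private-looking quad will be blocked while a padded address slips through.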


Hope someone finds this useful.

Extracting encrypted passwords from Sun Identity Manager

, posted: 2-Nov-2011 20:25

For my sins I am using Sun IDM.  And I was somewhat disappointed at how easy it is to extract any password from Sun IDM without needing any authentication.  As long as you have command line access to call the LH you can extract the configurator password.  Here are a few links I found on this topic.

The second link includes the javascript code needed, but a session needs to be established first.  So this is the modified code I used.

/* Decrypt Sun IDM Passwords */
/* An internal session must exist before EncryptedData can be decrypted */
var _lhSession = new InternalSession();
/* arguments[0] is the encrypted string passed on the lh command line */
print("Encrypted = " + arguments[0]);
var pwd = new EncryptedData(arguments[0]);
print("Decrypted = " + pwd.decryptToString());
/* End */

Then have the above script called pwd.js.  Calling it as shown below:

./lh js pwd.js "3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw=="
Encrypted = 3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw==
Decrypted = configurator

So... to get the encrypted password you want, a modified version of the JS to take an input file and return the passwords:

/* Decrypt Sun IDM Passwords */
var _lhSession = new InternalSession();
/* arguments[0] is an input file with one user name per line */
var file = new FileReader(arguments[0]);
var br = new BufferedReader(file);
var line;
while ((line = br.readLine()) != null) {
    var obj = _lhSession.getObject(Type.USER, line);
    var pwd = new EncryptedData();
    print(obj.getName() + "," + pwd.decryptToString());
}
br.close();
/* End */

Plus I've now got the offline decryption working too by extracting the encryption key:

$WSHOME/bin/lh console -c "getObject EncryptionKey *"

And the Misc data:

/* Extract Misc Data */
var _lhSession = new InternalSession();
var obj = _lhSession.getObject(Type.MISCELLANEOUS, "miscData");
print("Result" + obj.toXml());
/* End */

Then call the javascript:

$WSHOME/bin/lh js misc.js

Using the code shown above from Dark Edges.

Sad.. But true.

NZ Cell Site location information - Now with Google Fusion Tables!

, posted: 26-Aug-2011 13:00

Many of you may know that I have an existing blog entry with KML files you can download or load up in Google Earth here:

So... Now thanks to Mark Hansen and his great work drawing all the links nationwide,

I've come to learn of Google Fusion Tables.  Now the super cool thing about Fusion Tables is you can map data from a table in fusion tables directly into Google Maps and not have the annoying 1000 Placemark limit you have with KMLs plus sluggish response when loading a KML file into Google Maps.

With Google Fusion you can either map directly from within Fusion from your dataset, or write up a small web page and do some pretty stuff.  I've got the web page so that I can add a Fusion Tables style in, so all the place marks have a "T"/"V" etc depending on whether it's a Telecom or Vodafone site.

Try V2 of The NZ Cell Information:

If you look in the html it lists the Fusion Table data that I extracted out of RSM which can be found here: 1355049

NZ Cell Site Information

, posted: 26-Sep-2010 14:52

I have extracted the data out of the Radio Spectrum Management Database Spectrum Search Lite. RSM is the Government agency that controls all radio frequencies in NZ. They kindly put up their whole database as an Access 97 DB free for download (Yay for Open Govt!).  So these are the frequencies that the companies are allowed to transmit from, not necessarily an actual Cell Site.  But more often than not it IS a cell site.
First I transferred the Access Database into a SQLite Database using mdb-sqlite. Then using a SQL Query and Saxon I manipulated the files into KML Files.


I've been playing around with Google Fusion thanks to Mark Hanson's great entry showing how he used the RSM data to get all the radio links:

Now I have a Google Fusion site showing all sites.

Update: I've just added Carrier specific kml's with icons at each site saying what frequencies are transmitted from that site.

Update, this is a work in progress with updated data and displaying the data slightly differently.

RSM Database dump 20 June 2011

If you want a copy of the whole archive to create the KMLs from the RSM Database download just PM me and I will send you the link.

All Sites

All Cell Sites by Carrier:
This lists all Cell Sites broken down by carrier.  The Google Maps 1000 Feature Limit means that it won't load properly in anything other than Google Earth.
KML and Google Maps Link

This has just Telecom, Voda, 2Deg and Woosh, and all the frequencies on a per-site basis.  It still doesn't open very well in Google Maps due to the large number of Placemarks.
And a GPS with the Site Name - Provider and Location all in the Name string: or Google Maps Link


All Telecom Sites: CDMA, XT850 and XT2100
KML or Google Maps Link

Telecom CDMA:
KML or Google Maps Link
Telecom XT 850 Mhz:
KML or Google Maps Link
Telecom XT 2100 Mhz:
KML or Google Maps Link


All Vodafone Sites: 900, 1800 and 2100
KML or Google Maps Link

Vodafone GSM 900:
KML or Google Maps Link
Vodafone GSM 1800:
KML or Google Maps Link
Vodafone WCDMA 2100:
KML or Google Maps Link

Note: I'm not sure which 900Mhz sites are 2G and which are 3G Extended.  This isn't registered in RSM since Vodafone own the frequency and can do what they like with it.

Two Degrees

All Two Degrees Sites: 900, 1800 and 2100
KML or Google Maps Link

Two Degrees GSM 900:
KML or Google Maps Link
Two Degrees GSM 1800:
KML or Google Maps Link
Two Degrees WCDMA 2100:
KML or Google Maps Link

Custom Two Degrees Maps

And New Cell Site Locations (that only have microwave backhaul so far).

KML or Google Maps Link

And All 2D Locations across the country.

KML or Google Maps Link


Woosh TD-CDMA 2067.5:
KML or Google Maps Link

Any other mobile networks I should add, just PM me.

Feel free to redistribute in any format you want, as this is public information from RSM anyway.

Fun with Snapper - Take 1

, posted: 20-Jul-2009 08:15

After getting a Snapper USB I thought I would look into what it's all about a bit more, and see if I can see what's going on and look into the card using Linux.

Firstly it took a while to figure out where to find the USB driver software, as the Snapper site isn't exactly obvious on where you download it from:

<- The main start page
<- Download the ActiveX control
<- Download either the USB or Snapper Feeder driver

Or direct links:

<- Phone home to see if it all works.

Ok, so you can start off with getting the ActiveX control installed; this is why you need IE (ugh).

Then after I had the drivers installed I found out it's a smartcard, in fact a JCOP 3.1 card as per its ATR. Using standard smartcard interrogation tools, I found the ATR for the USB is: "3B 69 00 FF 4A 43 4F 50 33 31 56 32 32", which means it's a JCOP 31 v22 72K as per:

Ok, so it's a pretty secure card, banking quality, so doing anything untoward is pretty much out. Now on to see if I can get GPShell working with it: ... Watch this space.

Gemini image blowing up Clone Dreamboxes

, posted: 19-Apr-2008 14:14

Just an FYI for you clone Dreambox owners out there.

It seems that in an "Attack on the Clones" the Gemini team have released a kill switch as part of their 4.x (but especially 4.3 and 4.31) images. After you have been running the image for a while it will brick your clone DM500 to the point that you will never be able to get it back.

My recommendation is to run the PLi image, but for those looking at putting a Gemini image on your clone box ... just say no.

BarTender's profile

Bar Tender
New Zealand