Decrypting Sailpoint IdentityIQ (IIQ) "encrypted" passwords

Posted: 21-Feb-2019 14:27

Sailpoint IdentityIQ (IIQ) lets you create "encrypted" passwords so that you can store them in config files instead of plaintext, for example the database credentials kept in the iiq.properties file:


dataSource.username=identityiq
dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==


There are two versions of the symmetric encryption: the legacy "AES" transformation (which, under the standard Java JCE provider, resolves to ECB mode with PKCS5 padding) or the newer "AES/CBC/PKCS5Padding".

If it's a legacy AES value, the format is as above: "key alias:base64 ciphertext". The sample above decodes to a single 16-byte AES block.

If it's the newer "AES/CBC/PKCS5Padding" format, an "ACP" marker is inserted as an additional field with the same colon separator, so it becomes "1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=". These values decode to 32 bytes, twice the size of the legacy one for a short plaintext.
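The two formats above are simple enough to recognise mechanically, which is useful when auditing an IIQ deployment for where encrypted secrets live before feeding them to the console's decrypt command. The following is an added example, not code from the post or from Sailpoint: it parses a value into key alias, mode and raw ciphertext, rejects anything that is not well-formed base64 of whole AES blocks, and scans a constructed iiq.properties fragment (the dataSource lines are from the post; the ldap.bindPassword line and the bare "2:ACP:" sample are constructed from the post's own ciphertexts). It assumes key aliases are bare integers, as the post's "1" and "2" are.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Formats observed in iiq.properties (from the post):
#   legacy AES:            "<key alias>:<base64 ciphertext>"
#   AES/CBC/PKCS5Padding:  "<key alias>:ACP:<base64 ciphertext>"
# Assumption: the key alias is a decimal integer (the post only shows 1 and 2).
IIQ_SECRET_RE = re.compile(
    r"^(?P<alias>\d+):(?:(?P<acp>ACP):)?(?P<b64>[A-Za-z0-9+/]+={0,2})$"
)
AES_BLOCK = 16


@dataclass
class IIQSecret:
    key_alias: int
    mode: str          # "AES" (legacy) or "AES/CBC/PKCS5Padding" (ACP marker present)
    ciphertext: bytes  # decoded base64 payload, a whole number of AES blocks


def parse_iiq_secret(value: str) -> Optional[IIQSecret]:
    """Return the parsed secret, or None if the value is not an IIQ encrypted string."""
    m = IIQ_SECRET_RE.match(value.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Both transformations use PKCS5 padding, so the payload must be non-empty
    # and a multiple of the AES block size; anything else is not ciphertext.
    if not raw or len(raw) % AES_BLOCK != 0:
        return None
    mode = "AES/CBC/PKCS5Padding" if m.group("acp") else "AES"
    return IIQSecret(int(m.group("alias")), mode, raw)


def find_encrypted_properties(properties_text: str) -> Dict[str, IIQSecret]:
    """Map property name -> parsed secret for every encrypted value in a .properties file."""
    found: Dict[str, IIQSecret] = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, val = line.partition("=")
        secret = parse_iiq_secret(val)
        if secret is not None:
            found[key.strip()] = secret
    return found


# Constructed sample: dataSource.* lines are from the post, the rest is made up for illustration.
SAMPLE_PROPERTIES = """\
# database connection
dataSource.username=identityiq
dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==
ldap.bindDn=cn=svc-iiq,ou=service,dc=example,dc=com
ldap.bindPassword=2:ACP:VaziygP3Bmu/rwKayN4iWyjATKcJKlASg/8x4PRYnZg=
mail.host=smtp.example.com
"""

if __name__ == "__main__":
    for name, s in find_encrypted_properties(SAMPLE_PROPERTIES).items():
        print(f"{name}: key alias {s.key_alias}, {s.mode}, {len(s.ciphertext)} bytes of ciphertext")
```

Anything the scanner reports can be pasted straight into the keystore console's decrypt command; the key alias tells you which entry from the console's list output was used to encrypt it.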


Sailpoint cleverly supports decrypting these "encrypted" passwords if you pass a "special" system property on the command line when invoking identityiq.jar, which is what the iiq command-line tool calls. I found this by decompiling identityiq.jar, under sailpoint.server.KeyStoreConsole, where they had byte-encoded the string they required (facepalm).


sailpoint.keyStore.consoleContext=magellan


So, from the deployed identityiq directory, you start the keystore console with:

java -cp WEB-INF/lib/identityiq.jar -Dsailpoint.keyStore.consoleContext=magellan sailpoint.launch.Launcher keystore


You will see there are two extra commands at the end of the help listing, "encrypt" and "decrypt":

> ?

Console Commands

? display command help
help display command help
echo display a line of text
quit quit the shell (same as exit)
exit exit the shell (same as quit)
source execute a file of commands
properties display system properties
time show how much time a command takes to run.
xtimes Run a command x times.
about
addKey Generate a new encryption key, the key will be securly generated and random.
list List the contents of the keystore.
master Change the master password and re-encrypt the keystore using the new master.
use Specify the keystore and master file to use when interacting with an alternate keystore.
encrypt
decrypt

> decrypt
decrypt <string>

If you have created a custom key rather than using the standard supplied one, encrypt defaults to the latest key:

> encrypt hello
2:ACP:GmOPFExdXOZXjq69jlIujgk0JhfTxEbl9zF4BtK2MKo=

But you can encrypt using key 1:

> encrypt hello 1
1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=

Or specify key 2 explicitly (note that encrypting "hello" with key 2 a second time gives a different ciphertext from the first run above, so the CBC variant uses a fresh IV per encryption):

> encrypt hello 2
2:ACP:VaziygP3Bmu/rwKayN4iWyjATKcJKlASg/8x4PRYnZg=

Then decrypt by pasting the whole string in:

> decrypt 1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
hello

Or decrypt the standard database password stored in iiq.properties:

> decrypt 1:iCAlakm5CVUe7+Q6hVJIBA==
identityiq

You'll also notice that the list option displays the generated AES keys themselves in base64, which is rather handy; the key shown below decodes to 16 bytes, i.e. an AES-128 key.

> addKey
Generate a new encryption key (y/n)?
y
Generating a new encryption key for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
New encrpytion key successfully saved to keystore.
All application servers must be restarted for changes to take effect.
> list
Listing contents for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
KeyAlias Algorithm Format Object

2 AES RAW lcECExlG4AF/ehwvZ9SIKw==
>


Thanks, Sailpoint, for making decrypting passwords so easy.

Other related posts:
Extracting encrypted passwords from Sun Identity Manager
BarTender, Wellington, New Zealand