There are two versions of the symmetric encryption: either "AES" or "AES/CBC/PKCS5Padding".
If it is the legacy "AES" one, the format is as above: "key number:encrypted password".
If it is the newer "AES/CBC/PKCS5Padding" format, they insert "ACP" as an additional field with the same colon separator, so it becomes: "1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno="
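For anyone auditing a deployment, the two formats are easy to tell apart mechanically. The following is an added example (not code from the post or from SailPoint) that classifies a stored value as legacy "AES" or "AES/CBC/PKCS5Padding", records which key number it was encrypted under, and walks a .properties-style file flagging values that still use the legacy format or the shipped default key. It assumes key number 1 is the vendor-supplied default key and that the ciphertext blob is whole AES blocks; the sample file below is constructed, with the two blobs taken from the post.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two on-disk forms described above:
#   legacy "AES":             "<key number>:<base64 ciphertext>"
#   "AES/CBC/PKCS5Padding":   "<key number>:ACP:<base64 ciphertext>"
_LEGACY_RE = re.compile(r"^(?P<key>\d+):(?P<blob>[A-Za-z0-9+/]+=*)$")
_ACP_RE = re.compile(r"^(?P<key>\d+):ACP:(?P<blob>[A-Za-z0-9+/]+=*)$")

AES_BLOCK_SIZE = 16  # bytes; padded AES output is always whole blocks


@dataclass(frozen=True)
class EncryptedValue:
    key_number: int    # keystore alias the value was encrypted under
    mode: str          # "AES" (legacy) or "AES/CBC/PKCS5Padding"
    ciphertext: bytes  # decoded blob only; nothing here touches key material

    @property
    def uses_default_key(self) -> bool:
        # Assumption for this audit: key number 1 is the vendor-supplied default key.
        return self.key_number == 1

    @property
    def legacy(self) -> bool:
        return self.mode == "AES"


def parse_encrypted_value(value: str) -> Optional[EncryptedValue]:
    """Classify a SailPoint-style encrypted string; None if it is not one."""
    value = value.strip()
    m = _ACP_RE.match(value)
    mode = "AES/CBC/PKCS5Padding"
    if m is None:
        m = _LEGACY_RE.match(value)
        mode = "AES"
    if m is None:
        return None
    try:
        blob = base64.b64decode(m.group("blob"), validate=True)
    except binascii.Error:
        return None
    # A padded block-cipher blob is a non-empty multiple of 16 bytes.
    if len(blob) == 0 or len(blob) % AES_BLOCK_SIZE != 0:
        return None
    return EncryptedValue(int(m.group("key")), mode, blob)


def audit_properties(text: str) -> List[Tuple[str, int, str, str]]:
    """Report every encrypted value in a .properties-style file.

    Each finding is (property name, key number, mode, flag); flag is
    'legacy-format', 'default-key', 'legacy-format+default-key' or 'ok'.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        ev = parse_encrypted_value(raw)
        if ev is None:
            continue
        flags = []
        if ev.legacy:
            flags.append("legacy-format")
        if ev.uses_default_key:
            flags.append("default-key")
        findings.append((name.strip(), ev.key_number, ev.mode, "+".join(flags) or "ok"))
    return findings


# Constructed sample file (not a real deployment); the first two blobs are the
# ones quoted in the post, the third is 16 zero bytes encrypted under nothing at all.
SAMPLE_PROPERTIES = """\
# constructed iiq.properties excerpt
dataSource.username=identityiq
dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==
someConnector.password=1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
legacy.password=2:AAAAAAAAAAAAAAAAAAAAAA==
plain.setting=not-encrypted
"""

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPERTIES):
        print(finding)
```

Run against a real iiq.properties or exported XML the same way; anything flagged "legacy-format" or "default-key" is a candidate for re-encryption under a custom key once one has been added with addKey.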
SailPoint cleverly supports decrypting the "encrypted" passwords if you pass a "special" system property on the command line when calling identityiq.jar, which is what the iiq command line tool calls. I found this by decompiling identityiq.jar: under sailpoint.server.KeyStoreConsole they had byte-encoded the string they required (facepalm).
So you call the SailPoint command line using:
java -cp WEB-INF/lib/identityiq.jar -Dsailpoint.keyStore.consoleContext=magellan sailpoint.launch.Launcher keystore
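Because the property is the only thing separating ordinary keystore maintenance from the hidden encrypt/decrypt commands, it is a clean thing to alert on. The following is an added example (not from the post or from SailPoint) that scans process-creation log lines for the keystore console being launched, and raises the severity when the -Dsailpoint.keyStore.consoleContext property is present on the command line. The log format, host names, users and timestamps are constructed; the "console" launcher argument in the second sample line is assumed to be an ordinary, unrelated use of the same Launcher.

```python
import re
import shlex
from typing import Dict, Iterable, List

# Markers of the keystore console described above. The system property is the
# unusual part: normal server start-up and iiq console use do not set it.
CONSOLE_CONTEXT_PROPERTY = "sailpoint.keyStore.consoleContext"
LAUNCHER_CLASS = "sailpoint.launch.Launcher"
KEYSTORE_LAUNCHER_ARG = "keystore"

_PROP_RE = re.compile(r"^-D" + re.escape(CONSOLE_CONTEXT_PROPERTY) + r"(?:=(?P<value>.*))?$")


def inspect_command_line(cmdline: str) -> Dict[str, object]:
    """Extract the facts a detection rule cares about from one process command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to naive split
        argv = cmdline.split()
    facts: Dict[str, object] = {
        "sets_console_context": False,
        "console_context_value": None,
        "launches_keystore_console": False,
    }
    for arg in argv:
        m = _PROP_RE.match(arg)
        if m:
            facts["sets_console_context"] = True
            facts["console_context_value"] = m.group("value")
    if LAUNCHER_CLASS in argv:
        idx = argv.index(LAUNCHER_CLASS)
        facts["launches_keystore_console"] = KEYSTORE_LAUNCHER_ARG in argv[idx + 1:]
    return facts


def severity(facts: Dict[str, object]) -> str:
    if facts["sets_console_context"]:
        return "high"      # property present: encrypt/decrypt commands are unlocked
    if facts["launches_keystore_console"]:
        return "medium"    # keystore console without the property: still key management
    return "none"


def find_keystore_console_use(log_lines: Iterable[str]) -> List[dict]:
    """Scan constructed log lines of the form '<ts> <host> <user> cmd=<command line>'.

    Map your own EDR or auditd fields onto the same cmd= extraction.
    """
    hits = []
    for line in log_lines:
        _, _, cmd = line.partition("cmd=")
        if not cmd:
            continue
        facts = inspect_command_line(cmd)
        sev = severity(facts)
        if sev != "none":
            ts, host, user = line.split(maxsplit=3)[:3]
            hits.append({"ts": ts, "host": host, "user": user, "severity": sev, **facts})
    return hits


# Constructed sample log: normal Tomcat start-up, an ordinary console session,
# a plain keystore console, and the invocation described in the post.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z iiq-app01 tomcat cmd=java -Xmx4g -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start",
    "2024-05-01T10:05:12Z iiq-app01 ops cmd=java -cp WEB-INF/lib/identityiq.jar sailpoint.launch.Launcher console",
    "2024-05-01T10:07:43Z iiq-app01 ops cmd=java -cp WEB-INF/lib/identityiq.jar sailpoint.launch.Launcher keystore",
    "2024-05-01T11:12:09Z iiq-app01 jdoe cmd=java -cp WEB-INF/lib/identityiq.jar -Dsailpoint.keyStore.consoleContext=magellan sailpoint.launch.Launcher keystore",
]

if __name__ == "__main__":
    for hit in find_keystore_console_use(SAMPLE_LOG):
        print(hit["severity"], hit["user"], hit["ts"])
```

The rule keys on the property name rather than its value, so it still fires if the value ever changes between versions; the captured value is kept only for the analyst.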
You will see there are two new commands at the end, "encrypt" and "decrypt":
? display command help
help display command help
echo display a line of text
quit quit the shell (same as exit)
exit exit the shell (same as quit)
source execute a file of commands
properties display system properties
time show how much time a command takes to run.
xtimes Run a command x times.
addKey Generate a new encryption key, the key will be securly generated and random.
list List the contents of the keystore.
master Change the master password and re-encrypt the keystore using the new master.
use Specify the keystore and master file to use when interacting with an alternate keystore.
If you have created a custom key rather than using the standard supplied one, encrypt defaults to the latest key:
> encrypt hello
But you can encrypt using key 1:
> encrypt hello 1
Or specify key 2:
> encrypt hello 2
Then decrypt by pasting the whole string in:
> decrypt 1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
Or the database password stored in iiq.properties:
> decrypt 1:iCAlakm5CVUe7+Q6hVJIBA==
You'll also notice that the list option displays generated AES keys in base64 format, which is kinda handy.
Generate a new encryption key (y/n)?
Generating a new encryption key for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
New encrpytion key successfully saved to keystore.
All application servers must be restarted for changes to take effect.
Listing contents for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
KeyAlias  Algorithm  Format  Object
2         AES        RAW     lcECExlG4AF/ehwvZ9SIKw==
Thanks, SailPoint, for making decrypting passwords so easy.