Repository password is not encrypted in OpenIDM 4.x log and configuration files

Last updated Oct 11, 2021

The purpose of this article is to provide information on encrypting the repository password in OpenIDM. The repository password is shown in clear text in the OpenIDM log and the configuration files (repo.jdbc.json or datasource.jdbc-default.json).


This article has been archived and is no longer maintained by ForgeRock.


The repository password is shown in clear text in the following files: the OpenIDM log file, and repo.jdbc.json or datasource.jdbc-default.json.


There is a known security issue, which is detailed as issue #201602-01: Unencrypted Repo JDBC Password: OpenIDM Security Advisory #201602

Recent Changes

Upgraded to OpenIDM 4.x.


Passwords specified in the repo.jdbc.json file or the datasource.jdbc-default.json file are no longer automatically encrypted during the initial startup of OpenIDM. 


This issue can be resolved by upgrading to IDM 5 or later; you can download this from BackStage.


Alternatively, you can encrypt the repository password using the OpenIDM Command-Line Interface (CLI). This is accessed using the cli.sh command (Linux® and Unix®) or the cli.bat command (Microsoft® Windows®). The following process uses the cli.sh command; substitute cli.bat if you use Microsoft Windows.

To encrypt the repository password:

  1. Ensure you have performed an initial start of the OpenIDM instance with the correct JDBC password specified in the repo.jdbc.json file or the datasource.jdbc-default.json file, and that the instance started and functions correctly.
  2. Shut down the OpenIDM instance.
  3. Execute the ./cli.sh encrypt command within the root of the OpenIDM installation:

       $ cd /path/to/openidm
       $ ./cli.sh encrypt [JDBCpassword]

  4. Copy the encrypted value from the output of the CLI. This includes everything between the -----BEGIN ENCRYPTED VALUE----- and ------END ENCRYPTED VALUE------ lines. For example:

       -----BEGIN ENCRYPTED VALUE-----
       {
         "$crypto" : {
           "value" : {
             "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
             "data" : "7rol/iYruQ4xauop0hq6cQ==",
             "cipher" : "AES/CBC/PKCS5Padding",
             "key" : "openidm-sym-default"
           },
           "type" : "x-simple-encryption"
         }
       }
       ------END ENCRYPTED VALUE------

  5. Edit the repo.jdbc.json file or the datasource.jdbc-default.json file and replace the value of the password property with the encrypted value you copied in step 4. For example, the password property would now look like this:

       "password" : {
         "$crypto" : {
           "value" : {
             "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
             "data" : "7rol/iYruQ4xauop0hq6cQ==",
             "cipher" : "AES/CBC/PKCS5Padding",
             "key" : "openidm-sym-default"
           },
           "type" : "x-simple-encryption"
         }
       },

  6. Save the changes you made to the repo.jdbc.json file or the datasource.jdbc-default.json file.
  7. Start the OpenIDM instance. It will now read the encrypted value from the repo.jdbc.json file or the datasource.jdbc-default.json file and will no longer output the password in clear text in the log file.

If you are running a cluster, you will need to perform the above process on each of the nodes in the cluster.
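The following is an added example, not part of this article or of OpenIDM itself: it automates steps 4 and 5 above by extracting the $crypto object from the BEGIN/END block printed by the CLI and substituting it for every clear-text password property in a parsed configuration file, and it doubles as an audit check that reports any password still stored as a plain string (useful when verifying each node of a cluster). The CLI output and the repo.jdbc.json fragment are constructed samples; the nesting of the password under a "connection" object is an assumption about the file layout.

```python
import json
import re

# Constructed sample of the cli.sh encrypt output from step 4 (the article's example values).
CLI_OUTPUT = """-----BEGIN ENCRYPTED VALUE-----
{ "$crypto" : { "value" : { "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
  "data" : "7rol/iYruQ4xauop0hq6cQ==", "cipher" : "AES/CBC/PKCS5Padding",
  "key" : "openidm-sym-default" }, "type" : "x-simple-encryption" } }
------END ENCRYPTED VALUE------
"""

# Constructed repo.jdbc.json fragment; nesting under "connection" is an assumption.
REPO_JDBC_JSON = '{"connection": {"username": "openidm", "password": "openidm"}}'

BLOCK_RE = re.compile(r"-+BEGIN ENCRYPTED VALUE-+\s*(.*?)\s*-+END ENCRYPTED VALUE-+", re.S)

def parse_encrypted_value(cli_output):
    """Extract the $crypto object printed between the BEGIN/END marker lines (step 4)."""
    m = BLOCK_RE.search(cli_output)
    if m is None:
        raise ValueError("no ENCRYPTED VALUE block found in CLI output")
    obj = json.loads(m.group(1))
    if not (isinstance(obj, dict) and "$crypto" in obj):
        raise ValueError("block does not contain a $crypto value")
    return obj

def walk_passwords(node, crypto=None, path=""):
    """List paths of clear-text 'password' strings; replace them in place if crypto is given."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}/{key}"
            if key == "password" and isinstance(val, str):
                hits.append(child)  # still clear text: the condition this article fixes
                if crypto is not None:
                    node[key] = crypto  # step 5: swap in the $crypto object
            else:
                hits.extend(walk_passwords(val, crypto, child))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            hits.extend(walk_passwords(val, crypto, f"{path}/{i}"))
    return hits

def encrypt_config(config_text, cli_output):
    """Return the parsed config with every clear-text password replaced by the CLI value."""
    config = json.loads(config_text)
    walk_passwords(config, parse_encrypted_value(cli_output))
    return config
```

Calling walk_passwords(json.loads(text)) without a $crypto object performs the audit only; an empty result means no clear-text password remains in that file.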

See Also

OpenIDM Integrator's Guide › OpenIDM Command-Line Interface

OpenIDM Integrator's Guide › Using the encrypt Subcommand

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.