Repository password is not encrypted in OpenIDM 4.x log and configuration files
The purpose of this article is to provide information on encrypting the repository password in OpenIDM. The repository password is shown in clear text in the OpenIDM log and the configuration files (repo.jdbc.json or datasource.jdbc-default.json).
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The repository password is shown in clear text in the following files:
- repo.jdbc.json or datasource.jdbc-default.json (located in the /path/to/openidm/conf directory) depending on which version of OpenIDM you are using. As of OpenIDM 4, the repository password has moved to the datasource.jdbc-default.json file as detailed in OpenIDM Integrator's Guide › Understanding the JDBC Repository Configuration File.
- OpenIDM log (located in the /path/to/openidm/logs directory).
Caution
There is a known security issue, which is detailed as issue #201602-01: Unencrypted Repo JDBC Password: OpenIDM Security Advisory #201602
Recent Changes
Upgraded to OpenIDM 4.x.
Causes
Passwords specified in the repo.jdbc.json file or the datasource.jdbc-default.json file are no longer automatically encrypted during the initial startup of OpenIDM.
Solution
This issue can be resolved by upgrading to IDM 5 or later; you can download this from BackStage.
Workaround
Alternatively, you can encrypt the repository password using the OpenIDM Command-Line Interface (CLI). This is accessed using the cli.sh command (Linux® and Unix®) or the cli.bat command (Microsoft® Windows®). The following process uses the cli.sh command; substitute cli.bat instead if you use Microsoft Windows.
To encrypt the repository password:
- Ensure you have performed an initial start of the OpenIDM instance with the correct JDBC password specified in the repo.jdbc.json file or the datasource.jdbc-default.json file and that the instance started and functions correctly.
- Shut down the OpenIDM instance.
- Execute the ./cli.sh encrypt command within the root of the OpenIDM installation:
$ cd /path/to/openidm
$ ./cli.sh encrypt [JDBCpassword]
- Copy the encrypted value from the output of the CLI. This includes everything between the -----BEGIN ENCRYPTED VALUE----- and ------END ENCRYPTED VALUE------ lines. For example:
-----BEGIN ENCRYPTED VALUE-----
{
  "$crypto" : {
    "value" : {
      "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
      "data" : "7rol/iYruQ4xauop0hq6cQ==",
      "cipher" : "AES/CBC/PKCS5Padding",
      "key" : "openidm-sym-default"
    },
    "type" : "x-simple-encryption"
  }
}
------END ENCRYPTED VALUE------
- Edit the repo.jdbc.json file or the datasource.jdbc-default.json file and replace the value of the password property with the encrypted value you copied in step 4. For example, the password property would now look like this:
"password" : {
  "$crypto" : {
    "value" : {
      "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
      "data" : "7rol/iYruQ4xauop0hq6cQ==",
      "cipher" : "AES/CBC/PKCS5Padding",
      "key" : "openidm-sym-default"
    },
    "type" : "x-simple-encryption"
  }
},
- Save the changes you made to the repo.jdbc.json file or the datasource.jdbc-default.json file.
- Start the OpenIDM instance. It will now read the encrypted value from the repo.jdbc.json file or the datasource.jdbc-default.json file and will no longer output clear text in the log file.
Note
If you are running a cluster, you will need to perform the above process on each of the nodes in the cluster.
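The following script is an added example, not part of this article or of OpenIDM: it parses the BEGIN/END ENCRYPTED VALUE block printed by cli.sh encrypt, reports any password property in a repository configuration that is still a clear-text string, and substitutes the $crypto object in its place. The CLI output and the minimal configuration it works on are constructed samples (the iv and data values are the ones shown above); the real datasource.jdbc-default.json carries more properties, which is why the checker walks the whole document rather than assuming a fixed layout.

```python
import json
from typing import Any, List

BEGIN_MARK = "BEGIN ENCRYPTED VALUE"
END_MARK = "END ENCRYPTED VALUE"


def extract_encrypted_value(cli_output: str) -> dict:
    """Return the $crypto object printed by `cli.sh encrypt`.

    The marker lines are matched on their words, not their exact dash
    counts, because the BEGIN and END lines are not padded identically.
    """
    lines = cli_output.splitlines()
    begin = next(i for i, line in enumerate(lines) if BEGIN_MARK in line)
    end = next(i for i, line in enumerate(lines) if END_MARK in line and i > begin)
    value = json.loads("\n".join(lines[begin + 1:end]))
    if value.get("$crypto", {}).get("type") != "x-simple-encryption":
        raise ValueError("unexpected encrypted value format")
    return value


def cleartext_password_paths(node: Any, path: str = "") -> List[str]:
    """List every 'password' property that is still a plain string."""
    found: List[str] = []
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}/{key}"
            if key == "password" and isinstance(val, str):
                found.append(child)
            else:
                found.extend(cleartext_password_paths(val, child))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found.extend(cleartext_password_paths(val, f"{path}/{i}"))
    return found


def encrypt_password_property(config: Any, crypto: dict) -> Any:
    """Return a copy of config with each clear-text password replaced by crypto."""
    if isinstance(config, dict):
        return {k: (crypto if k == "password" and isinstance(v, str)
                    else encrypt_password_property(v, crypto))
                for k, v in config.items()}
    if isinstance(config, list):
        return [encrypt_password_property(v, crypto) for v in config]
    return config


# Constructed sample of the CLI output (same shape as the article's example).
SAMPLE_CLI_OUTPUT = """-----BEGIN ENCRYPTED VALUE-----
{ "$crypto" : { "value" : { "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==", "data" : "7rol/iYruQ4xauop0hq6cQ==", "cipher" : "AES/CBC/PKCS5Padding", "key" : "openidm-sym-default" }, "type" : "x-simple-encryption" } }
------END ENCRYPTED VALUE------
"""
# Constructed, minimal stand-in for datasource.jdbc-default.json.
SAMPLE_CONFIG = {"username": "openidm", "password": "openidm",
                 "jdbcUrl": "jdbc:mysql://localhost:3306/openidm"}
```

Running cleartext_password_paths over the parsed file after the edit is a quick post-change check that no clear-text password property remains before the instance is started again.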
See Also
OpenIDM Integrator's Guide › OpenIDM Command-Line Interface
OpenIDM Integrator's Guide › Using the encrypt Subcommand
Related Training
N/A
Related Issue Tracker IDs
N/A