
Repository password is not encrypted in OpenIDM 4.x log and configuration files

Last updated Oct 11, 2021

The purpose of this article is to provide information on encrypting the repository password in OpenIDM. The repository password is shown in clear text in the OpenIDM log and the configuration files (repo.jdbc.json or datasource.jdbc-default.json).


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The repository password is shown in clear text in the OpenIDM log file and in the repository configuration file (repo.jdbc.json or datasource.jdbc-default.json).

Caution

There is a known security issue, which is detailed as issue #201602-01: Unencrypted Repo JDBC Password: OpenIDM Security Advisory #201602

Recent Changes

Upgraded to OpenIDM 4.x.

Causes

Passwords specified in the repo.jdbc.json file or the datasource.jdbc-default.json file are no longer automatically encrypted during the initial startup of OpenIDM. 

Solution

This issue can be resolved by upgrading to IDM 5 or later; you can download this from BackStage.

Workaround

Alternatively, you can encrypt the repository password using the OpenIDM Command-Line Interface (CLI). This is accessed using the cli.sh command (Linux® and Unix®) or the cli.bat command (Microsoft® Windows®). The following process uses the cli.sh command; substitute cli.bat instead if you use Microsoft Windows.

To encrypt the repository password:

  1. Ensure you have performed an initial start of the OpenIDM instance with the correct JDBC password specified in the repo.jdbc.json file or the datasource.jdbc-default.json file and that the instance started and functions correctly.
  2. Shut down the OpenIDM instance.
  3. Execute the ./cli.sh encrypt command within the root of the OpenIDM installation:

       $ cd /path/to/openidm
       $ ./cli.sh encrypt [JDBCpassword]

  4. Copy the encrypted value from the output of the CLI. This includes everything between the -----BEGIN ENCRYPTED VALUE----- and ------END ENCRYPTED VALUE------ lines. For example:

       -----BEGIN ENCRYPTED VALUE-----
       {
         "$crypto" : {
           "value" : {
             "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
             "data" : "7rol/iYruQ4xauop0hq6cQ==",
             "cipher" : "AES/CBC/PKCS5Padding",
             "key" : "openidm-sym-default"
           },
           "type" : "x-simple-encryption"
         }
       }
       ------END ENCRYPTED VALUE------

  5. Edit the repo.jdbc.json file or the datasource.jdbc-default.json file and replace the value for the password property with the encrypted value you copied in step 4. For example, the password property would now look like this:

       "password" : {
         "$crypto" : {
           "value" : {
             "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
             "data" : "7rol/iYruQ4xauop0hq6cQ==",
             "cipher" : "AES/CBC/PKCS5Padding",
             "key" : "openidm-sym-default"
           },
           "type" : "x-simple-encryption"
         }
       },

  6. Save the changes you made to the repo.jdbc.json file or the datasource.jdbc-default.json file.
  7. Start the OpenIDM instance. It will now read the encrypted value from the repo.jdbc.json file or the datasource.jdbc-default.json file and will no longer output clear text in the log file.
Note

If you are running a cluster, you will need to perform the above process on each of the nodes in the cluster.
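The checks behind steps 3 to 5, as an added Python example that is not part of this article or of OpenIDM itself: it pulls the object printed between the BEGIN/END marker lines out of cli.sh encrypt output, scans a repository configuration file for password properties that are still clear-text strings, and writes the encrypted object back into the chosen property. The CLI output and the configuration fragment are constructed from the sample values shown above; the nesting of the password property under a "connection" object is an assumption, which is why the scanner walks the whole document instead of one fixed path. It is useful on every node of a cluster to confirm that no clear-text password remains after the procedure.

```python
import copy
import json

# Marker text that "cli.sh encrypt" prints around the value (from the article's sample output).
BEGIN_MARKER = "BEGIN ENCRYPTED VALUE"
END_MARKER = "END ENCRYPTED VALUE"

# Constructed sample of "./cli.sh encrypt" output, using the article's example values.
SAMPLE_CLI_OUTPUT = """Executing ./cli.sh...
-----BEGIN ENCRYPTED VALUE-----
{
  "$crypto" : {
    "value" : {
      "iv" : "5UWV+SLe/Z9gg/7lZRO+Ng==",
      "data" : "7rol/iYruQ4xauop0hq6cQ==",
      "cipher" : "AES/CBC/PKCS5Padding",
      "key" : "openidm-sym-default"
    },
    "type" : "x-simple-encryption"
  }
}
------END ENCRYPTED VALUE------
"""

# Constructed repository configuration fragment with a clear-text password.
# The "connection" nesting is an assumption; the scanner below does not rely on it.
SAMPLE_CONFIG = {
    "connection": {
        "jdbcUrl": "jdbc:mysql://localhost:3306/openidm",
        "username": "openidm",
        "password": "example-cleartext-password",
    }
}


def extract_encrypted_value(cli_output):
    """Return the JSON object printed between the BEGIN/END marker lines of the CLI output."""
    body, inside = [], False
    for line in cli_output.splitlines():
        if BEGIN_MARKER in line:
            inside = True
        elif END_MARKER in line:
            break
        elif inside:
            body.append(line)
    if not body:
        raise ValueError("no encrypted value block found in CLI output")
    value = json.loads("\n".join(body))
    if "$crypto" not in value:
        raise ValueError("block does not contain a $crypto object")
    return value


def password_state(value):
    """Classify one password value as 'cleartext', 'encrypted' or 'unknown'."""
    if isinstance(value, str):
        return "cleartext"
    if isinstance(value, dict):
        crypto = value.get("$crypto", {})
        if crypto.get("type") == "x-simple-encryption" and "value" in crypto:
            return "encrypted"
    return "unknown"


def find_password_fields(node, path=""):
    """Walk the whole document and return (path, state) for every key named 'password'."""
    found = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}/{key}"
            if key == "password":
                found.append((child_path, password_state(child)))
            else:
                found.extend(find_password_fields(child, child_path))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found.extend(find_password_fields(child, f"{path}/{i}"))
    return found


def set_at_path(config, path, value):
    """Return a deep copy of config with the property at path (e.g. /connection/password) replaced."""
    new_config = copy.deepcopy(config)
    parts = [p for p in path.split("/") if p]
    node = new_config
    for part in parts[:-1]:
        node = node[part]
    node[parts[-1]] = value
    return new_config


if __name__ == "__main__":
    print("before:", find_password_fields(SAMPLE_CONFIG))
    encrypted = extract_encrypted_value(SAMPLE_CLI_OUTPUT)
    fixed = set_at_path(SAMPLE_CONFIG, "/connection/password", encrypted)
    print("after: ", find_password_fields(fixed))
    print(json.dumps(fixed, indent=2))
```

Run the scanner against the real file with json.load before and after the procedure: any entry reported as "cleartext" is a password that will still appear in the log at the next startup.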

See Also

OpenIDM Integrator's Guide › OpenIDM Command-Line Interface

OpenIDM Integrator's Guide › Using the encrypt Subcommand

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.