Encrypted variable value automatically decrypted to cleartext in debug page

Which IIQ version are you inquiring about?

8.4p3

Share all details about your problem, including any error messages you may have received.

I have a web service connector where I am trying to define a variable to store an API secret, namely “x_api_key_secret”.

And I have added this variable into the “encrypted” list as well.

Weirdly, every time I save the application definition in the debug page with the encrypted value, which looks something like this: “2:ACP:abcdeft*…..”

it shows me the clear text (decrypted value) when I reopen the definition. Does anyone have any clue? I don’t see this issue in my other environment.

Hi @jolan ,

Could you elaborate where exactly you are storing this value? Is it a schema attribute or an OOTB password field?

For password fields, can you try entering plaintext value and save it.

Then, IIQ should show decrypted value in debug page.

It should show the encrypted value.

Here is what I did:

In application definition (in debug page)

Defined this variable.

<entry key="X-Api-Key-Secret_CA" value="2:ACP:LsYvazQEuNPe……………………………..aFjw4t7WY9Pvtrdn4qh1eNKLkYYr01z+nxuYvg=="/>

And added it into the encrypted list.

<entry key="encrypted" value="accesstoken,refresh_token,oauth_token_info,client_secret,private_key,private_key_password,clientCertificate,clientKeySpec,resourceOwnerPassword,custom_auth_token_info,X-Api-Key-Secret_CA"/>

Upon saving, it decrypts into clear text again.

I did the same steps, saving in clear text; it does not encrypt the value.

In your xml, can you please update below

Instead of:

please update it to clear text:

<entry key="X-Api-Key-Secret_CA" value="MyRealSecret"/>

and ensure the encrypted list includes this key, like below

<entry key="encrypted" value="accesstoken,...,X-Api-Key-Secret_CA"/>

After saving the application, export the XML and verify the stored value.
You should then see the value encrypted (starting with 2:ACP:).

@jolan Adding keys in below format should encrypt the value as soon as you save:

If, as you mentioned, it is not encrypting even after doing this, something is wrong with your configuration or IIQ is not able to encrypt it properly. Could you please share your app XML to validate your attributes, and also please check if there are any error logs being captured.


Indeed there is an error thrown.

2026-02-25 10:02:36,236 ERROR https-openssl-nio-443-exec-9 sailpoint.server.InternalContext:768 - org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Application.activityDataSources, could not initialize proxy - no Session
org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Application.activityDataSources, could not initialize proxy - no Session

Not sure what the exact issue behind it is; I have created a support case for this.

Are you using any customization rule or any other rule in our application?

@jolan , did you try this one??

Hi, did you manage to fix this?

Ohhh I might have seen this before. This could mean your correlation model is corrupt. If this is the case restarting IIQ should help as it will rebuild the correlation model.

Does this go away after restart?

I reported this to SailPoint a long time ago but I think this was not yet fixed.


@jolan I have tested this and have not noticed the issue. I did it for an Identity-level object. Is this occurring consistently, or was it a one-time issue? In some cases, encryption may not be applied immediately because of caching issues. Restarting the IIQ application server can help resolve this.

Hi all,

At this point, I have not yet identified the root cause. However, the issue is occurring consistently across all applications/connectors that use the Cloud Gateway.

I did find a workaround:

  1. Save your changes on the Debug page. At this stage, the value may still appear in cleartext.
  2. Navigate to the Application Definition page and click Save without making any changes.
  3. Return to the Debug page. You should then see that the variable is stored in encrypted form.

For now, whenever changes are made directly in Debug, please ensure the above steps are followed so that the value is properly encrypted.

I will update this thread again once Support has identified the root cause. Troubleshooting is still ongoing.

@jolan Could it be related to Cloud Gateway? Have you checked it?
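
The verification step described in this thread (export the application XML and confirm that every key named in the "encrypted" list holds a value starting with 2:ACP:), as an added example that is not part of any post and not SailPoint code. The sample XML is constructed, the function names and the example_base_url key are hypothetical, and the check assumes values sit in the value attribute of entry elements and that encrypted values carry the prefix quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Assumption taken from the thread: encrypted values start with this prefix.
ENCRYPTED_PREFIX = "2:ACP:"

# Constructed sample of an exported application definition (not real data).
SAMPLE_XML = """<Application name="Example Web Service App">
  <Attributes>
    <Map>
      <entry key="encrypted" value="client_secret,private_key,X-Api-Key-Secret_CA"/>
      <entry key="client_secret" value="2:ACP:CONSTRUCTEDciphertext=="/>
      <entry key="X-Api-Key-Secret_CA" value="MyRealSecret"/>
      <entry key="example_base_url" value="https://api.example.invalid"/>
    </Map>
  </Attributes>
</Application>"""


def audit_encrypted_entries(xml_text, prefix=ENCRYPTED_PREFIX):
    """Return {key: status} for every key named in the 'encrypted' entry.

    status is 'encrypted', 'cleartext', or 'absent' (listed but missing/empty).
    """
    root = ET.fromstring(xml_text)
    # Collect key -> value for every <entry> that uses a value attribute.
    entries = {e.get("key"): e.get("value")
               for e in root.iter("entry") if e.get("key") is not None}
    listed = [k.strip() for k in (entries.get("encrypted") or "").split(",")
              if k.strip()]
    report = {}
    for key in listed:
        value = entries.get(key)
        if not value:
            report[key] = "absent"
        elif value.startswith(prefix):
            report[key] = "encrypted"
        else:
            report[key] = "cleartext"
    return report


def cleartext_keys(xml_text, prefix=ENCRYPTED_PREFIX):
    """Keys that are in the encrypted list but stored without the prefix."""
    report = audit_encrypted_entries(xml_text, prefix)
    return sorted(k for k, status in report.items() if status == "cleartext")


if __name__ == "__main__":
    # Report key names and status only; the secret value is never printed.
    for key, status in audit_encrypted_entries(SAMPLE_XML).items():
        print(f"{key}: {status}")
```

Running it against each export after a Debug-page save shows whether the workaround steps above still need to be applied.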