Encrypting IIQ Login Password

Which IIQ version are you inquiring about?

8.4

Hi

When logging in to SailPoint IIQ, the password is sent as plain text; we can observe it in the payload.

This is the post request form data:

Client side password Encryption is not happening.

My requirement is to encrypt the password.
Thanks!!

Hi @Akhila_2001

  1. How to encrypt a password:

From the iiq console you can encrypt the password with the command below.

syntax:

> encrypt <string>

For example, we configure the database password in the iiq.properties file using the above syntax.

  2. What is your application access URL?

Did you configure a secure port in server.xml?

Access URL:

  • Always access your IdentityIQ instance using https://hostname/identityiq/. If you’re using http://, the browser will send the password in plain text.

<!-- Tomcat HTTPS connector in server.xml. The comma-separated protocol list belongs in
     sslEnabledProtocols; sslProtocol takes a single JSSE context name (e.g. "TLS"). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keystoreFile="/path/to/your/keystore.jks" keystorePass="your_keystore_password" />

Hi @pattabhi, I’m using a self-signed certificate on port 8443. During login the password is still showing as plain text in the payload; my requirement is to encrypt the password.

Hi @Akhila_2001

I am able to replicate the scenario, let me research and get back to you.


If you’re using TLS, your payload is encrypted inside of the TLS session. You’re looking at local data. Your computer knows the password because you typed the password. Can you see the password if you capture the network traffic? You shouldn’t be able to unless you have the private key that decrypts the TLS session.

The problem with this is that if HTTPS ever gets downgraded to HTTP through a configuration error or exploit or someone gains access to your private key, they can see all of this traffic in plain text.

The best way to fix this is to implement SSO and remove passwords from the equation entirely.

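The downgrade case in the reply above (HTTPS silently becoming HTTP through a configuration error) is closed on the Tomcat side by refusing to serve IdentityIQ over plain HTTP at all. The fragments below are an added example, not configuration from the original post or from SailPoint's documentation. They assume Tomcat 8.5 or 9 with the HTTPS connector already on 8443, a plain HTTP connector on 8080, and that the web.xml being edited is the application's own (assumed path identityiq/WEB-INF/web.xml); the filter name httpHeaderSecurity is an arbitrary choice.

```xml
<!-- server.xml: keep the plain-HTTP connector only to bounce clients to HTTPS.
     redirectPort is the port Tomcat sends clients to when a CONFIDENTIAL
     transport-guarantee (below) is hit on a non-TLS request. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- web.xml (assumed: identityiq/WEB-INF/web.xml):
     require TLS for every URL. A request that arrives on 8080 is answered with
     a redirect to https://host:8443/... instead of being processed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>IdentityIQ</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- web.xml: Tomcat's bundled HttpHeaderSecurityFilter adds
     Strict-Transport-Security to responses sent over TLS. A browser that has
     seen the header once rewrites later http:// requests to https:// itself,
     so the login POST is never put on the wire in the clear. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Two caveats. The security constraint only redirects; a login form that was submitted to http://host:8080/ has already sent its body in the clear before the 302 arrives, which is why the HSTS header matters and why the cleanest option is to delete the 8080 connector if nothing else depends on it. And do not enable HSTS while the 8443 connector still carries the self-signed certificate from the thread: once a browser has stored the header it refuses connections with an untrusted certificate outright, with no click-through, so install a certificate the clients trust first. None of this changes what the browser's own developer tools display; they show the form data before it enters the TLS session.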
