Handling Encryption Keys in SSB Integration

Hello Experts, I hope you’re all doing well.

We recently integrated SSB for one of our customers and have successfully managed to push Rules, Workflows, and Reports from one environment to another without issues. However, we’ve encountered a challenge with Applications due to differing encryption keys.

Note: We have implemented Site-Specific Encryption for enhanced security.

Could you please advise if there’s a way to pass decrypted passwords into the target environment so that they can be re-encrypted? Alternatively, if you have any other potential solutions, I would greatly appreciate your suggestions.

Thank you in advance!

@LohithHarish

Ideally these should be tokenized, and you should have a separate target.properties file specific to each environment; this would help you.

1 Like

Hi @LohithHarish,

With SSB you can use the target files. In this file you can set the tokens. Usually the tokens are everything that could change in an application between environments: user, pwd, connection string, query, configuration etc.

You can use it to deploy pwds encrypted or not. Better if you store the encrypted password in it, for security first.

If you have activated the keystore, you need to set it in iiq.properties, like this:

# file location of the CIB keystore
# (override of the default $SPHOME/WEB-INF/classes/iiq.dat )
#
#keyStore.file=/example/path/filename
keyStore.file  = /var/lib/CloudGateway/iiq.dat

# encrypted master password
#
#keyStore.password=1:p+qvPBo4==
keyStore.passwordFile = /var/lib/CloudGateway/iiq.cfg

1 Like
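The two replies above both recommend tokenising the environment-specific values of an Application and keeping one target properties file per environment, so that each environment stores a password encrypted with its own keystore and nothing ever has to be decrypted with a foreign key. The following is an added illustration of that build-time step, not SSB's own code: it assumes the `%%TOKEN%%` placeholder convention and a `<env>.target.properties` file per environment, and the Application XML, property values and ciphertext strings are constructed placeholders.

```python
"""Environment-specific token substitution, in the style of an SSB build step.

Added example, not SailPoint's SSB code. Assumes the %%TOKEN%% placeholder
convention and one <env>.target.properties file per environment; the XML and
property values below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

TOKEN_RE = re.compile(r"%%([A-Za-z0-9_.-]+)%%")

# Constructed sample: an Application object whose environment-specific
# attributes are tokens rather than literal values.
APPLICATION_XML = """<Application name="HR-DB" type="JDBC">
  <Attributes>
    <Map>
      <entry key="url" value="%%HR_DB_URL%%"/>
      <entry key="user" value="%%HR_DB_USER%%"/>
      <entry key="password" value="%%HR_DB_PASSWORD%%"/>
    </Map>
  </Attributes>
</Application>
"""

# Constructed sample target properties, one per environment. The password
# value is the ciphertext produced by *that* environment's own keystore
# (format mirrors the "1:..." shape seen in the thread, content is a placeholder),
# so no cross-environment decryption is ever required at build time.
TARGET_PROPERTIES = {
    "sandbox": """# sandbox.target.properties (constructed)
HR_DB_URL=jdbc:oracle:thin:@sandbox-db.example.internal:1521/HR
HR_DB_USER=iiq_sandbox
HR_DB_PASSWORD=1:sandboxCiphertextPlaceholder==
""",
    "prod": """# prod.target.properties (constructed)
HR_DB_URL=jdbc:oracle:thin:@prod-db.example.internal:1521/HR
HR_DB_USER=iiq_prod
HR_DB_PASSWORD=1:prodCiphertextPlaceholder==
""",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a minimal Java-style .properties file: key=value lines, # comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def substitute_tokens(xml: str, props: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every %%TOKEN%% with its property value.

    Returns the rendered text and the list of tokens that had no value, so a
    build can fail loudly instead of importing an object with "%%...%%" left in it.
    """
    missing: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in props:
            missing.append(name)
            return match.group(0)  # leave the token in place for the error report
        return props[name]

    return TOKEN_RE.sub(repl, xml), missing


def render_for_environment(xml: str, env: str) -> str:
    """Pick the environment's properties and refuse to render if any token is unresolved."""
    props = parse_properties(TARGET_PROPERTIES[env])
    rendered, missing = substitute_tokens(xml, props)
    if missing:
        raise ValueError(f"unresolved tokens for {env}: {sorted(set(missing))}")
    return rendered


if __name__ == "__main__":
    print(render_for_environment(APPLICATION_XML, "sandbox"))
```

The unresolved-token check is the part worth keeping in a real pipeline: a deployment that silently imports `%%HR_DB_PASSWORD%%` as a literal is harder to diagnose than one that fails at build time, and because each properties file only ever holds ciphertext from its own keystore, the target environment never needs the source environment's iiq.dat or iiq.cfg.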

Thanks for the swift response @enistri. I’ll give it a try.

1 Like

Thanks for the swift response @iamksatish. I’ll give it a try.

1 Like

Hi @iamksatish and @enistri_devo,
I appreciate you both so much; I was able to pass the passwords by using tokenisation.
I’m attempting to deploy an object along with the envname.iiq.cfg and envname.iiq.dat files in the ssb subdirectory so that the encrypted password in the object gets decrypted using the above files. But I’ve been seeing the following issue when I run the ./build.sh import-custom-delta script. Would you kindly assist me with this? I’ve tried adding the (iiq.cfg, iiq.dat) file paths in iiq.properties as well, but it didn’t work.


@LohithHarish
Are you sure the file path mentioned in the properties file exists with that exact name? It looks like it doesn’t. Can you please recheck, or provide the properties file to check?

1 Like

Hello @iamksatish,
Below is the screenshot of the sandbox.iiq.properties file.

I tried copying the iiq.cfg and iiq.dat files to an external location and referencing them through the iiq.properties file, and also including those files directly in the ssb folder, but it didn’t work.

Hi @LohithHarish,

Can you please check if your target environment variable is being set properly, to ensure the correct property file is being used?

Thanks

1 Like

Target variables were set accurately @ashutosh08

Hello @iamksatish, @enistri_devo, @ashutosh08

The issue has been resolved after setting buildSubset to true in the build.properties file. But a new issue has shown up. If I set keyStoreFile and keyStorePassword to the iiq.cfg and iiq.dat files of the current environment, it works seamlessly, but if I use the external environment’s iiq.cfg/iiq.dat files, the build fails with:

2024-08-06T15:08:43,983 ERROR main sailpoint.api.EncodingUtil:185 Error in isMatch:
[java] sailpoint.tools.GeneralException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

@LohithHarish

This is expected if your encryption mechanism is different across the environments.

1 Like

Yeah, got it @iamksatish

Hello everyone,

I’m wondering if there’s a way to automatically decrypt passwords encrypted with source encryption keys at the time of build, and then re-encrypt them using the target’s encryption keys. For example, when exporting an application, it needs to decrypt the passwords to plain text and then re-encrypt them with the target’s encryption keys.

Hi @LohithHarish,

The guide says that:

So, theoretically you can’t do what you want. But with SSB you can manage this, with some limitations.

Here you can find the guide:
https://community.sailpoint.com/t5/Professional-Services/Services-Standard-Build-SSB-v7-0-2/ta-p/190496?attachment-id=12921
On page 45 you can find the procedure for managing the encryption for multiple environments.
The limitations are that SSB works only if the keystore files are in the default path, and you need to store them in your project.

Take a look at the doc; maybe it can resolve your requirement.

1 Like
