Where is the documentation to describe how IIQ can find encrypted passwords? It does not make sense how String password = "2:ACP: [insert encrypted bytes]" gets picked up by IIQ to decrypt it before passing it on.
I don't think there is any documentation on encryption/decryption, but you can refer to the documentation of the keystore.
Generally, in IIQ there are 2 levels of security for pwds. Every pwd saved in IIQ that starts with “1:” is encrypted, but you can decrypt it in every instance of IIQ.
If you set up the keystore, you can encrypt each pwd with another key, and you can decrypt it only if the keystore files with which you encrypted the pwd are present. Usually those pwds start with “2:” (or 3 or 4, depending on the configuration of the keystore, because you set more than one key).
In every case, the calls to encrypt/decrypt pwds are these:
context.encrypt("clearpwd"); → returns the encrypted pwd
context.decrypt("2:XXXXXXXXXXXXXXXXXX"); → returns the decrypted pwd
So, a question: if that code above works, does this mean that my password is technically plaintext?
Meaning the encrypted value has been used as the actual password on the database.
For example, if I encrypt the word “cat” I get something like “2:475980237409807” and use that literal value as my password, then if that literal value works when I try to connect to the database, my password in my code is really a plaintext one.
I’m trying to find out if IIQ decrypts that literal string value in the background, or if the encrypt() functionality has been wildly misused.
IIQ encrypts every field marked as a password on connectors, on forms, on identities.
In every part of your code, you can decrypt and encrypt every value, even passwords.
In your case, you must decrypt the pwd to use DriverManager.getConnection(), because this function wants a clear pwd.
Also, if this connection relates to a connector, you can read the data directly from the application and you don't need to put any clear data in your rule, not even the username and IP.
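A review check for the situation discussed in this thread, added here as an example and not written by any of the posters or by SailPoint: it scans rule source for hard-coded encrypted literals and reports the ones that reach DriverManager.getConnection() without context.decrypt(), plus the ones under key “1:”. The `<key id>:ACP:<bytes>` literal shape is assumed from the question, and the two sample rules are constructed.

```python
import re

# Assumed literal shape, taken from the question: "<key id>:ACP:<encrypted bytes>"
ASSIGN = re.compile(r'(\w+)\s*=\s*"(\d+):ACP:[^"]*"')


def audit_rule(source):
    """Return (line, variable, key_id, issue) tuples for one rule's source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for var, key in ASSIGN.findall(line):
            key_id = int(key)
            name = re.escape(var)
            # Is this variable ever handed to context.decrypt()?
            decrypted = re.search(r'context\.decrypt\(\s*' + name + r'\s*\)', source)
            # Does this variable appear inside a getConnection(...) call?
            raw_use = re.search(r'getConnection\([^)]*\b' + name + r'\b[^)]*\)', source)
            if raw_use and not decrypted:
                # Either the call fails, or the ciphertext string itself
                # is the real database password (the case asked about).
                findings.append((lineno, var, key_id, "ciphertext-passed-to-jdbc"))
            if key_id == 1:
                # Per the thread, "1:" values decrypt on every IIQ instance.
                findings.append((lineno, var, key_id, "default-key"))
    return findings


# Constructed sample: the literal goes straight into the JDBC call.
BAD_RULE = '''String user = "svc_iiq";
String password = "2:ACP:CONSTRUCTED-CIPHERTEXT";
Connection c = DriverManager.getConnection(url, user, password);
'''

# Constructed sample: decrypted first, but stored under key 1.
GOOD_RULE = '''String password = "1:ACP:CONSTRUCTED-CIPHERTEXT";
String clear = context.decrypt(password);
Connection c = DriverManager.getConnection(url, user, clear);
'''

if __name__ == "__main__":
    for label, src in (("BAD_RULE", BAD_RULE), ("GOOD_RULE", GOOD_RULE)):
        for finding in audit_rule(src):
            print(label, finding)
```

The matching is textual and per rule, so a hit is a prompt to read the rule, not proof of a plaintext password.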