AES encrypt and decrypt in NetIQ Identity Manager policies



By: kuronen

December 11, 2013 11:16 am

Reads: 770

Comments:1

Rating:5.0

How to implement AES encrypt and decrypt to NetIQ Identity Manager policies using standard ecmascript tools

AES stands for Advanced Encryption Standard and is used as an encryption method in high security environments such as governmental data archives. It is a symmetric cryptographic algorithm meaning it can do crypting and decrypting making is quite useful in identity management scenarios where sensitive data can travel across network.

This example shows how to do 128-bit key AES encryption and decryption using NetIQ Identity Manager ecmascript tool utilizing standard java classes available in your IDM environment. Example has been tested in NetIQ Identity Manager 4.0.2.

Please note that today AES with 128-bit key is considered to be safe to use in securing your data but transfers across insecure networks should also include encryption on a connection level.

Also note that standard java libraries will give you maximum of 128-bit keys but you can upgrade to 256-bits by installing Java Cryptography Extensions.

Following is the implementation.

Common functions

First we add the common functions needed both in encrypting and decrypting. Do the following:

  • In your Designer create a new ecmascript object in your driver set library
  • Insert following common functions to the ecmascript editor for the newly created object (see explanation below):
function generateKey(keyValue, ALGO) {
   var key = new Packages.javax.crypto.spec.SecretKeySpec(keyValue, ALGO);
   return key;
   }

function makeBytes(keyValue) {
   var bytes = [];
   for (var i = 0; i < keyValue.length; ++i) {
      bytes.push(keyValue.charCodeAt(i));
   }
   return(bytes);
   }

Explanations for the functions:

  • Function generateKey will create a valid key object from the array of bytes and algorithm it is given. This would be AES for us now.
  • Function makeBytes creates a byte array for the encryption process from the key string we use.

Encrypt

Now we are using the functions provided above and we can insert following code to the Ecmascript editor:

function encrypt(Data, keyValue) {
   var keyValue = makeBytes(keyValue);
   var ALGO = "AES";
   var key = generateKey(keyValue,ALGO);
   var c = new Packages.javax.crypto.Cipher.getInstance(ALGO);
   c.init(Packages.javax.crypto.Cipher.ENCRYPT_MODE, key);
   var encVal = c.doFinal(makeBytes(Data));
   var encryptedValue = new Packages.sun.misc.BASE64Encoder().encode(encVal);
   return encryptedValue;
   }

Explanations for the operations above:

  • Form a key array of bytes from the given key string
  • Define the algorithm
  • Generate a key based on byte array and algorithm
  • Initialize the engine encrypt mode
  • Encode the result with Base64 and return the value

Decrypt

Again using the common functions we are ready to insert the decrypt code to the Ecmascript editor:

function decrypt(encryptedData, keyValue) {
   var keyValue = makeBytes(keyValue);
   var ALGO = "AES";
   var key = generateKey(keyValue,ALGO);
   var c = new Packages.javax.crypto.Cipher.getInstance(ALGO);
   c.init(Packages.javax.crypto.Cipher.DECRYPT_MODE, key);
   var decodedValue = new 	Packages.sun.misc.BASE64Decoder().decodeBuffer(encryptedData);
   var decValue = c.doFinal(decodedValue);
   var decryptedValue = new java.lang.String(decValue);
   return decryptedValue;
   }

Explanations for the operations above:

  • Form a key array of bytes from the given key string
  • Define the algorithm
  • Generate a key based on byte array and algorithm
  • Initialize the engine with decrypt mode
  • Decode the encrypted string data
  • Use java String to do a very simple conversion from byte array to string
  • Return the decrypted value

Usage

Now all we need is to deploy and start using our brand new bulletproof crypting! Do the following:

  • Deploy the ecmascript library
  • Store your key in Named password of your driver set or driver. There might be better ways to hide it but this is by far the simplest and does not expose it to the naked eye.
  • Remember to secure the key on the other end aswell. Do not leave it as a string in the middle of script code
  • Create / modify an rule to use the functions above. Use xpath expressions encrypt(string,key) to retrieve encrypted value and decrypt(string,key) to retrieve the cleartext value
  • Use hidden / encrypted / temporary attributes to increase security
  • Disable tracing for relevant actions

Example use in policy:

<do-set-local-variable notrace="true" name="encrypted_string">
   <arg-string>
      <token-xpath expression="myNameSpace:retrieveMyEncryptedString()"/>
   </arg-string>
</do-set-local-variable>
<do-set-local-variable name="mykey" notrace="true" scope="policy">
   <arg-string>
      <token-named-password name="mySecretKey"/>
   </arg-string>
</do-set-local-variable>
<do-set-src-password class-name="User" notrace="true">
   <arg-string>
   <token-xpath expression="es:decrypt($encrypted_string, $mykey)"/>
   </arg-string>
</do-set-src-password>

That’s it! I hope you find this article useful and wouldn’t mind if you drop me a note about your thoughts on this.

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)
AES encrypt and decrypt in NetIQ Identity Manager policies, 5.0 out of 5 based on 1 rating

Tags: , , ,
Categories: Identity Manager, IDM Designer, iManager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By:geoffc

    In your example, you do not explain this function:
    “myNameSpace:retrieveMyEncryptedString()

    I assume you mean, get your encrypted string, with whatever function you use to get the string.

Comment