Password shows as –suppressed– when writing a trace message in IDM 4.6

While upgrading a client to NetIQ IDM 4.6, I ran across some debug code that I had written to display a trace message with a user’s password that was no longer working as intended.  When trying to track down password sync issues, this type of policy can be extremely useful.  The problem is that in NetIQ IDM 4.6 they had implemented a change that stopped this, in to meet a compliance requirement, at least that is what back-line support said.

Here are some example traces the illustrate what shows now up in trace.

[04/11/17 09:07:59.690]:Null ST:    Evaluating selection criteria for rule 'Print User Password'.
[04/11/17 09:07:59.690]:Null ST:      (if-class-name equal "User") = TRUE.
[04/11/17 09:07:59.691]:Null ST:    Rule selected.
[04/11/17 09:07:59.691]:Null ST:    Applying rule 'Print User Password'.
[04/11/17 09:07:59.692]:Null ST:      Action: do-set-local-variable("var_pwdtest1",scope="policy",token-op-attr("nspmDistributionPassword")).
[04/11/17 09:07:59.693]:Null ST:        arg-string(token-op-attr("nspmDistributionPassword"))
[04/11/17 09:07:59.693]:Null ST:          token-op-attr("nspmDistributionPassword")
[04/11/17 09:07:59.694]:Null ST:            Token Value: "-- suppressed --".
[04/11/17 09:07:59.694]:Null ST:          Arg Value: "-- suppressed --".
[04/11/17 09:07:59.695]:Null ST:      Action: do-set-local-variable("var_pwdtest2",scope="policy",token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]")).
[04/11/17 09:07:59.695]:Null ST:        arg-string(token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]"))
[04/11/17 09:07:59.696]:Null ST:          token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]")
[04/11/17 09:07:59.697]:Null ST:            Token Value: "-- suppressed --".
[04/11/17 09:07:59.698]:Null ST:          Arg Value: "-- suppressed --".
[04/11/17 09:07:59.698]:Null ST:      Action: do-set-local-variable("var_pwdtest3",scope="policy",arg-node-set(token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]"))).
[04/11/17 09:07:59.699]:Null ST:        arg-node-set(token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]"))
[04/11/17 09:07:59.700]:Null ST:          token-xpath("descendant::*[ @attr-name='nspmDistributionPassword' ]")
[04/11/17 09:07:59.701]:Null ST:          Token Value: {<modify-attr> @attr-name = "nspmDistributionPassword" @is-sensitive = "true"}.
[04/11/17 09:07:59.702]:Null ST:          Arg Value: {<modify-attr> @attr-name = "nspmDistributionPassword" @is-sensitive = "true"}.
[04/11/17 09:07:59.702]:Null ST:      Action: do-trace-message(level="0",token-local-variable("var_pwdtest1")).
[04/11/17 09:07:59.703]:Null ST:        arg-string(token-local-variable("var_pwdtest1"))
[04/11/17 09:07:59.704]:Null ST:          token-local-variable("var_pwdtest1")
[04/11/17 09:07:59.704]:Null ST:            Token Value: "-- suppressed --".
[04/11/17 09:07:59.705]:Null ST:          Arg Value: "-- suppressed --".
[04/11/17 09:07:59.706]:Null ST:-- content suppressed --
[04/11/17 09:07:59.706]:Null ST:      Action: do-trace-message(level="0",token-local-variable("var_pwdtest2")).
[04/11/17 09:07:59.707]:Null ST:        arg-string(token-local-variable("var_pwdtest2"))
[04/11/17 09:07:59.708]:Null ST:          token-local-variable("var_pwdtest2")
[04/11/17 09:07:59.709]:Null ST:            Token Value: "-- suppressed --".
[04/11/17 09:07:59.709]:Null ST:          Arg Value: "-- suppressed --".
[04/11/17 09:07:59.710]:Null ST:-- content suppressed --
[04/11/17 09:07:59.710]:Null ST:      Action: do-trace-message(level="0",token-xml-serialize(token-local-variable("var_pwdtest3"))).
[04/11/17 09:07:59.711]:Null ST:        arg-string(token-xml-serialize(token-local-variable("var_pwdtest3")))
[04/11/17 09:07:59.712]:Null ST:          token-xml-serialize(token-local-variable("var_pwdtest3"))
[04/11/17 09:07:59.713]:Null ST:            token-xml-serialize(token-local-variable("var_pwdtest3"))
[04/11/17 09:07:59.713]:Null ST:              token-local-variable("var_pwdtest3")
[04/11/17 09:07:59.714]:Null ST:              Token Value: {<modify-attr> @attr-name = "nspmDistributionPassword" @is-sensitive = "true"}.
[04/11/17 09:07:59.715]:Null ST:              Arg Value: {<modify-attr> @attr-name = "nspmDistributionPassword" @is-sensitive = "true"}.
[04/11/17 09:07:59.716]:Null ST:            Token Value: "<modify-attr attr-name="nspmDistributionPassword" is-sensitive="true">
                <value type="string">Novell1</value>
[04/11/17 09:07:59.717]:Null ST:          Arg Value: "<modify-attr attr-name="nspmDistributionPassword" is-sensitive="true">
                <value type="string">Novell1</value>
[04/11/17 09:07:59.718]:Null ST:<modify-attr attr-name="nspmDistributionPassword" is-sensitive="true">
                <value type="string">Novell1</value>

There are a few different ways I found to solve this problem.  The first involves using the XML Serialize verb in argument builder.  This action could be utilized for a job or sync event, as nspmDistributionPassword will not be in the document.   I have provided some sample code below.

<do-trace-message level="4">
		<token-text xml:space="preserve">The password for </token-text>
		<token-text xml:space="preserve"> is: </token-text>
			<token-src-attr name="nspmDistributionPassword"/>

The second would use XPath to read nspmDistributionPassword from the local document

<description>Pull password when it's in the document</description>
			<if-class-name mode="nocase" op="equal">User</if-class-name>
			<if-op-attr name="nspmDistributionPassword" op="available"/>
	<do-trace-message level="4">
			<token-text xml:space="preserve">The password for</token-text>
			<token-text xml:space="preserve"> is: </token-text>
				<token-xpath expression="descendant::*[ @attr-name='nspmDistributionPassword' ]"/>

The last involves writing the password value in clear text to any Case Ignore String attribute.  I strongly recommend that is you choose to use this method that you clear the value as quickly as possible.  For this example I chose to use the businessCategory attribute.

<do-add-src-attr-value name="businessCategory">
	<arg-value type="string">
		<token-src-attr name="nspmDistributionPassword"/>


Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.

Leave a Reply

Your email address will not be published. Required fields are marked *