How to Decrypt an IM Global Users Password.


Article ID: 52709


Updated On:


CA Identity Manager


Once a password is encrypted there is no way to manually decrypt it.  However, with Identity Manager Administrator privileges, the Identity Manager Administrator can setup an XmlToFileExit to capture the Global Users Account Name and Password.


The differences between eTPassword and eTEncryptedPassword:

  • eTPassword will always be set.

  • When a password is set it gets Hashed in eTPassword.

  • Identity Manager does not decrypt the password, it just checks the Hash.

  • You cannot un-hash the Hash password.

  • eTEncryptedPassword may or may not be set, depending on the configuration.

  • eTEncryptedPassword is the encrypted version of the password you set.

    This does get decrypted by Identity Manager internally for internal processes to complete, such as account creations that auto assign Roles, etc. However, this cannot be decrypted manually.



Component: IDMGR 12.x


We do not provide a utility to decrypt the Global User's passwords.
However, you can setup an XmlToFileExit to capture the Global Users Account Name and Password:

  1. Review the sample program exit source for the XmlToFileExit which is delivered with the C++ SDK.

  2. Adjust the output of the exit to only capture account name and password.

  3. Configure the exit as a PRE_ADD_ACCOUNT exit on a UPO endpoint.

  4. Assign all Global Users with a UPO Role/Template.

  5. This will capture the account name and password in the exit output since the Provisioning Server will decrypt the Global User's eTEncryptedPassword value and pass it into the UPO Account Creation for the %P% rule string.