The Problem
I recently encountered an issue with SMS OTP delivery failing in Entrust Identity Guard. Users were not receiving SMS authentication codes and the system logs showed delivery failures to the SMS gateway. This was particularly puzzling because I had a working configuration on another server that was functioning perfectly.
The Investigation
When comparing the two servers, I noticed a key difference in the SMS gateway configuration:
- Working server: SMS gateway password was encrypted
- Failing server: SMS gateway password was stored in plain text
Both servers were using the same SMS provider and had identical network connectivity, so the issue had to be in the configuration itself. This was the error in the audit log:
[2025-08-25 11:38:21,142] [IG Audit Writer] [ERROR] [IG.AUDIT] [AUD3010] [OTP/bear.user] One time password delivery failed for user OTP/bear.user. Contact info label: Mobile Phone, Contact info value: <mobile_number>, Delivery configuration label: SMS.OTP
The Solution
The fix was straightforward but not immediately obvious from the error messages. In the Entrust IdentityGuard configuration editor, when setting up SMS gateway credentials:
- Start the Properties Editor from Entrust.
- Log in to the Properties Editor with an administrative account.
- Navigate to the out-of-band SMS delivery configuration; this is Option 26.
- Select the appropriate profile for SMS sending (obtained from User details).
- Look for the Password option for the SMS gateway and notice that "Encrypt" is not selected.
- Select the "Encrypt" checkbox next to the password field. You do not need to re-enter the password.
- Save the configuration with the Validate and Save button at the end of the SMS delivery section.
[2025-08-25 12:10:57,758] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7003] [OTP/entrust.admin] Property identityguard.oobdelivery.smsgateway.smsotp.password changed from being unencrypted to encrypted.
When you save the form with the encrypt option enabled, the system automatically encrypts the password before storing it. This encrypted password is then used for all communications with the SMS gateway.
After this change was applied to the server and the services were restarted, the audit log entry changed to this:
[2025-08-25 12:14:45,714] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD3008] [OTP/bear.user] One time password delivered to user OTP/bear.user. Contact info label: Mobile Phone, Contact info value: <mobile_number>, Delivery configuration label: SMS.OTP
Why does this happen?
If the encrypt checkbox is not selected, the password remains in plain text and the SMS gateway authentication fails. The system correctly refuses to send unencrypted credentials to external SMS providers, which is actually good security design.
The error logs will show SMS delivery failures, but they don't clearly indicate that the root cause is the unencrypted password storage. This security-first approach protects against credential exposure in logs, configuration backups, or network traffic.
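Because the AUD3010 entry does not name the cause, it helps to read delivery results next to configuration-change events. The following is an added example, not part of the original post or any Entrust tooling: a small audit log triage script. The line layout and the meaning of the three audit codes are assumptions inferred only from the lines quoted here, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Layout inferred from the three audit lines quoted in this post (an assumption):
# [timestamp] [thread] [level] [logger] [code] [actor] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[(?P<level>[^\]]+)\] \[[^\]]+\] "
                  r"\[(?P<code>AUD\d+)\] \[(?P<actor>[^\]]+)\] (?P<msg>.*)$")
LABEL = re.compile(r"Delivery configuration label: (\S+)")
PROP = re.compile(r"Property (\S+) changed from being unencrypted to encrypted")

# The audit lines from the post, copied as shown (mobile number already redacted).
SAMPLE = [
    "[2025-08-25 11:38:21,142] [IG Audit Writer] [ERROR] [IG.AUDIT] [AUD3010] [OTP/bear.user] One time password delivery failed for user OTP/bear.user. Contact info label: Mobile Phone, Contact info value: <mobile_number>, Delivery configuration label: SMS.OTP",
    "[2025-08-25 12:10:57,758] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7003] [OTP/entrust.admin] Property identityguard.oobdelivery.smsgateway.smsotp.password changed from being unencrypted to encrypted.",
    "[2025-08-25 12:14:45,714] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD3008] [OTP/bear.user] One time password delivered to user OTP/bear.user. Contact info label: Mobile Phone, Contact info value: <mobile_number>, Delivery configuration label: SMS.OTP",
]

def parse(line):
    """Return a dict for one audit line, or None if it does not match the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    rec["level"] = rec["level"].strip()  # the level field is padded, e.g. "INFO "
    return rec

def triage(lines):
    """Count OTP delivery results per delivery label and relate them to AUD7003."""
    out = {"failed": {}, "delivered": {}, "encrypted_props": [], "failed_after_fix": 0}
    fixed_at = None  # time of the most recent unencrypted-to-encrypted change
    for rec in filter(None, map(parse, lines)):  # lines assumed in time order
        label = LABEL.search(rec["msg"])
        prop = PROP.search(rec["msg"])
        if rec["code"] == "AUD7003" and prop:
            out["encrypted_props"].append(prop.group(1))
            fixed_at = rec["ts"]
        elif rec["code"] in ("AUD3010", "AUD3008") and label:
            bucket = "failed" if rec["code"] == "AUD3010" else "delivered"
            out[bucket][label.group(1)] = out[bucket].get(label.group(1), 0) + 1
            if bucket == "failed" and fixed_at and rec["ts"] > fixed_at:
                out["failed_after_fix"] += 1  # still failing: look beyond the checkbox
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A delivery label with failures and no matching entry in `encrypted_props` is the pattern described in this post; a non-zero `failed_after_fix` points to a different cause.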
Conclusion
For anyone configuring Entrust Identity Guard SMS delivery: always check the encrypt checkbox next to the SMS gateway password field. Without this step, SMS OTP delivery will fail even if all other configuration parameters are correct.