7.8 Imxclient

10 октября 2025 г.

18:13

Our database layer (VI.DB) automatically detects statetements that may be "harmful" or allow to access data bypassing security settings.

Unfortunately some of the statements the API server uses fall under this category.

One solution for this problem is to tell the database layer, that the statements come from a web application and that the web application takes care of preventing harmful access. To do so, the web application's entry in the database table QBMWebApplicationn stores a Trusted Source Key and the web application stores the same TrustedSourceKey in its web.config connectionStrings section.

This source key is automatically added to the database and the web.config during the installation of the web application with the web installer and so you normally don't get bothered with that whole topic.

When starting an API server locally using the ImxClient you can basically use the same mechanism but you have do configure it manually. This article tells you how to achieve that.

Determine the TrustedSourceKey

The easiest way is to install a web application and then copy the raw value from the deciphered web.config and the crypted value from the db table QBMWebApplication.

Store the TrustedSourceKey in ImxClient.exe.config

1. If not present, add this section definition for the connectionbehavior section to the configSections node.
   Here's an example of how this might look like:
   \<configSections>
   \<section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
   \</configSections>

2. If not present add a section named connectionbehaviour to your configuration.

3. Within the connectionbehavior section add a value for the key TrustedSourceKey.
   Here's an example of how the connectionbehaviour section could look like:
   \<connectionbehaviour>
   \<add key="TrustedSourceKey" value="ELLZ5Z6VZ5ERGHIC1SQSEHFHNSV5444S" />
   \</connectionbehaviour >

Store the TrustedSourceKey in the database

In the database you want to connect to create an entry in the table QBMWebApplication with the following column values

• BaseURL: http://localhost:8182

• TrustedSourceKey: \<the crypted trusted source key>

You could use the ObjectBrowser to create this data or the Designer.exe.

If you use the Designer.exe go to Base data > Security settings > Web server configurations.

Start the local API server

When starting the local APIServer you have to make sure to give the paramater for baseurl: /baseurl

Even if you just use the default base url http://localhost:8182 you have to pass /baseurl http://localhost:8182 to make this solution work.

So your call looks something like this:

ImxClient.exe run-apiserver -B /htmldir ixweb /baseurl http://localhost:8182

From \<https://www.oneidentity.com/community/identity-manager/f/forum/36470/angular-development-and-potential-sql-injection-attack-imxclient-exe-config-settings-help/86223>

---

ImxClient.exe run-apiserver -B

You need to provide a file named application.json in your binary directory where you start the imxclient.exe.

{

"ConnectionStrings": {

"TrustedSourceKey": "YOURTRUSTEDSOURCEKEY"

}

}

From \<https://www.oneidentity.com/community/identity-manager/f/forum/37740/potentially-dangerous-behaviour-was-detected-the-request-will-be-ignored-810452/90951>