I have server and client applications communicating over the TCP socket that is desktop applications. I have enabled Windows IP-sec between server and client machine so that my network traffic would be encrypted. During the login process client application send hash of the password to server and server validate it in the database after applying server side hash that is fine. Now there is another scenario where client application request SQL server password from the server over TCP and server sends this password in plain text and then client application use this password to connect with SQL server, similarly to connect with other third party server, client application fetch password from server, server send it as plain over Ipsec. My question is does this safe to send password as plain over the ipsec enabled server and client? If not what else I have to do to make it secure?
IP-sec provides encryption, therefore it is in theory safe to send the password as plain-text over IP-sec connection.
However, it may be better practice to not send plain-text passwords if at all possible.
The method that comes to mind is using SSH keys. Client would generate key-pair and send public key to the server, which would forward it to the SQL/third-party server. In this scenario, the private key never has to leave the client. This is harder to set-up, but should be more secure in the long run.
PS: Also remember, that the password/key can be extracted from the client application, if the attacker has access to the client machine (directly or by malware on the computer). Therefore always assume that the user authenticated as client will have access to these keys and will be able to do everything these keys can be used to do, even if your client does not allow it.