password-map
This command manages the mapping between password aliases and their plaintext values in an encrypted file.
Syntax
- Interactively add an entry to the password map file.
- password-map
- Delete an entry from the password map file.
- delete password-map alias
- Clear the entries in the password map file.
- no password-map
Parameters
- alias
- The alias is the reference to a password.
Guidelines
The password-map command manages the mapping between password aliases and their plaintext values in an encrypted file. When you create a password alias, the password map generates the host key to encrypt the plaintext password. The password map and the locally generated key are saved to separate files.
- The alias is a publicly known reference and included in configuration files and exports.
- No one can view or access the password. Only the DataPower® Gateway can extract the password that it uses internally.
- By default, no password aliases in a map are written to configuration files, and the password-to-alias map is not part of a backup or export operation.
  Note: When you obfuscate passwords by setting the domain settings password-treatment command to masked, the passwords are obfuscated with the value set with the passphrase command. When you persist the configuration with masked passwords, the obfuscated passwords are emitted and stored in the startup configuration under the password-encrypted command. For more information, see Managing domain settings.
- The password-to-alias map is part of the secure backup-restore operations.
Password maps protect passwords that the DataPower Gateway uses to access locally stored key files and certificate files or to access remote resources.
- In commands that use plaintext passwords, the password argument is used to open and read the corresponding file or to send as the credentials to access the remote resource.
- In commands that use encrypted passwords, the password-alias argument is the search criteria for the password map file to identify its associated encrypted password. Then, the encrypted password is decrypted with the locally generated host key to yield the plaintext password. This password is used to open and read the corresponding file or to send as the credentials to access the remote resource.
An attempt to reference an encrypted password that is not in the password map results in command failure.
alias:password pairs.
alias
- The name of the alias. This name must consist of alphanumeric characters and cannot contain whitespace.
password
- The plaintext password to encrypt. This password must consist of alphanumeric characters but can contain whitespace (spaces or tabs). Leading and trailing whitespace is ignored. The length is limited to 512 characters.
Make sure that synchronization is maintained between the startup configuration and the password map file. Use the password-map command to generate and encrypt aliases to access files or send as credentials to access remote resources that are protected by an encrypted password. An attempt to reference an encrypted password that is not in the password map results in failure.
Deletion of the password map to access key or certificate files has no immediate effect on keys and certificates that are in memory. At restart, any key or certificate command that contains a reference to its alias in the deleted password map fails unless you create the same alias in the password map.
Use the no password-map command to clear the entries in the password map.
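The synchronization requirement above can be checked before a restart. The following is an added example, not IBM code: it compares the aliases listed by show password-map with every password-alias reference in a configuration file and reports references that would fail. The sample configuration lines are constructed, and the layout of the show output (a count header followed by one alias per line) is an assumption.

```python
import re

# Alias rule from this page: alphanumeric characters only, no whitespace.
ALIAS_RE = re.compile(r"^[A-Za-z0-9]+$")
# Assumption: a reference is the password-alias keyword followed by the alias.
REF_RE = re.compile(r"\bpassword-alias\s+(\S+)")
HEADER_RE = re.compile(r"^\d+ password-map aliases$")

# Constructed sample of 'show password-map' output (one alias per line assumed).
SHOW_OUTPUT = """\
# show password-map
2 password-map aliases
towson
dundaulk
"""

# Constructed configuration; the command layout is illustrative, only the
# password-alias argument is taken from the page.
CONFIG = """\
crypto
  key alice cert:///alice-privkey.pem password-alias towson
  key bob cert:///bob-privkey.pem password-alias columbia
exit
"""

def parse_show_output(text):
    """Return the set of aliases, skipping the prompt and the count header."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines
            if ln and not ln.startswith("#") and not HEADER_RE.match(ln)}

def referenced_aliases(config_text):
    """Map each referenced alias to the configuration line numbers that use it."""
    refs = {}
    for num, line in enumerate(config_text.splitlines(), 1):
        for alias in REF_RE.findall(line):
            refs.setdefault(alias, []).append(num)
    return refs

def audit(config_text, show_text):
    """Report aliases that are missing from the map, unused, or badly named."""
    known = parse_show_output(show_text)
    refs = referenced_aliases(config_text)
    return {
        "missing": {a: n for a, n in refs.items() if a not in known},
        "unused": sorted(known - set(refs)),
        "invalid": sorted(a for a in refs if not ALIAS_RE.match(a)),
    }

if __name__ == "__main__":
    print(audit(CONFIG, SHOW_OUTPUT))
```

An alias under "missing" is one whose command fails at restart unless the same alias is created in the password map first.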
Examples
- Create a password map and generate the host key to encrypt the plaintext password.
    # password-map
    Please enter alias-name and plaintext passwords pairs
     - Enter a blank alias name to finish
    Alias-name: towson
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name: dundaulk
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (2 entries)
- Confirm the creation of the password map.
    # show password-map
    2 password-map aliases
    towson
    dundaulk
- Add another alias-password pair to the password map.
    # password-map
    A password-map already exists, overwrite? Yes/No [y/n]: n
    Appending to current password map...
    Please enter alias-name and plaintext passwords pairs
     - Leading and trailing whitespace is removed
    Alias-name: columbia
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (3 entries)
- Change the password that is associated with the columbia alias.
    # delete password-map columbia
    Deleted password-map alias 'columbia'
    password-map saved : 2 entry(s)
    # password-map
    A password-map already exists, overwrite? Yes/No [y/n]: n
    Appending to current password map...
    Please enter alias-name and plaintext password pairs
     - Leading and trailing whitespace is removed
    Alias-name: columbia
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (3 entries)
- Delete the entry that is associated with the columbia alias.
    # delete password-map columbia
    Deleted password-map alias 'columbia'
    password-map saved : 2 entry(s)
- Delete the password map.
    # no password-map
    Are you sure you want to remove the password-map? Yes/No [y/n]: y
    Cleared password-map