password-map

This command manages the mapping between password aliases and their plaintext values in an encrypted file.

Syntax

Interactively add an entry to the password map file.
password-map
Delete an entry from the password map file.
delete password-map alias
Clear the entries in the password map file.
no password-map

Parameters

alias
The name of the alias that refers to an encrypted password in the map.

Guidelines

The password-map command manages the mapping between password aliases and their plaintext values in an encrypted file. When you create a password alias, the password map generates the host key to encrypt the plaintext password. The password map and the locally generated key are saved to separate files.

When you use a password map, the following behavior applies.
  • The alias is a publicly known reference and included in configuration files and exports.
  • The plaintext password is not exposed through the CLI, configuration files, or exports. Only the DataPower® Gateway can decrypt the password, which it uses internally.
  • By default, no passwords from a map, plaintext or encrypted, are written to configuration files, and the password-to-alias map is not part of a backup or export operation.
    Note: When you obfuscate passwords by setting the domain settings password-treatment command to masked, the passwords are obfuscated with the value set with the passphrase command. When you persist the configuration with masked passwords, the obfuscated passwords are emitted and stored in the startup configuration under the password-encrypted command. For more information, see Managing domain settings.
  • The password-to-alias map is part of the secure backup-restore operations.

Password maps protect passwords that the DataPower Gateway uses to access locally stored key files and certificate files or to access remote resources.

  • In commands that use plaintext passwords, the password argument is used to open and read the corresponding file or to send as the credentials to access the remote resource.
  • In commands that use encrypted passwords, the password-alias argument is the search criteria for the password map file to identify its associated encrypted password. Then, the encrypted password is decrypted with the locally generated host key to yield the plaintext password. This password is used to open and read the corresponding file or to send as the credentials to access the remote resource.

An attempt to reference an encrypted password that is not in the password map results in command failure.
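The resolution path described above, as an added illustration rather than DataPower code: a map that holds alias-to-ciphertext entries, a locally generated host key kept apart from the map, and a resolve step that fails when the alias is absent. The cipher is a stand-in (a SHA-256 counter keystream with an HMAC tag) because the page does not name the appliance's algorithm; the alias and password rules (alphanumeric alias without whitespace, 512-character limit, trimmed whitespace) are the page's own.

```python
"""Toy model of alias-to-password resolution (added example, not DataPower code)."""
import hashlib
import hmac
import os
import re

ALIAS_RE = re.compile(r"^[A-Za-z0-9]+$")  # alphanumeric, no whitespace (from the page)
MAX_PASSWORD_LEN = 512                    # from the page


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. Stand-in cipher only; not for production use."""
    blocks = [hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(host_key: bytes, plaintext: str) -> bytes:
    """nonce || ciphertext || HMAC tag, keyed by the host key."""
    data = plaintext.encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(host_key, nonce, len(data))))
    tag = hmac.new(host_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(host_key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a tampered map entry is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(host_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("password map entry failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(host_key, nonce, len(body)))).decode()


class PasswordMap:
    """Alias -> encrypted password. The host key is stored separately from the map."""

    def __init__(self) -> None:
        self.host_key = os.urandom(32)        # generated locally when the map is created
        self._entries: dict[str, bytes] = {}  # contents of the encrypted map file

    def add(self, alias: str, password: str) -> None:
        if not ALIAS_RE.match(alias):
            raise ValueError(f"alias {alias!r} must be alphanumeric without whitespace")
        password = password.strip()           # leading and trailing whitespace is ignored
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password exceeds 512 characters")
        self._entries[alias] = encrypt(self.host_key, password)

    def delete(self, alias: str) -> None:     # `delete password-map alias`
        del self._entries[alias]

    def clear(self) -> None:                  # `no password-map`
        self._entries.clear()

    def aliases(self) -> list[str]:           # what `show password-map` reveals: names only
        return list(self._entries)

    def resolve(self, alias: str) -> str:
        """Look the alias up, then decrypt with the host key. Unknown alias: the command fails."""
        if alias not in self._entries:
            raise KeyError(f"password-alias {alias!r} is not in the password map")
        return decrypt(self.host_key, self._entries[alias])
```

Only `aliases()` is safe to expose in an export; `resolve()` is what a command with a `password-alias` argument calls internally, and it raises on a dangling alias instead of silently opening the file with an empty password.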

The password-map command interactively prompts for alias:password pairs.
alias
The name of the alias. This name must consist of alphanumeric characters and cannot contain whitespace.
password
The plaintext password to encrypt. This password must consist of alphanumeric characters and can contain interior whitespace (spaces or tabs). Leading and trailing whitespace is removed before the password is encrypted. The length is limited to 512 characters.

Keep the startup configuration and the password map file synchronized. Because the map is not part of a configuration export or a regular backup (only a secure backup includes it), a configuration that references aliases fails on a system whose map does not contain those aliases. Use the password-map command to create and encrypt an alias for every password-protected file or remote resource that the configuration references with a password-alias argument.

Deleting a password map that protects key or certificate files has no immediate effect on keys and certificates that are already loaded in memory. At restart, any key or certificate command that references an alias from the deleted map fails unless you re-create the same alias in the password map.
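A check for the synchronization requirement in the two paragraphs above, written here as an added example and not DataPower tooling: compare the `password-alias` references in a startup configuration against the alias list printed by `show password-map`, so dangling references are found before a restart turns them into failed key or certificate commands. The `show password-map` output is the page's own; the configuration fragment is constructed, and only the `password-alias <alias>` argument shape is taken from the page, the surrounding command layout being an assumption.

```python
"""Audit a startup configuration for password-alias references that the map does not hold."""
import re

# Copied from the page's `show password-map` example.
SHOW_PASSWORD_MAP = """\
2 password-map aliases
  towson
  dundaulk
"""

# Constructed configuration fragment. Command layout is assumed; the
# `password-alias <alias>` argument is the page's, the `columbia` reference is deliberately stale.
STARTUP_CONFIG = """\
crypto
  key towson-key cert:///towson-privkey.pem password-alias towson
  key dundaulk-key cert:///dundaulk-privkey.pem password-alias dundaulk
  key columbia-key cert:///columbia-privkey.pem password-alias columbia
exit
"""

# Aliases are alphanumeric with no whitespace, so a word match is enough.
ALIAS_REF = re.compile(r"\bpassword-alias\s+([A-Za-z0-9]+)")


def parse_show_password_map(text: str) -> set[str]:
    """Aliases listed by `show password-map`: a count line, then one indented alias per line."""
    lines = text.splitlines()
    if not lines or not lines[0].endswith("password-map aliases"):
        raise ValueError("unexpected show password-map output")
    declared = int(lines[0].split()[0])
    aliases = {line.strip() for line in lines[1:] if line.strip()}
    if len(aliases) != declared:
        raise ValueError(f"header says {declared} aliases but {len(aliases)} were listed")
    return aliases


def alias_references(config: str) -> dict[str, list[int]]:
    """Map each referenced alias to the 1-based configuration lines that use it."""
    refs: dict[str, list[int]] = {}
    for lineno, line in enumerate(config.splitlines(), start=1):
        for alias in ALIAS_REF.findall(line):
            refs.setdefault(alias, []).append(lineno)
    return refs


def dangling_aliases(config: str, show_output: str) -> dict[str, list[int]]:
    """Aliases the configuration references but the map lacks; these commands fail at restart."""
    present = parse_show_password_map(show_output)
    return {a: lines for a, lines in alias_references(config).items() if a not in present}


def unused_aliases(config: str, show_output: str) -> set[str]:
    """Aliases in the map that nothing references (candidates for `delete password-map`)."""
    return parse_show_password_map(show_output) - set(alias_references(config))


if __name__ == "__main__":
    for alias, lines in dangling_aliases(STARTUP_CONFIG, SHOW_PASSWORD_MAP).items():
        print(f"alias {alias!r} referenced on line(s) {lines} is missing from the password map")
    for alias in sorted(unused_aliases(STARTUP_CONFIG, SHOW_PASSWORD_MAP)):
        print(f"alias {alias!r} is in the password map but unreferenced")
```

Run it against a captured `show password-map` transcript and the exported configuration of the target system before restoring or restarting; an empty dangling set is the condition the page asks you to maintain.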

Note: You cannot use the password-map command in a configuration script. When found, the command is ignored.

Use the no password-map command to clear the entries in the password map.

Examples

  • Create a password map and generate the host key to encrypt the plaintext password.
    # password-map
    Please enter alias-name and plaintext passwords pairs
    - Enter a blank alias name to finish
    Alias-name: towson
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name: dundaulk
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (2 entries)
  • Confirm the creation of the password map.
    # show password-map
    2 password-map aliases
      towson
      dundaulk
  • Add another alias-password pair to the password map.
    # password-map
    A password-map already exists, overwrite? Yes/No [y/n]: n
    Appending to current password map...
    Please enter alias-name and plaintext passwords pairs
    - Leading and trailing whitespace is removed
    Alias-name: columbia
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (3 entries)
  • Change the password that is associated with the columbia alias. The map has no in-place update, so delete the alias and then add it again with the new password.
    # delete password-map columbia
    Deleted password-map alias 'columbia'
    password-map saved : 2 entry(s)
    # password-map
    A password-map already exists, overwrite? Yes/No [y/n]: n
    Appending to current password map...
    Please enter alias-name and plaintext password pairs
    - Leading and trailing whitespace is removed
    Alias-name: columbia
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map updated (3 entries)
  • Delete the entry that is associated with the columbia alias.
    # delete password-map columbia
    Deleted password-map alias 'columbia'
    password-map saved : 2 entry(s)
  • Delete the password map.
    # no password-map
    Are you sure you want to remove the password-map? Yes/No [y/n]: y
    Cleared password-map