Managing password aliases in the password map

In a password map, a password alias provides the mapping between an alias and its plaintext value in an encrypted file. A password alias keeps the real password a secret. When a configuration uses an alias instead of a password, the alias must be defined in the password map.

About this task

Each domain has a password map. When necessary, the DataPower® Gateway extracts the passwords in a password map. Passwords are commonly used to secure connections with basic authentication and to protect crypto files for keys and certificates.

  • When you create an application domain, the password map for this domain inherits any defined password aliases from the default domain. When you do not need these password aliases in this application domain, delete them.
  • When password aliases in the default domain are changed, the password aliases in the application domains are not changed. Therefore, you must independently manage the password map in each domain after initial creation.

When you use a password map, the following behavior applies.
  • The alias is a publicly known reference and included in configuration files and exports.
  • No one can view or access the password. Only the DataPower Gateway can extract the password that it uses internally.
  • By default, no password aliases in a map are written to configuration files, and the password-to-alias map is not part of a backup or export operation.
    Note: When you obfuscate passwords by setting the domain settings Password treatment property to masked, the passwords are obfuscated with the value set with the Passphrase property. When you persist the configuration with masked passwords, the obfuscated passwords are emitted and stored in the startup configuration. For more information, see Managing domain settings.
  • The password-to-alias map is part of the secure backup-restore operations.

Procedure

  1. In the search field, enter password.
  2. From the search results, click Password map alias.
  3. Click Add.
  4. Define the basic properties: name, administrative state, and comments.
  5. In the Password fields, enter the plaintext password to encrypt. The password must consist of alphanumeric characters but can contain whitespace. Leading and trailing whitespace is ignored. The length is limited to 512 characters.
  6. Click Apply to save changes to the running configuration.
  7. Click Save to save changes to the persisted configuration.
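
The following pre-flight check is an added example, not code from IBM or the DataPower product. It validates a candidate password against the constraints in step 5 and audits one application domain's alias names against what its configuration references. Assumptions: "alphanumeric" means ASCII letters and digits, the 512-character limit applies after trimming, and the alias inventories are constructed sets that you supply yourself.

```python
# Added example: pre-flight checks for one domain's password map.
# Assumptions: "alphanumeric" means ASCII letters and digits, and the
# 512-character limit applies after trimming. Inventories are constructed.
MAX_LEN = 512  # length limit stated in step 5


def check_password(value):
    """Return (trimmed value, list of problems) for a candidate password."""
    trimmed = value.strip()  # leading and trailing whitespace is ignored
    problems = []
    if len(trimmed) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Report the rule that failed without echoing any password characters.
    if any(not (c.isspace() or (c.isascii() and c.isalnum()))
           for c in trimmed):
        problems.append("contains characters other than alphanumerics "
                        "and whitespace")
    return trimmed, problems


def audit_domain(defined, referenced, inherited_from_default):
    """Compare one application domain's alias names (sets of strings).

    undefined: referenced by the configuration but missing from the map.
    unused_inherited: copied from the default domain at creation and
    never referenced, so candidates for deletion.
    """
    return {
        "undefined": sorted(referenced - defined),
        "unused_inherited": sorted(
            (defined & inherited_from_default) - referenced),
    }


if __name__ == "__main__":
    # Constructed inventory for a hypothetical application domain.
    default_at_creation = {"ldap-bind", "backend-basic", "keystore-pw"}
    defined = default_at_creation | {"partner-sftp"}
    referenced = {"backend-basic", "partner-sftp", "mq-channel"}
    print(audit_domain(defined, referenced, default_at_creation))
    print(check_password("  abc 123  "))
    print(check_password("p@ss")[1])
```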