password-map

This command manages the mapping of encrypted passwords to password aliases in a password map file.

Syntax

Interactively add an entry to the password map file.
password-map
Delete an entry from the password map file.
delete password-map alias
Delete the password map file.
no password-map

Parameters

alias
The name of the alias that references the password to delete.

Guidelines

The password-map command maps the encrypted password to a password alias in a password map file.

The password map and the locally generated key are saved to separate files on the appliance. Plaintext passwords are not saved on the appliance. Password maps are typically used to protect key and certificate files.

  • In commands that use plaintext, or unencrypted passwords, the password argument is used to open and read the corresponding file.
  • In commands that use encrypted passwords, the password-alias argument is the search criteria for the password map file to identify its associated encrypted password. Then the encrypted password is decrypted with the locally generated host key to yield the plaintext password. This password is used to open and read the corresponding file.

An attempt to reference an encrypted password that is not found in the password map results in command failure.

The password-map command interactively prompts for alias:password pairs.
alias
Specifies the name of the alias. This name must consist of alphanumeric characters and cannot contain white space. The length is limited to 127 characters.
password
Specifies the plaintext password. This password consists of alphanumeric characters and, unlike the alias, can also contain internal white space (spaces or tabs). Leading and trailing white space is ignored. The length is limited to 127 characters.

You must keep the startup configuration and the password map file synchronized. Use the password-map command to create and encrypt the aliases for certificate or key passwords before the certificate or key commands that reference them run; a command that references an alias that is not in the password map fails.

Deletion of the password map and host key file has no immediate effect on keys and certificates that are already in memory. At restart, however, key and certificate commands that reference aliases in the deleted password map fail unless a new password map that contains the same aliases was created first.
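The synchronization requirement above can be checked offline before a restart. The following Python script is an added example written for this page, not DataPower code: it parses the alias list in the format that show password-map prints (see the Examples section) and scans a saved configuration for password-alias arguments, reporting aliases that are referenced but absent from the map (the objects that use them fail to load at restart) and aliases that are in the map but referenced nowhere (candidates for delete password-map). The configuration excerpt, and the exact form of a key command carrying a password-alias argument, are constructed for illustration; adjust the regular expression to match what your appliance actually writes.

```python
import re

# Constructed sample: the alias listing that "show password-map" prints, in the
# format shown on this page (a count line, then one alias per line).
SHOW_PASSWORD_MAP = """\
2 password-map aliases
  towson
  dundaulk
"""

# Constructed sample: an excerpt of a saved configuration. The form of the key
# command and its password-alias argument is assumed for illustration only.
STARTUP_CONFIG = """\
crypto
  key "tls-key" cert:///tls-key.pem password-alias towson
  certificate "tls-cert" cert:///tls-cert.pem
  key "backend-key" cert:///backend-key.pem password-alias columbia
  key "signing-key" cert:///signing-key.pem password-alias dundaulk
exit
"""

# An alias is alphanumeric, contains no white space, and is at most 127 characters.
ALIAS_NAME = re.compile(r"[A-Za-z0-9]{1,127}")
# A password-alias argument, optionally quoted (assumed syntax).
ALIAS_REF = re.compile(r'\bpassword-alias\s+("?)([A-Za-z0-9]+)\1')


def validate_alias(name):
    """True if name satisfies the alias rules stated in the Guidelines."""
    return ALIAS_NAME.fullmatch(name) is not None


def parse_password_map(show_output):
    """Return the set of aliases listed by "show password-map".

    The count in the first line is cross-checked against the aliases that
    follow, so a truncated capture is not mistaken for a complete map.
    """
    lines = [ln.strip() for ln in show_output.splitlines() if ln.strip()]
    if not lines:
        return set()
    header = re.match(r"(\d+) password-map alias", lines[0])
    if header is None:
        raise ValueError("unrecognized show password-map output: %r" % lines[0])
    aliases = set(lines[1:])
    if int(header.group(1)) != len(aliases):
        raise ValueError("alias count %s does not match %d listed aliases"
                         % (header.group(1), len(aliases)))
    return aliases


def referenced_aliases(config_text):
    """Map each alias used in a password-alias argument to the config line numbers that use it."""
    refs = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in ALIAS_REF.finditer(line):
            refs.setdefault(m.group(2), []).append(lineno)
    return refs


def missing_aliases(config_text, show_output):
    """Aliases the configuration references but the password map lacks.

    Every key or certificate command that uses one of these fails at restart.
    """
    known = parse_password_map(show_output)
    return {alias: lines for alias, lines in referenced_aliases(config_text).items()
            if alias not in known}


def unreferenced_aliases(config_text, show_output):
    """Aliases present in the password map that no command references."""
    return parse_password_map(show_output) - set(referenced_aliases(config_text))


if __name__ == "__main__":
    for alias, lines in sorted(missing_aliases(STARTUP_CONFIG, SHOW_PASSWORD_MAP).items()):
        print("alias %r referenced on line(s) %s is not in the password map"
              % (alias, ", ".join(map(str, lines))))
    for alias in sorted(unreferenced_aliases(STARTUP_CONFIG, SHOW_PASSWORD_MAP)):
        print("alias %r is in the password map but never referenced" % alias)
```

Run it with the captured show password-map output and the saved configuration substituted for the two constructed samples; an empty result from missing_aliases before a restart means every alias the configuration depends on is present in the map.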

Note: The password-map command cannot be used in a configuration script. When found, the command is ignored.

Use the no password-map command to delete the password map and host key files.

Examples

  • Create a password map and generate the host key to encrypt the two plaintext passwords.
    
    # password-map
    Please enter alias-name and plaintext password pairs
    - Enter a blank alias name to finish
    Alias-name: towson
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name: dundaulk
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map saved (2 entries)
    
  • Confirm the creation of the password map.
    
    # show password-map
    2 password-map aliases
      towson
      dundaulk
    
  • Add another alias-password pair to the password map. Answering n to the overwrite prompt appends to the existing map instead of replacing it.
    
    # password-map
    A password-map already exists, overwrite? Yes/No [y/n]: n
    Appending to current password map...
    Please enter alias-name and plaintext password pairs
    - Leading and trailing white space is removed
    Alias-name: columbia
    Plaintext password: ********
    Re-enter plaintext password: ********
    Alias-name:
    Password-map saved (3 entries)
    
  • Delete the entry associated with the columbia alias.
    
    # delete password-map columbia
    Deleted password-map alias 'columbia'
    password-map saved : 2 entry(s)
    
  • Delete the password map.
    
    # no password-map
    Are you sure you want to remove the password-map? Yes/No [y/n]: y
    Deleted saved password-map