Updating device passwords

BMC recommends two methods for updating enable and local passwords. Method 1 updates a password independent of its current value. Method 2 updates a password only if the current password does not equal the required password. The second method is particularly useful as an efficient means of standardizing on passwords and subsequently auditing the password values.

Method 1: Updating a password independently of its current value

Use a template with hidden global substitution parameters (for example, ${global.enablepwd} or ${global.localpwd}) to ensure passwords are not shown in clear-text during the update.

  1. Update the global substitution parameters with the new clear-text passwords.

  2. Create the template (or use an ad-hoc template on the Deploy to Active span action), as follows:

    enable secret 0 ${global.enablepwd}
    username admin password 0 ${global.localpwd}
    end
    
  3. Submit a Deploy to Active span action by using the template. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by BMC Network Automation for device access.

Method 2: Updating a password to a new string

This method updates the password only if it does not match a required password. BMC Network Automation supports internal function substitution parameters for this purpose.

These internal function substitution parameters evaluate whether an MD5 or Vigenere encrypted password matches a clear-text password encrypted with the same algorithm and salt.

${eval encrypt_cisco_vigenere_b64 p1 p2}
${eval encrypt_gnu_md5_b64 p1 p2}

where

  • p1 = clear-text password (for example, references a hidden global substitution parameter). If the clear-text password is a literal string in this context, it cannot contain a blank space.
  • p2 = salt string required for these algorithms

The applicable internal function (if any) for a particular device type can be found via the Device Adapter Capabilities report; select to display the "Password Encryption Functions."

The rules below use hidden global substitution parameters to ensure passwords are not shown in clear-text during the update. Perform the following steps:

  1. Update the hidden global substitution parameters with the new clear-text password.
  2. Create the rule.
  3. Submit a Deploy to Active span action by using Remediate With... and the rule. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by BMC Network Automation for device access.

Examples

The rules below update existing passwords, so they assume that the enable secret and username commands already exist in the configuration.

The following rule implements "If the Cisco IOS enable password is not set to X, then set to X".

  • Trigger pattern: enable secret 5 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: enable secret 5 ${eval encrypt_gnu_md5_b64 ${global.enablepw} ${trigger.1}}

The following rule implements "If the local password is not set to X, then set to X".

  • Trigger pattern: username (.*) password 7 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: username ${trigger.1} password 7 ${eval encrypt_cisco_vigenere_b64 ${global.localpw} ${trigger.2}}
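The enable-secret rule above works because an MD5-crypt string carries its own salt: re-encrypting the required clear-text with the salt taken from the stored hash and comparing the result tells you whether the device is already compliant without exposing the clear-text in the configuration. The following added example (not BMC Network Automation code) reproduces that check in Python for the Cisco IOS "enable secret 5" case: it implements the MD5-crypt scheme the page calls encrypt_gnu_md5_b64, extracts the salt from the captured trigger group, and emits the remediation line only when the stored hash does not match. The function and variable names are illustrative, and the sample config line is a constructed Packet Tracer-style value.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3)-style base64: least significant 6 bits first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """GNU/FreeBSD MD5-crypt ($1$salt$hash), the scheme behind Cisco 'enable secret 5'."""
    pw, slt = password.encode(), salt[:8].encode()   # salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$1$" + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for i in range(len(pw), 0, -16):                 # mix in alt, one chunk per 16 bytes of pw
        ctx.update(alt[:min(i, 16)])
    i = len(pw)
    while i:                                         # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(slt)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + salt[:8] + "$" + enc + _to64(final[11], 2)

def remediate_enable_secret(config_line, required_password):
    """Mirror of the rule: trigger 'enable secret 5 (.*)', return the subject line or None."""
    m = re.fullmatch(r"enable secret 5 (.*)", config_line.strip())
    if not m:
        return None                                  # trigger did not fire
    stored = m.group(1)                              # this is ${trigger.1}
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return None                                  # not an MD5-crypt string; leave it alone
    salt = parts[2]
    if md5_crypt(required_password, salt) == stored:
        return None                                  # already set to the required password
    return "enable secret 5 " + md5_crypt(required_password, salt)

# Constructed sample: Packet Tracer-style hash of the clear-text "cisco" with salt "mERr"
SAMPLE_LINE = "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0"
```

Running `remediate_enable_secret(SAMPLE_LINE, "cisco")` returns None (compliant), while any other required password yields a replacement line hashed under the same salt.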

Related topics

Managing templates
Managing global substitution parameters
Managing jobs
Managing device security profiles
Managing policies

