Important

   

Starting version 8.9.03, BMC Network Automation is renamed to TrueSight Network Automation. This space contains information about TrueSight Network Automation 8.9.03 and later. For earlier releases, see BMC Network Automation 8.9.

Updating device passwords

BMC recommends two methods for updating enable and local passwords. Method 1 updates a password independent of its current value. Method 2 updates a password only if the current password does not equal the required password. The second method is particularly useful as an efficient means of standardizing on passwords and subsequently auditing the password values.

Method 1: Updating a password independently of its current value

Use a template with hidden global substitution parameters (for example, ${global.enablepwd} or ${global.localpwd}) to ensure passwords are not shown in clear-text during the update.

  1. Update the global substitution parameters with the new clear text passwords.

  2. Create the template (or use an ad-hoc template on the Deploy to Active span action), as follows:

    enable secret 0 ${global.enablepwd}
    username admin password 0 ${global.localpwd}
    end
    
  3. Submit a Deploy to Active span action by using the template. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by TrueSight Network Automation for device access.

Method 2: Updating a password to a new string

This method updates the password only if it does not match a required password. TrueSight Network Automation supports internal function substitution parameters for this purpose.

These internal function substitution parameters evaluate if an MD5 or Vingenere encrypted password matches a clear-text password encrypted with the same algorithm.

${eval encrypt_cisco_vigenere_b64 p1 p2}
${eval encrypt_gnu_md5_b64 p1 p2}

where

  • p1 = clear-text password (for example, references a hidden global substitution parameter). If the clear-text password is a literal string in this context, it cannot contain a blank space.
  • p2 = salt string required for these algorithms

The applicable internal function (if any) for a particular device type can be found via the Device Adapter Capabilities report. While generating the report, select to display Password Encryption Functions.

The rules below use hidden global substitution parameters to ensure passwords are not shown in clear-text during the update. Perform the following steps:

  1. Update the hidden global substitution parameters with the new clear text password.
  2. Create the rule.
  3. Submit a Deploy to Active span action by using Remediate With... and the rule. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by TrueSight Network Automation for device access.

Examples

The rules below are used to update passwords, therefore they assume that the enable secret and username commands already exist in the configuration.

The following rule implements "If the Cisco IOS enable password is not set to X, then set to X".

  • Trigger pattern: enable secret 5 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: enable secret 5 ${eval encrypt_gnu_md5_b64 ${global.enablepw} ${trigger.1}}

The following rule implements "If the local password is not set to X, then set to X".

  • Trigger pattern: username (.) password 7 (.)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: username ${trigger.1} password 7 ${eval encrypt_cisco_vigenere_b64 ${global.localpw} ${trigger.2}}

Related topics

Managing templates
Managing global substitution parameters
Managing jobs
Managing device security profiles
Managing policies

Was this page helpful? Yes No Submitting... Thank you

Comments