
Updating device passwords


BMC recommends two methods for updating enable and local passwords. Method 1 updates a password independent of its current value. Method 2 updates a password only if the current password does not equal the required password. The second method is particularly useful as an efficient means of standardizing on passwords and subsequently auditing the password values.

Method 1: Updating a password independently of its current value

Use a template with hidden global substitution parameters (for example, ${global.enablepwd} or ${global.localpwd}) to ensure passwords are not shown in clear-text during the update.

  1. Update the global substitution parameters with the new clear-text passwords.
  2. Create the template (or use an ad-hoc template on the Deploy to Active span action), as follows:

    enable secret 0 ${global.enablepwd}
    username admin password 0 ${global.localpwd}
    end
  3. Submit a Deploy to Active span action by using the template. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by TrueSight Network Automation for device access.

Method 2: Updating a password to a new string

This method updates the password only if it does not match a required password. Network Automation supports internal function substitution parameters for this purpose.

These internal function substitution parameters evaluate whether an encrypted password matches a clear-text password encrypted with the same algorithm and salt.

${eval encrypt_cisco_vigenere_b64 p1 p2}
${eval encrypt_gnu_md5_b64 p1 p2}
${eval encrypt_cisco p3 p1 p2}

where

  • p1 is the clear-text password (for example, a reference to a hidden global substitution parameter). If the clear-text password is a literal string in this context, it cannot contain a blank space.
  • p2 is the salt string required by these algorithms.
  • p3 is the encryption type and can have the following values:
    • 4 – Specifies a SHA-256 encrypted secret string.
    • 5 – Specifies a message digest algorithm 5 (MD5) encrypted secret.
    • 8 – Specifies a Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 hashed secret.
    • 9 – Specifies a scrypt hashed secret.

The applicable internal function (if any) for a particular device type can be found in the Device Adapter Capabilities report. While generating the report, select the option to display Password Encryption Functions.

The rules below use hidden global substitution parameters to ensure passwords are not shown in clear-text during the update. Perform the following steps:

  1. Update the hidden global substitution parameters with the new clear-text password.
  2. Create the rule.
  3. Submit a Deploy to Active span action by using Remediate With... and the rule. Select the network span.
  4. After the Deploy to Active span action has completed, update the login information and enable passwords in the DSPs used by TrueSight Network Automation for device access.


Examples

The rules below are used to update existing passwords; they therefore assume that the enable secret and username commands already exist in the configuration.

The following rule implements "If the Cisco IOS enable password is not set to X, then set it to X". The password is encrypted using the MD5 encryption algorithm.

  • Trigger pattern: enable secret 5 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: enable secret 5 ${eval encrypt_gnu_md5_b64 ${global.enablepw} ${trigger.1}}
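To make the "no change when already compliant" behaviour of Method 2 concrete, here is an added Python model of the MD5 rule above; it is example code, not Network Automation's own implementation. It assumes that encrypt_gnu_md5_b64 computes standard MD5-crypt ($1$) as used for Cisco type 5 secrets, and the function names md5_crypt and evaluate_enable_secret_rule are hypothetical. The salt is taken from the existing hash carried in ${trigger.1}, so the subject line equals the trigger line exactly when the device already holds the required password.

```python
import hashlib
import re

# crypt(3)-style alphabet (not RFC 4648 base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # emit 6 bits per character, least significant group first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    # MD5-crypt ($1$); 'salt' may be bare or the full "$1$salt$hash" string,
    # mirroring how the rule passes ${trigger.1} as the salt argument.
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$")[0][:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:  # historical quirk: a zero byte or the first password byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order) + _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


ENABLE_SECRET_5 = re.compile(r"enable secret 5 (.*)")  # the page's trigger pattern


def evaluate_enable_secret_rule(config_line, desired_password):
    # Returns (subject_line, changed): the subject re-hashes the desired password
    # with the salt from the trigger capture, so a compliant line is unchanged.
    m = ENABLE_SECRET_5.fullmatch(config_line)
    if m is None:
        return config_line, False  # trigger did not fire
    subject = "enable secret 5 " + md5_crypt(desired_password, m.group(1))
    return subject, subject != config_line
```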

The following rule implements "If the Cisco IOS enable password is not set to X, then set it to X". The password is encrypted using the PBKDF2 encryption algorithm.

  • Trigger pattern: enable secret 8 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: enable secret 8 ${eval encrypt_cisco 8 ${global.enablepw} ${trigger.1}}

The following rule implements "If the local password is not set to X, then set it to X". The password is encrypted using the Vigenère (Cisco type 7) encryption algorithm.

  • Trigger pattern: username (.*) password 7 (.*)
  • Domain: Entire Configuration, unselect Exclude Trigger Line
  • Subject line: username ${trigger.1} password 7 ${eval encrypt_cisco_vigenere_b64 ${global.localpw} ${trigger.2}}

Related topics

Managing-templates
Managing-global-substitution-parameters
Managing-jobs
Managing-device-security-profiles
Managing-policies
