For better security, the EdgeSWG appliance hashes or encrypts passwords that are stored in its configuration, so that no password is kept in cleartext.
Note: In FIPS mode, the appliance encrypts all passwords. Version 6.7.x supports FIPS mode.
If you back up the EdgeSWG configuration, passwords are included in the configuration archives (see KB165985 and Archive the Configuration). If you are not creating a configuration archive, you can share an EdgeSWG appliance's hashed or encrypted passwords with another appliance. Perform the steps in the Resolution section.
Note: Before proceeding, make sure that you have already configured all the passwords that you want to share. When you enter the passwords in cleartext, the appliance hashes or encrypts them when saving them in the configuration.
Caution: Sharing encrypted passwords requires you to overwrite the destination appliance's current configuration-passwords-key. This makes any existing encrypted passwords on the destination appliance unreadable, because they were not encrypted with the imported key. After you import the key, you must replace or re-enter the passwords on the destination appliance so that they are encrypted with the imported key (see the destination appliance steps below).
On the source appliance:

Step 1. This step is required only if you are sharing encrypted passwords. Export the configuration-passwords-key. The CLI prompts for a password that protects the exported key; you need the same password when you import the key on the destination appliance.
#show ssl keypair aes256-cbc configuration-passwords-key
Encryption password: ***********
Confirm encryption password: ***********
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41
U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…
…
-----END RSA PRIVATE KEY-----

Step 2a. Display the configuration and copy the hashed passwords that you want to share.
Note: This command is also available in privileged mode.
#(config)show config
!- Version: SGOS 7.3.8.2 SWG Edition
!- Serial number: 100...
!- Local time: 2022-06-07 19:03:02-00:00UTC
...
security local-user-list edit "my-list" ;mode
user create "my-user"
user edit "my-user" ;mode
hashed-password "$PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8="
exit
...
!- END authentication

Step 2b. Display the configuration and copy the encrypted passwords that you want to share. Also note any accounts or services whose passwords are configured on the destination appliance but are not present in the source configuration; you must re-enter those passwords on the destination appliance.
Note: This command is also available in privileged mode.
#(config)show config
!- Version: SGOS 7.3.8.2 SWG Edition
!- Serial number: 100...
!- Local time: 2022-06-07 19:03:02-00:00UTC
...
!- BEGIN authentication
security radius create-realm-encrypted my-realm "DeZzf2x9Z7J...jQPuuHHQ==" my-hostname port
...
!- END authentication

On the destination appliance:

Step 1. This step is required only if you are sharing encrypted passwords. Import the configuration-passwords-key that you exported from the source appliance by pasting it after the inline command and terminating it with the end-of-file string:
#(config ssl)inline keyring show configuration-passwords-key eof
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41
U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…
…
-----END RSA PRIVATE KEY-----
eof
Decryption password: ***********
ok
After you type the end-of-file characters, the CLI prompts you to enter the password you used to encrypt the key on the source appliance. Enter the password to import the key.
Step 2. In the CLI, enter the appropriate commands to configure the hashed passwords you copied from the source appliance. Refer to the Command Line Interface Reference documentation.
For example, enter the following commands to specify the hashed local user password:
# (config)security
# (config)security local-user-list edit other-list
# (config local-user-list other-list)user edit my-user
# (config local-user-list other-list my-user)hashed-password $PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8=
ok

Step 3. Replace all the encrypted passwords on the destination appliance with their equivalents from the source appliance. In the CLI, enter the appropriate commands to configure the passwords you copied from the source appliance. Refer to the Command Line Interface Reference documentation.
For example, enter the following commands to specify the encrypted RADIUS secret:
# (config)security
# (config)security radius edit-realm other-realm
# (config radius other-realm)primary-server encrypted-secret DeZzf2x9Z7J...jQPuuHHQ==
ok

Step 4. Re-enter the existing passwords for the accounts or services that you identified as not being on the source appliance in Step 2b. Refer to the Command Line Interface Reference documentation for the appropriate commands.
For example, enter the following commands to specify the password for the primary HTTP log host:
# (config) access-log
# (config access-log)
# (config access-log)edit log_name
# (config log log_name)http-client primary password password
When you enter passwords in cleartext, the appliance encrypts them using the imported configuration-passwords-key.
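The procedure above involves copying hashed and encrypted values out of one `show config` dump and re-entering them on another appliance, plus moving a password-protected private key between the two. The following Python script is an added example, not part of the article or of the SGOS software: it parses a constructed `show config` excerpt in the format shown above, rejects a hashed-password value that was copied incompletely (for instance with the "..." elision that appears in the article's own output), builds the destination CLI command sequences from Steps 2 and 3, and confirms that an exported key PEM is actually password-protected (Proc-Type 4,ENCRYPTED with a DEK-Info header) before it leaves the source appliance. The sample configuration and key below are constructed placeholders; the `exit` commands emitted after each entry are an assumption about leaving the CLI submodes, and the script keeps the source list and realm names, so adjust them if the destination uses different names (the article itself uses other-list and other-realm).

```python
import base64
import re

# Constructed sample modelled on the "show config" excerpts in the article.
# The hash and secret values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
!- Version: SGOS 7.3.8.2 SWG Edition
!- BEGIN authentication
security local-user-list edit "my-list" ;mode
user create "my-user"
user edit "my-user" ;mode
hashed-password "$PBKDF2$HMAC-SHA256:100000:L2oZuEDeNAvqzZlTte2gu/+ThN8="
exit
exit
security radius create-realm-encrypted my-realm "DeZzf2x9Z7JjQPuuHHQ=" my-hostname 1812
!- END authentication
"""

# Constructed sample of an exported, password-protected configuration-passwords-key.
SAMPLE_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41

U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE=
-----END RSA PRIVATE KEY-----
"""

LIST_RE = re.compile(r'^security local-user-list edit "([^"]+)"')
USER_RE = re.compile(r'^user edit "([^"]+)"')
HASH_RE = re.compile(r'^hashed-password "([^"]+)"')
REALM_RE = re.compile(r'^security radius create-realm-encrypted (\S+) "([^"]+)"')
# Shape of the hashed-password value shown in the article: $PBKDF2$HMAC-SHA256:<iterations>:<base64>
PBKDF2_RE = re.compile(r'^\$PBKDF2\$HMAC-SHA256:(\d+):([A-Za-z0-9+/]+={0,2})$')


def validate_pbkdf2(hash_str):
    """Sanity-check a copied hashed-password value before pasting it on the destination.
    Returns the iteration count; raises ValueError if the string is truncated or malformed
    (the "..." left by a partial copy fails the base64 character class)."""
    m = PBKDF2_RE.match(hash_str)
    if not m:
        raise ValueError("not a complete PBKDF2 hash string: %r" % hash_str)
    base64.b64decode(m.group(2), validate=True)  # raises binascii.Error on bad data
    return int(m.group(1))


def extract_hashed(config):
    """Return [(list_name, user, hash)] for every hashed-password line, tracking the
    enclosing local-user-list and user edit modes as the dump is read top to bottom."""
    entries, cur_list, cur_user = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := LIST_RE.match(line):
            cur_list = m.group(1)
        elif m := USER_RE.match(line):
            cur_user = m.group(1)
        elif m := HASH_RE.match(line):
            entries.append((cur_list, cur_user, m.group(1)))
    return entries


def extract_encrypted_realms(config):
    """Return [(realm, encrypted_secret)] for each create-realm-encrypted line."""
    return [(m.group(1), m.group(2))
            for raw in config.splitlines()
            if (m := REALM_RE.match(raw.strip()))]


def hashed_password_commands(config):
    """Build the Step 2 destination commands for every hashed password in the dump."""
    cmds = []
    for lst, user, h in extract_hashed(config):
        validate_pbkdf2(h)  # refuse to emit a command for a truncated hash
        cmds += [f"security local-user-list edit {lst}",
                 f"user edit {user}",
                 f"hashed-password {h}",
                 "exit", "exit"]  # assumption: leave user and list modes before the next entry
    return cmds


def encrypted_secret_commands(config):
    """Build the Step 3 destination commands for every encrypted RADIUS secret."""
    cmds = []
    for realm, secret in extract_encrypted_realms(config):
        cmds += [f"security radius edit-realm {realm}",
                 f"primary-server encrypted-secret {secret}",
                 "exit"]  # assumption: leave realm mode before the next entry
    return cmds


def pem_cipher(pem):
    """Return the DEK-Info cipher name of a password-protected PEM key, or None if the
    key block carries no encryption headers (i.e. it is stored in the clear)."""
    if "-----BEGIN RSA PRIVATE KEY-----" not in pem:
        raise ValueError("no RSA private key block found")
    if "Proc-Type: 4,ENCRYPTED" not in pem:
        return None
    m = re.search(r"^DEK-Info: ([A-Za-z0-9-]+),[0-9A-Fa-f]+$", pem, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("exported key cipher:", pem_cipher(SAMPLE_KEY))
    for cmd in hashed_password_commands(SAMPLE_CONFIG) + encrypted_secret_commands(SAMPLE_CONFIG):
        print(cmd)
```

Run the script against a saved `show config` capture instead of `SAMPLE_CONFIG` to produce the command list for Steps 2 and 3; a hash that fails `validate_pbkdf2` means the copy was cut short and should be taken again from the source appliance rather than pasted, and a `pem_cipher` result of `None` means the key export did not apply a password and should be redone before the key is transported.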