Restoring hashed or encrypted passwords in settings and policy from backed up archive manually (via CLI).



Solution

Overview

An archived configuration contains encrypted (or hashed) passwords that can only be decoded with the key stored on the ProxySG that created the archive. Transferring the configuration to a new unit therefore prevents those encrypted passwords from being imported properly; they must be changed back to clear text before the configuration can be loaded.

Resolution
Before an archive can be restored onto a proxy, modifications must be made to it. The file will contain encrypted or hashed passwords, and these must be changed to clear text passwords. If the archive is restored with the encrypted passwords, the proxy will not be able to decode them because its keys are different from those of the unit that created the archive.

Throughout the text copy of the configuration, you will see instances of "hashed-password" or "encrypted-password" followed by the password in hashed or encrypted form. The value was hashed or encrypted using the default keyring stored by the hardware of the original proxy, so to load this configuration on another proxy each of these entries must be changed. To modify them correctly, edit the line to remove the "hashed-" or "encrypted-" prefix from the keyword and replace the hashed or encrypted value with the clear text password.

Example 1: You will see entries such as this:
security hashed-enable-password "$1$HeLpin$X.q0H5s3XEiCyHmGGVwzF1"
security hashed-password "$1$rWzR$BT5c6F/RHLPK7uU9Lx27J."


If the real password is “bluecoat” then these must be changed as follows:

security enable-password "bluecoat"
security password "bluecoat"


Notice that the "hashed-" prefix has been removed and the real password has been entered.

Example 2: Content filtering download configuration. The archive contains:
content-filter ;mode
provider bluecoat enable
bluecoat ;mode
download username "CRB-APR1506"
download encrypted-password "K=WShq/gaEtubhfcfuIhhHJ3AG+/AnTHVJwQ="

If the real password is "ABCDEFG", this must be changed as follows:

content-filter ;mode
provider bluecoat enable
bluecoat ;mode
download username "CRB-APR1506"
download password "ABCDEFG"


Notice that the "encrypted-" prefix has been removed and the real password has been entered.

Note: There are several other places where you can see hashed-password or encrypted-password.  You will need to manually search for every instance of “encrypted-password” and “hashed-password” in order to find them.  After you have found them all, you will need to look at the commands above it to determine exactly what the password references.  Examples of these are GUI password, enable password, password to ftp server for upload of the access logs, LDAP search user password, SNMP write-community strings, etc.

Once the "encrypted" or "hashed" passwords have been identified and the config file saved with the clear text passwords, please follow the instructions in KB article ID 000010141 6 to restore the configuration.
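The search-and-edit step above is easy to get wrong by hand when an archive has many password entries, so here is an added helper (not part of this article or of SGOS) that does the two things the procedure calls for: list every hashed-password / encrypted-password line together with the most recent ";mode" line above it, and then rewrite each listed line to its clear text form once the administrator supplies the real passwords. The SAMPLE_CONFIG text is constructed for the example from the two patterns shown above; the line-number keyed mapping, the function names and the ";mode" heuristic are this example's own assumptions, not SGOS behaviour.

```python
import re
from typing import Dict, List

# Constructed sample of a ProxySG text configuration (not a real archive);
# it repeats the two patterns shown in the article.
SAMPLE_CONFIG = """\
security hashed-enable-password "$1$HeLpin$X.q0H5s3XEiCyHmGGVwzF1"
security hashed-password "$1$rWzR$BT5c6F/RHLPK7uU9Lx27J."
content-filter ;mode
provider bluecoat enable
bluecoat ;mode
download username "CRB-APR1506"
download encrypted-password "K=WShq/gaEtubhfcfuIhhHJ3AG+/AnTHVJwQ="
"""

# Matches the keyword ("hashed-password", "encrypted-password",
# "hashed-enable-password", ...) and the quoted value that follows it.
PASSWORD_RE = re.compile(r'\b(hashed|encrypted)-([A-Za-z-]*password)\s+"([^"]*)"')


def find_password_entries(config_text: str) -> List[dict]:
    """Return one record per hashed/encrypted password line.

    Each record carries the 1-based line number, the keyword as written in
    the archive, the stored value, and the most recent ';mode' line seen
    before it (an assumed heuristic that tells the admin which command the
    password belongs to, e.g. content-filter vs. security).
    """
    entries = []
    current_mode = "(top level)"
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.endswith(";mode"):
            current_mode = stripped
            continue
        match = PASSWORD_RE.search(line)
        if match:
            entries.append({
                "line": number,
                "mode": current_mode,
                "keyword": f"{match.group(1)}-{match.group(2)}",
                "value": match.group(3),
            })
    return entries


def rewrite_password_entries(config_text: str, clear_text_by_line: Dict[int, str]) -> str:
    """Rewrite every found entry to its clear text form.

    'hashed-enable-password "<hash>"' becomes 'enable-password "<clear>"',
    'encrypted-password "<blob>"' becomes 'password "<clear>"', and so on.
    A missing mapping raises, so an overlooked password cannot slip through
    into the restored configuration.
    """
    missing = [e["line"] for e in find_password_entries(config_text)
               if e["line"] not in clear_text_by_line]
    if missing:
        raise ValueError(f"no clear text password supplied for lines {missing}")
    out_lines = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if number in clear_text_by_line:
            clear = clear_text_by_line[number]
            if '"' in clear:
                # Quoting rules for embedded quotes are not covered here.
                raise ValueError(f"line {number}: quote characters in password are not handled")
            line = PASSWORD_RE.sub(lambda m: f'{m.group(2)} "{clear}"', line, count=1)
        out_lines.append(line)
    return "\n".join(out_lines) + "\n"


if __name__ == "__main__":
    for entry in find_password_entries(SAMPLE_CONFIG):
        print(f'line {entry["line"]:>3}  {entry["mode"]:<22} {entry["keyword"]}')
    # The real passwords come from the administrator; these are placeholders.
    print(rewrite_password_entries(SAMPLE_CONFIG, {1: "bluecoat", 2: "bluecoat", 7: "ABCDEFG"}))
```

Run the first function on the archive, confirm that every reported line has been understood (the ";mode" hint and the commands above each line say which password it is), then feed the mapping to the second function. The rewritten file now holds every credential in clear text, so keep it on the admin workstation only for as long as the restore takes and remove it afterwards.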

InQuira Doc Id      FAQ557
First Published      10/01/2014
Last Modified      03/24/2015
Last Published      03/24/2015
Article Audience
Product      ProxySG
Software      SGOS 4, SGOS 5
Topic      Configuration / WUI / CLI, Installation / Configuration, Upgrade / Maintenance
Article Number      000013273