Preserving encrypted passwords during configuration archive and restore

Solutions ID:    KB2880
Version:    4.0
Status:    Published
Published date:    05/07/2009
Updated:    01/19/2012
 

Problem Description

Preserving encrypted passwords during configuration archive and restore
 

Resolution

The "configuration-passwords-key" keyring is used to encrypt all of the various passwords stored on the ProxySG.  For example:

Encrypted passwords:

  1. Administrator console passwords (not needed for shared configurations)
  2. Privileged-mode (enable) passwords (not needed for shared configurations)
  3. The front-panel PIN (recommended for limiting physical access to the system)
  4. Failover group secret
  5. Access log FTP client passwords (primary, alternate)
  6. Archive configuration FTP password
  7. RADIUS primary and alternate secret
  8. LDAP search password
  9. SmartFilter download password
  10. Websense3 download password
  11. SNMP read, write, and trap community strings
  12. RADIUS and TACACS+ secrets for splash pages

A ProxySG's archived configuration contains these passwords, each of which has been encrypted with the configuration-passwords-key.  Upon restoring an archive, the ProxySG attempts to decrypt these passwords using its current configuration-passwords-key.  If that key is not the original one, decryption will fail (see ftp-client example below).

There are several remedies to this problem.  The passwords can be reset manually, one by one, via the Management Console.  It is also possible to edit the configuration file and replace the encrypted passwords with their "clear text" versions, which will then be encrypted with the new configuration-passwords-key as the archived configuration is imported.  However, both of these steps can be avoided by simply backing up the original key and restoring it to the new (or newly restored) ProxySG before restoring the configuration file.  All previously configured passwords then remain valid after the restore is complete, without any further manual intervention.

This is especially helpful when reinitializing a single-disk system, or whenever any system is restored to factory defaults, as this always results in the creation of a new configuration-passwords-key, thereby rendering the previously configured passwords invalid.

Below are instructions on how to back up and restore the "configuration-passwords-key".

I.  Backing up the original key:

The following steps are performed from the command line interface, over the serial console or an SSH session:

  1. Go into the command line interface, either through SSH, serial console, or telnet.
  2. Enter enable mode (enable) and go to the configuration terminal (config t).
  3. ssl
  4. view keyring
    1. A listing of keyrings is displayed
  5. view keypair des3 configuration-passwords-key
    1. You are prompted for an encryption password.  Write this password down; it is the passphrase protecting the exported key and will be required later to restore it.
  6. Copy and paste the private key to a text file

Here is the console output while performing these steps on a ProxySG:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)ssl
ProxySG#(config ssl)view keyring

Keyring ID:               configuration-passwords-key
Private key showability:  show
Signing request:          absent
Certificate:              absent


ProxySG#(config ssl)view keypair des3 configuration-passwords-key
  Encryption password: ******
  Confirm encryption password: ******
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F7764081EA599B91
(base64-encoded key data omitted)
-----END RSA PRIVATE KEY-----
ProxySG#(config ssl)

Below is the portion of the key that MUST be copied and pasted to a text file (including the BEGIN and END RSA PRIVATE KEY lines):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F7764081EA599B91
(base64-encoded key data omitted)
-----END RSA PRIVATE KEY-----
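As an added example (not from this article or from Blue Coat), the following Python check pulls only the BEGIN/END block out of a pasted console capture and verifies that it carries the encrypted-PEM headers shown above, so a bad backup is caught before it is needed for a restore. The sample capture is constructed (the prompt lines and IV follow the output above, the key body is 48 dummy zero bytes, not a real key), and it assumes the export keeps the legacy OpenSSL layout with a blank line after the DEK-Info header.

```python
import base64
import re
BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"

# Constructed console capture (not a real key): prompt lines as in the
# procedure, IV from the article, and 48 dummy zero bytes as "ciphertext".
SAMPLE_CONSOLE = (
    "ProxySG#(config ssl)view keypair des3 configuration-passwords-key\n"
    "  Encryption password: ******\n"
    f"{BEGIN}\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,F7764081EA599B91\n\n"
    + base64.b64encode(b"\x00" * 48).decode() + f"\n{END}\nProxySG#(config ssl)\n"
)

def extract_pem_block(capture):  # keep only the BEGIN..END lines of the paste
    lines = [ln.rstrip() for ln in capture.splitlines()]
    if BEGIN not in lines or END not in lines or lines.index(END) < lines.index(BEGIN):
        raise ValueError("no complete RSA PRIVATE KEY block in capture")
    return "\n".join(lines[lines.index(BEGIN):lines.index(END) + 1]) + "\n"

def check_encrypted_pem(pem):  # validate the legacy OpenSSL encrypted-PEM layout
    lines = pem.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("block is not delimited by the RSA PRIVATE KEY lines")
    headers, body = {}, []
    for ln in lines[1:-1]:
        if ":" in ln and not body:          # header lines precede the body
            key, val = ln.split(":", 1)
            headers[key.strip()] = val.strip()
        elif ln.strip():                    # skip the blank separator line
            body.append(ln.strip())
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        raise ValueError("key is not passphrase-protected; export it again")
    m = re.fullmatch(r"DES-EDE3-CBC,([0-9A-Fa-f]{16})", headers.get("DEK-Info", ""))
    if not m:
        raise ValueError("DEK-Info is not DES-EDE3-CBC with an 8-byte IV")
    try:
        raw = base64.b64decode("".join(body), validate=True)
    except ValueError:
        raise ValueError("key body is not valid base64; check the paste") from None
    if not raw or len(raw) % 8:             # 3DES-CBC ciphertext is whole blocks
        raise ValueError("ciphertext is not a whole number of DES blocks")
    return {"iv": m.group(1).upper(), "ciphertext_len": len(raw)}

def backup_is_usable(capture):  # True when the paste holds a well-formed encrypted key
    try:
        check_encrypted_pem(extract_pem_block(capture))
        return True
    except ValueError:
        return False
```

Run it against the text file you saved in step 6; a False result means the paste is incomplete or the key was exported without an encryption password.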

II.  Restoring the original key to the new (or newly restored) ProxySG:

  1. Launch the Management Console
  2. Go to the Configuration tab > SSL > Keyrings
  3. configuration-passwords-key  (NOTE:  For SGOS 4.x, the name of this keyring contains a dash "-".  If this key exists and is deleted, SGOS 4.x cannot recreate the name because of the dash "-" symbol in the name.)
    1. Delete the existing key.  Then save your changes by clicking the "Apply" button.
    2. Create a new configuration-passwords-key using the exported key.
      1. Keyring Name:  configuration-passwords-key   NOTE:  In the 4.x code branch, it is not possible to create a new keyring that contains a dash "-" in keyring name.
      2. Select "Show keypair"
      3. Leave the default key length of 1024 bits
      4. Click "Import Keyring"
      5. Paste the configuration-passwords-key that was saved during the backup process.  This is the data between the BEGIN and END RSA PRIVATE KEY.
      6. Enter the password used to encrypt the key in step 5a of the backup procedure.
      7. Click "OK"
      8. Click "Apply".
  4. The configuration-passwords-key is now successfully imported. 
