Password Handling and Encryption When Adding Users through Cisco Catalyst SD-WAN Manager APIs
Password Encryption Mechanism
When adding a user through the API, you must provide passwords in clear text within the API request payload. Password encryption from clear text to Type 9 is performed only within the browser using JavaScript and is not available through the API. Cisco SD-WAN Manager encrypts the password before pushing the configuration to the routers.
Recommended Practices for Password Management
Secure Storage
It is recommended to store passwords in a local YAML file with restricted file access, or to generate passwords on demand. This helps prevent hardcoding sensitive credentials in scripts while allowing secure transmission of passwords in API calls.
Configuration Groups and Device-Specific Variables
When using Configuration Groups, you can define username and password as device-specific variables. These values can be provided through the user interface at the time of configuration group deployment.
Note: Feature templates do not support defining username and password as device-specific variables.
Securely Managing User Credentials
- Store user credentials in a secure YAML file (for example, credentials.yaml) and reference them in your automation scripts when adding a user through the API.
- Alternatively, prompt for credentials at runtime and pass them dynamically in your API requests.
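The following sketch is an added example, not Cisco code: it reads a password from credentials.yaml only when the file's mode excludes group and others, and otherwise generates one on demand. The function names, the flat `username: password` file layout, the symbol set and the minimum length are assumptions made for illustration; the returned clear-text value is what your script would place in the API request payload.

```python
import os
import secrets
import stat
import string


def load_credentials(path):
    """Return {username: password} from a flat `username: password` file.

    Refuses files that group or others can access (POSIX mode bits).
    The flat parser keeps this example dependency-free; for full YAML,
    use yaml.safe_load from PyYAML instead.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {stat.S_IMODE(mode):o} is too open, use 600")
    creds = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            user, sep, secret = line.partition(":")
            if not sep:
                # Do not echo the offending line: it may contain a secret.
                raise ValueError("expected 'username: password' on every line")
            creds[user.strip()] = secret.strip().strip("'\"")
    return creds


def generate_password(length=24):
    """Generate a password on demand with the OS CSPRNG.

    Symbol set and minimum length are assumptions; match your own policy.
    """
    if length < 12:
        raise ValueError("length must be at least 12")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#%^*-_+="]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def resolve_password(username, path="credentials.yaml"):
    """Prefer the stored value, else generate one. Returns (password, source)."""
    if os.path.exists(path):
        stored = load_credentials(path).get(username)
        if stored:
            return stored, "file"
    return generate_password(), "generated"
```

Log only the `source` value, never the password itself.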
Important Considerations
- Avoid storing passwords in plain text within scripts.
- Restrict access to files containing sensitive information.
- Prioritize on-demand generation or secure storage of credentials for improved security.