Sorry, sharathbabu yeramalla ,
The above is the common way, but not the only way.
Stephen_Hughes in previous comment shows another way that can be done on gateway site.
Here are the steps,
1. add AMF policy
2. build the AMF policy , only one assertion in the policy (the regex is as per your request, if your request has different format, we may need to change accordingly to replace the password value to *****)
3. a simple test api
4. test result in audit event viewer, -- both request and response are masked
That could be easier than doing it on client side.
But keep in mind that, if you don't do it on client side, you would have chance to leak the password during data transfer. (although you require ssl connection in your policy, it still has a chance that the client sends the request with http, on service side you can reject it but cannot stop it to do so.)
Regards,
Mark