[ClusterLabs] Encrypted passwords for Resource Agent Scripts

Ken Gaillot kgaillot at redhat.com
Fri Sep 21 16:32:09 EDT 2018

On Fri, 2018-09-21 at 19:01 +0530, Dileep V Nair wrote:
> Hi,
> I have written heartbeat resource agent scripts for Oracle and
> Sybase. Both the scripts take user passwords as parameters. Is there
> a way to do some encryption for the passwords so that the plain text
> passwords are not visible from the primitive also. 

One option is to put the password in a (plaintext) file and take the
file name as a resource parameter.

There's also a (sadly undocumented) optional feature in pacemaker
called CIB secrets. If pacemaker is built with
./configure --with-cibsecrets, you can put files under
/var/lib/pacemaker/lrm/secrets/<RESOURCE-NAME>/ with the secrets, and
they will be loaded from there rather than the CIB. I'm not familiar
enough to give any more detail than that. I believe they're enabled in
the SUSE packages, so maybe SUSE has some documentation.

The topic has been discussed in the past without a better solution
being apparent. It would theoretically be possible to require a
human-entered password at boot for some sort of password manager daemon to
decrypt an encrypted file with sensitive parameters, and have the RA
query the daemon for the password as needed. However the daemon becomes
a single point of failure (though it could perhaps be managed by the
cluster), and the daemon needs to allow root (i.e. the RA) to get any
password at will (otherwise, requiring the RA to authenticate itself to
the daemon would just reintroduce the problem).

> Thanks & Regards
> Dileep Nair
> Squad Lead - SAP Base 
> IBM Services for Managed Applications
> +91 98450 22258 Mobile
> dilenair at in.ibm.com
> IBM Services
Ken Gaillot <kgaillot at redhat.com>
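The first option above (keep the password in a root-only file and pass the file name as the resource parameter) is only as good as the checks the agent makes before trusting that file. The following is an added example, not code from this thread or from ClusterLabs, showing how a resource agent could validate and read such a file. The parameter name `password_file`, the hardcoded OCF return codes (normally supplied by ocf-shellfuncs) and the demo file contents are assumptions.

```shell
#!/bin/bash
# Added example (not from the original thread or from ClusterLabs):
# the "password in a root-only file, file name as resource parameter" pattern
# as a resource agent would implement it. The parameter name `password_file`
# and the demo contents are assumptions. OCF codes are normally provided by
# ocf-shellfuncs; they are hardcoded so this runs stand-alone.
OCF_SUCCESS=0
OCF_ERR_PERM=4
OCF_ERR_CONFIGURED=6

# validate_password_file FILE
#   Checks that FILE is safe to trust as a credential file: it is set, is a
#   regular file (not a symlink that could be repointed), is owned by the
#   user running the agent (root under pacemaker), has no group/other
#   permission bits, and is non-empty. Returns an OCF exit code.
#   In the agent: validate_password_file "$OCF_RESKEY_password_file"
#   from validate-all, before start/monitor touch the database.
validate_password_file() {
    f=$1
    if [ -z "$f" ]; then
        echo "password_file parameter not set" >&2
        return $OCF_ERR_CONFIGURED
    fi
    if [ -L "$f" ]; then
        echo "$f is a symlink; refusing" >&2
        return $OCF_ERR_PERM
    fi
    if [ ! -f "$f" ]; then
        echo "$f missing or not a regular file" >&2
        return $OCF_ERR_CONFIGURED
    fi
    if [ ! -O "$f" ]; then
        echo "$f not owned by $(id -un)" >&2
        return $OCF_ERR_PERM
    fi
    # Columns 5-10 of `ls -ld` are the group and other permission bits;
    # anything but "------" means another account can read the password.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f is group/world accessible (mode bits $perms); use 0600" >&2
        return $OCF_ERR_PERM
    fi
    pw=
    IFS= read -r pw < "$f" || true   # read fails at EOF with no newline; pw is still set
    if [ -z "$pw" ]; then
        echo "$f is empty" >&2
        return $OCF_ERR_CONFIGURED
    fi
    return $OCF_SUCCESS
}

# read_password_file FILE
#   Validates FILE and prints its first line (the password) on stdout,
#   or returns the OCF error code from validation.
read_password_file() {
    validate_password_file "$1" || return $?
    IFS= read -r pw < "$1" || true
    printf '%s' "$pw"
}

# --- Demo with constructed files standing in for the Oracle/Sybase ones ---
demo_dir=$(mktemp -d)
printf 'oracle-demo-password\n' > "$demo_dir/oracle.pw"
chmod 600 "$demo_dir/oracle.pw"
printf 'sybase-demo-password\n' > "$demo_dir/sybase.pw"
chmod 644 "$demo_dir/sybase.pw"     # deliberately too open

for f in "$demo_dir/oracle.pw" "$demo_dir/sybase.pw"; do
    rc=0
    pw=$(read_password_file "$f") || rc=$?
    if [ "$rc" -eq "$OCF_SUCCESS" ]; then
        # Hand the password to the client on stdin or via the environment,
        # never as a command-line argument, where `ps` shows it to every user.
        # e.g. printf 'connect %s/%s\n' "$user" "$pw" | sqlplus -S /nolog
        echo "$f: ok (${#pw} chars read)"
    else
        echo "$f: rejected with OCF code $rc"
    fi
done
rm -rf "$demo_dir"
```

This keeps the password out of the CIB, and so out of `cibadmin --query`, `crm configure show` and cluster reports, but it does not hide it from root: as the reply notes, the agent runs as root and must be able to obtain the password at will, so root on any node can read the file. The file also has to be present, with the same mode and owner, on every node that may run the resource, or validate-all will fail there.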
