Using crm secret to obfuscate passwords and other resource attributes

This document (7018546) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise High Availability Extension 11 Service Pack 4
SUSE Linux Enterprise High Availability Extension 11 Service Pack 3
SUSE Linux Enterprise High Availability Extension 12
SUSE Linux Enterprise High Availability Extension 12 SP1
SUSE Linux Enterprise High Availability Extension 12 SP2
SUSE Linux Enterprise High Availability Extension 12 SP3
SUSE Linux Enterprise High Availability Extension 12 SP4
SUSE Linux Enterprise High Availability Extension 15


Situation

Passwords are stored in the cluster information base (CIB) in clear text, so they are displayed whenever the cluster configuration is viewed (for example with crm configure show) and are included in cluster reports.

Resolution

crm secret can be used to move passwords and other sensitive attribute data out of the CIB and into separate local files on each cluster node.

secret

Sensitive parameters can be kept in local files rather than in the CIB in order to prevent accidental data exposure. Use the secret command to manage such parameters. stash and unstash move the value from the CIB into the local file and back into the CIB, respectively. The set subcommand sets the parameter to the provided value. delete removes the parameter completely. show displays the value of the parameter from the local file. Use check to verify that the local file content is valid.

Usage:

secret <rsc> set <param> <value>
secret <rsc> stash <param>
secret <rsc> unstash <param>
secret <rsc> delete <param>
secret <rsc> show <param>
secret <rsc> check <param>

Example:

secret fence_1 show password
secret fence_1 stash password
secret fence_1 set password secret_value



Before using secret, run the show command first to get an overview of all your resources and of which parameters currently hold sensitive values:

crm configure show
primitive mydb ocf:heartbeat:mysql \
   params replication_user=admin ...

If you want to set a password for the above mydb resource, use the following commands:

crm resource secret mydb set passwd linux
INFO: syncing /var/lib/heartbeat/lrm/secrets/mydb/passwd to [your node list]

You can get the saved password back with:

crm resource secret mydb show passwd
linux

Note that the parameters need to be synchronized between nodes; the crm resource secret command takes care of that. We highly recommend using only this command to manage secret parameters, so that the local files and the CIB placeholders stay consistent on every node.


Example:
------------------------------------------------------------

# crm configure
crm(live)configure# show

primitive orcl_db oracle \
    meta is-managed=true \
    operations $id=orcl_db-operations \
    op monitor interval=120 timeout=30 \
    op start interval=0 start-delay=30 timeout=120 \
    params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2" monpassword=Chrispass2


Note: you MUST set up SSH keys between all cluster nodes first, since crm resource secret copies the secret files to the other nodes over SSH. The value is written below with set; stash would instead have moved the existing clear-text value out of the CIB into the local file without retyping it.

# crm resource secret orcl_db set monpassword Chrispass2
INFO: syncing /var/lib/heartbeat/lrm/secrets/orcl_db/monpassword to hanode2 ...

# crm resource secret orcl_db show monpassword
Chrispass2



# crm configure
crm(live)configure# show

primitive orcl_db oracle \
    meta is-managed=true \
    operations $id=orcl_db-operations \
    op monitor interval=120 timeout=30 \
    op start interval=0 start-delay=30 timeout=120 \
    params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2" monpassword="lrm://"

The CIB now holds only the placeholder lrm://; the actual value lives in the secrets directory on each node, as root-only files:

hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # ls -l
total 8
-rw------- 1 root root 11 Jan 29 06:07 monpassword
-rw------- 1 root root 33 Jan 29 06:07 monpassword.sign

hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword
Chrispass2

hanode1:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword.sign
023e4811957e0d78e1f758cc6c9d421f


hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # ls -l
total 8
-rw------- 1 root root 11 Jan 29 06:07 monpassword
-rw------- 1 root root 33 Jan 29 06:07 monpassword.sign

hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword
Chrispass2

hanode2:/var/lib/heartbeat/lrm/secrets/orcl_db # cat monpassword.sign
023e4811957e0d78e1f758cc6c9d421f

Both nodes hold an identical copy. The value itself is still stored in clear text, readable by root (mode 0600); the gain is that the password no longer appears in the CIB, in crm configure show output or in cluster reports. It is not protection against a root user on a cluster node. The .sign file holds an MD5 checksum of the secret, which crm resource secret orcl_db check monpassword compares against the secret file.

# crm resource secret orcl_db delete monpassword
INFO: syncing /var/lib/heartbeat/lrm/secrets/orcl_db/monpassword to hanode2 ...
Deleted orcl_db option: id=orcl_db-instance_attributes-monpassword name=monpassword

delete removes both the local secret file (the sync message above) and the CIB attribute, so crm configure show now lists orcl_db without the monpassword parameter:

primitive orcl_db oracle \
    meta is-managed=true \
    operations $id=orcl_db-operations \
    op monitor interval=120 timeout=30 \
    op start interval=0 start-delay=30 timeout=120 \
    params sid=orcl home="/opt/oracle/product/12cR1/db" monprofile="C##monprof2" monuser="C##monitor2"
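A practitioner will want to confirm, on every node, that nothing credential-like is still sitting in the CIB in clear text and that every lrm:// placeholder is backed by a root-only local file. The following script is an added example for this document (it is not part of crmsh, Pacemaker or the TID): it reads a saved crm configure show dump, picks out parameters whose names contain pass, secret or token (the name pattern is the example's own assumption), and reports each one as CLEAR, MISSING, PERMS or OK. It needs GNU stat, takes the secrets directory as an argument so it can run against a constructed tree, and the sample CIB dump and secret files it builds are constructed for the example (resource names other than orcl_db, mydb and fence_1 do not come from this document).

```shell
#!/bin/sh
# cib_secret_audit.sh - added example for this TID; not part of crmsh or Pacemaker.
# Reads a saved `crm configure show` dump and, for every resource parameter whose
# name looks like a credential (pass/secret/token), prints "STATUS resource param":
#   CLEAR    value still in the CIB in clear text -> crm resource secret <rsc> stash <param>
#   MISSING  CIB holds the lrm:// placeholder but this node has no local secret file
#   PERMS    local secret file exists but is not mode 0600 (the TID shows -rw------- root)
#   OK       placeholder in the CIB and a mode-0600 local file on this node
# Needs GNU stat (Linux). The secrets directory is an argument so the check can be
# run against a constructed tree; the default is the path shown in this document.

# audit_cib CIB_DUMP [SECRETS_DIR] -> exit status 1 if any credential parameter is not OK
audit_cib() {
    awk -v dir="${2:-/var/lib/heartbeat/lrm/secrets}" '
    # join backslash-continued lines into one logical line per resource
    /\\[ \t]*$/ { sub(/[ \t]*\\[ \t]*$/, " "); buf = buf $0; next }
    { line = buf $0; buf = "" }
    line ~ /^primitive / {
        split(line, f, " "); rsc = f[2]
        if (!match(line, / params /)) next
        p = substr(line, RSTART + RLENGTH)
        sub(/ (op|meta|operations|utilization) .*/, "", p)   # keep only the params section
        while (match(p, /[A-Za-z0-9_.-]+=("[^"]*"|[^ ]*)/)) {
            kv = substr(p, RSTART, RLENGTH); p = substr(p, RSTART + RLENGTH)
            eq = index(kv, "="); k = substr(kv, 1, eq - 1); v = substr(kv, eq + 1)
            gsub(/"/, "", v)
            if (tolower(k) !~ /pass|secret|token/) continue
            if (v != "lrm://") { print "CLEAR", rsc, k; bad = 1; continue }
            cmd = "stat -c %a \"" dir "/" rsc "/" k "\" 2>/dev/null"
            mode = ""; cmd | getline mode; close(cmd)
            if (mode == "")         { print "MISSING", rsc, k; bad = 1 }
            else if (mode != "600") { print "PERMS", rsc, k; bad = 1 }
            else                      print "OK", rsc, k
        }
    }
    END { exit bad + 0 }' "$1"
}

# make_demo -> prints a temp dir holding a constructed CIB dump and a fake secrets tree.
# All of this sample data is constructed for the example, not taken from a real cluster.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/secrets/orcl_db" "$d/secrets/fence_1"
    cat > "$d/cib.txt" <<'EOF'
primitive orcl_db oracle \
    meta is-managed=true \
    op monitor interval=120 timeout=30 \
    params sid=orcl home="/opt/oracle/product/12cR1/db" monuser="C##monitor2" monpassword="lrm://"
primitive mydb ocf:heartbeat:mysql \
    params replication_user=admin replication_passwd=linux
primitive fence_1 stonith:external/ipmi \
    params hostname=hanode2 userid=admin password="lrm://"
primitive web_db ocf:heartbeat:pgsql \
    params pgdba=postgres monitor_password="lrm://"
EOF
    printf 'Chrispass2\n' > "$d/secrets/orcl_db/monpassword"; chmod 600 "$d/secrets/orcl_db/monpassword"
    printf 'ipmipass\n'   > "$d/secrets/fence_1/password";    chmod 644 "$d/secrets/fence_1/password"
    # mydb: clear-text value left in the CIB (CLEAR); web_db: no local file at all (MISSING)
    echo "$d"
}

# Stand-alone run on the constructed data; each of the four statuses appears once
demo=$(make_demo)
audit_cib "$demo/cib.txt" "$demo/secrets" || echo "audit: at least one parameter needs attention"
rm -rf "$demo"
```

Because MISSING and PERMS describe the local node only, run the audit on every cluster node against the same dump (crm configure show > /tmp/cib.txt). The script does not validate the .sign checksum; use crm resource secret <rsc> check <param> for that.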




Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018546
  • Creation Date: 30-Jan-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise High Availability Extension
