Oracle Solaris Cluster Data Services Developer's Guide, Oracle Solaris Cluster 4.1
Storing Application Passwords in Private Strings

Oracle Solaris Cluster provides the clpstring command to enable you to securely store and retrieve private character strings in the cluster file system. These private strings can be used for any purpose, but would typically be used to store a password. For example, a data service agent might retrieve the private string to log in as a privileged user to perform an orderly shutdown of the managed application running in the cluster. The private string capability might also be useful for other aspects of the cluster framework, such as interacting with an external storage device.

You create the private string by using the clpstring command to assign a unique name to reference the string. The value of the string can be specified in several different ways at the time of creation, and changed at a later time if necessary. The private string is encoded and stored in a protected location that is readable only by root. You can use the clpstring command to list the names and other information about private strings that have been created, but the encoded value can only be obtained by using the scha_cluster_get(1HA) command.

Use the clpstring command for the following administrative tasks:

You must have solaris.cluster.modify role-based access control (RBAC) authorization to use the clpstring command to create, update, or delete private strings. You must have solaris.cluster.read authorization to show or list information about private strings.

Typical usage of private strings might be similar to the following:

  1. On one of the cluster nodes, create the private string name with the clpstring create command.

    For example, in the following command you are prompted to enter the value of a string you have named pw_string. The -b option indicates that a resource instance named resource1 is going to use this private string. The -t option indicates that the instance's type is resource, which is the default. The -v option provides verbose output.

    # clpstring create -b resource1 -t resource -v pw_string
    Enter string value: 
    Enter string value again: 
    Private string "pw_string" is created for the global cluster.

    When you enter the private string value in this way, the characters are not echoed to the screen for increased security.

    You can also provide the value of the string by creating a plain text file containing the value and specifying the path to the file by using the -f option with the create subcommand.

  2. The data service agent runs a script to retrieve the private string value using the scha_cluster_get command.

    The following is a simple example to show how to retrieve a private string for an application:

    # 'myapp' is an application program that requires a password, which it
    # reads from standard input.  The cluster administrator has been
    # instructed to create a private string 'pw_string' containing the password.
    # We use scha_cluster_get to retrieve the password and pipe it into the
    # 'myapp' program. The program's output is captured in a file.
    
    scha_cluster_get -O pstring pw_string | myapp > myapp_output_file
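The two steps above, combined into one wrapper that a data service agent script could use to start the application with the stored password. This is an added example, not part of the Oracle Solaris Cluster documentation; it assumes only the scha_cluster_get -O pstring interface shown in step 2, and the names run_with_password, retrieve_pstring, the SCHA_CLUSTER_GET override variable, and the myapp and pw_string placeholders are the example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris Cluster guide): a wrapper a data
# service agent could use to start 'myapp' with the password stored in the
# private string 'pw_string'. It assumes only the scha_cluster_get -O pstring
# interface shown on the page; 'myapp', 'pw_string', 'run_with_password',
# 'retrieve_pstring' and the SCHA_CLUSTER_GET override are example names.

# retrieve_pstring NAME
#   Print the value of private string NAME on stdout. Returns non-zero if the
#   string cannot be retrieved, e.g. because it does not exist or the caller
#   lacks the required RBAC authorization. SCHA_CLUSTER_GET lets a test
#   substitute a stand-in for the real command outside a cluster.
retrieve_pstring() {
    ${SCHA_CLUSTER_GET:-scha_cluster_get} -O pstring "$1"
}

# run_with_password NAME OUTFILE CMD [ARGS...]
#   Feed the private string NAME to CMD on standard input and capture CMD's
#   output in OUTFILE. Exit status 2 means the password could not be obtained
#   and CMD was never started; otherwise the status is CMD's own.
run_with_password() {
    pstring_name=$1
    outfile=$2
    shift 2

    # Retrieve first, into a shell variable: a plain pipeline would start CMD
    # with an empty stdin if scha_cluster_get failed, and the failure would be
    # hidden behind CMD's own exit status.
    secret=$(retrieve_pstring "$pstring_name") || return 2
    [ -n "$secret" ] || return 2

    # printf is a shell builtin, so the secret is never an argument of a
    # separate process (visible via ps or /proc). The subshell's umask keeps
    # OUTFILE private in case the application echoes anything sensitive.
    (
        umask 077
        printf '%s\n' "$secret" | "$@" > "$outfile"
    )
}

# Typical agent usage (needs a cluster node and the pw_string created in step 1):
#   run_with_password pw_string /var/tmp/myapp_output_file myapp
```

Compared with the one-line pipeline above, this wrapper refuses to start the application when the retrieval fails or returns an empty value, keeps the secret out of every process argument list, and creates the output file with a restrictive umask. The application must still read the password from standard input, as myapp does; the value does pass through the agent shell's memory, which is unavoidable with this interface.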

Note - If you want to change the name of a private string, you must delete the string with the clpstring command, and then create a new private string.


For more information about the clpstring command, see the clpstring(1CL) man page.