Are there fence-agents that support passwordless authentication?

Solution Unverified - Updated 22 Apr 2025

---

Environment

• Red Hat Enterprise Linux Server 7, 8, 9 (with the High Availability Add On)

Issue

• Are there fence-agents that support passwordless authentication?

Resolution

Currently there is no way to configure passwordless authentication for fence_ilo*, fence_ipmilan, or fence_ipmilan based fence-agents. This is not exhaustive list.

Passwordless based power based fence-agents

These power based fence-agents have passwordless authentication.

• fence_azure_arm: uses Application ID and Authentication key, combined with Resource Group, Tenant ID and Subscription ID.
• fence_aliyun: uses Access Key and Secret Key, or Ram Role.
• fence_aws: uses Access Key and Secret Key, or node assigned role.
• fence_ibm_powervs: uses Token and CRN.
• fence_ibm_vpc: uses API Key.
• fence_virt/fence_xvm: uses Key generated on host node.

Passwordless non-power based fence-agents

These fence-agents usually do not require any authentication.

• fence_scsi
• fence_mpath
• fence_sbd
• fence_kdump

The fence-agents that are pending support or we are exploring passwordless authentication

• fence_ipmilan and fence_ipmilan based fence-agents: This content is not included.RHEL-16445
• fence_vmware_soap and fence_vmware_rest: This content is not included.RHEL-7653

---

Red Hat Enterprise Linux 8

• This issue was tracked with the issue This content is not included.RHEL-7653 (Support for non-password fencing authentication for HP ILO and VMware) for RHEL 8. There is no way to configure passwordless authentication for fence_ilo*, fence_vmware_soap or fence_vmware_rest. In regards to fence_vmware_soap or fence_vmware_rest, attempts to use a token or certificates with VMware is unable to authenticate with the APIs (The API key still requires username/password).

Red Hat Enterprise Linux 9

• This RFE was explored in RHEL 8 and there currently is no way to do passwordless authentication with the fence-agents that were requested (fence_ilo*, fence_vmware_soap, or fence_vmware_rest).
• This issue is being tracked with the issue This content is not included.RHEL-16445 (ipmitool: add support for certificate-based authentication) for RHEL 9 (for fence_ipmilan based fence-agents).

Related Articles

• Support Policies for RHEL High Availability Clusters - General Requirements for Fencing/STONITH
• Is there a way to store secrets in pacemaker?
• How do I hide the fence device password specified in the cluster configuration? This was the older method to not include passwords in pacemaker cib. The recommended method is to use pacemaker cib secrets.

SBR

• Clusterha

Product(s)

• Red Hat Enterprise Linux

Components

• cluster

Category

• Supportability

Tags

• cluster ha high availability
• fence_agent
• fencing
• pacemaker

---

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.