Introduction

JS7 - Encryption and Decryption integrates with Password Secret Manager products in a number of ways. The basic requirements are that:

  • The Password Secret Manager is the sole source of truth for the secret. Secrets can be updated or rotated at any point in time.
  • The Password Secret Manager stores secrets in encrypted form to JS7 - Job Resources, so that JS7 itself holds only ciphertext.
  • Jobs read the encrypted secrets from Job Resources and decrypt them on the fly using the Agent's Private Key.

Integration

Use with Job Resources

Encrypting Secrets to Job Resources


digraph structs {
    compound=true;
    rankdir=LR;

    Vault [label="   Vault   ",style="filled",fillcolor="limegreen",fontname="Arial",fontsize="12pt"]
    PasswordManagerSecretManager [label="   PasswordSecret   \n   Manager   \n   Client   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen",fontname="Arial",fontsize="12pt"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    Certificate [shape="ellipse",label="   Certificate /   \n   Public Key   ",style="filled",fillcolor="orange",fontname="Arial",fontsize="12pt"]
    Job_Resource [label="   Job   \n   Resource   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
 
    UseVault [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"] 
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_set_job_resource.sh\nSet-JS7JobResource",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    StoreJobResource [shape="rectangle",label="Store",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]

    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        PasswordManagerSecretManager -> UseCertificate;
        PasswordManagerSecretManager -> UseVault;
        UseVault -> Vault -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];

        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> StoreJobResource [label="",fontname="Arial",fontsize="10pt"];
        StoreJobResource -> Job_Resource [label="",fontname="Arial",fontsize="10pt"];
      }
}

Explanation:

  • The Password Secret Manager encrypts a secret using the target Agent's Certificate (or Public Key) and stores the encrypted result to a Job Resource variable. Only ciphertext leaves the Password Secret Manager; the Agent's Private Key is required to recover the secret.
  • The Job Resource variable is assigned an environment variable that is made available to jobs using the Job Resource.
  • Examples:

    • For details see JS7 - How to update a Job Resource using Unix Shell.

      Example for Encryption using Unix Shell:

      # demo values: plain http and the root/root account are placeholders,
      # use https and a dedicated JOC Cockpit account in production
      ./js7_set_job_resource.sh \
          --url=http://joc-2-0-primary:7446 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdDatabaseSecret \
          --key=databasePassword \
          --value='12345678' \
          --env-var='DATABASE_PASSWORD' \
          --encrypt-cert=foobar.crt

    • Example for Encryption using PowerShell:

      # assumes a session established with Connect-JS7 beforehand
      Set-JS7JobResource `
          -Path /ProductDemo/Variables/pdDatabaseSecret `
          -Key 'databasePassword' `
          -Value '12345678' `
          -EnvVar 'DATABASE_PASSWORD' `
          -EncryptCertificatePath foobar.crt `
          -JavaLib /js7/js7.encryption/lib

Decrypting Secrets from Jobs


digraph structs {
    compound=true;
    rankdir=LR;

    Job [label="   Job   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen",fontname="Arial",fontsize="12pt"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue",fontname="Arial",fontsize="12pt"]
    PrivateKey [shape="ellipse",label="   Private Key   ",style="filled",fillcolor="orange",fontname="Arial",fontsize="12pt"]
 
    UsePrivateKey [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseEncryptedSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    DecryptSecret [shape="rectangle",label="Decrypt\njs7_decrypt.sh\njs7_decrypt.cmd\nInvoke-JS7Decrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Job -> UsePrivateKey;
        Job -> UseEncryptedSecret;
        UseEncryptedSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];

        UsePrivateKey -> PrivateKey [label="",fontname="Arial",fontsize="10pt"];
        PrivateKey -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];

        Encrypted_Secret -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        DecryptSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];        
      }
}

...

  • The Job Resource is assigned to the workflow, which makes its environment variables available to all jobs, or to individual jobs. JS7 transfers the Job Resource to all Agents that operate workflows or jobs to which the Job Resource is assigned. The environment variables specified with the Job Resource are automatically available to shell jobs.

  • The job decrypts a secret using the current Agent's Private Key. Because the Job Resource holds only the encrypted value, the clear-text secret exists only inside the job on the Agent that holds the matching Private Key.
  • Examples:

    • For details see JS7 - How to encrypt and decrypt using Unix Shell

      Example for Decryption using Unix Shell:

      # encrypted result is assumed being available from the DATABASE_PASSWORD environment variable
      # the value holds three space-separated fields: encrypted symmetric key, IV, encrypted string
      secret=$($JS7_AGENT_HOME/bin/js7_decrypt.sh \
          --key=$JS7_AGENT_CONFIG_DIR/private/foobar.key \
          --encrypted-key="$(printf "%s" "$DATABASE_PASSWORD" | cut -d' ' -f 1)" \
          --iv="$(printf "%s" "$DATABASE_PASSWORD" | cut -d' ' -f 2)" \
          --in="$(printf "%s" "$DATABASE_PASSWORD" | cut -d' ' -f 3)")
      # for demonstration only: echoing the secret writes it to the job log
      echo "$secret"

    • For details see JS7 - How to encrypt and decrypt using Windows Shell

      Example for Decryption using Windows Shell (batch):

      @rem encrypted result is assumed being available from the DATABASE_PASSWORD Job Resource environment variable
      @rem the value holds three space-separated fields: encrypted symmetric key, IV, encrypted string
      for /f "tokens=1-3" %%i in ("%DATABASE_PASSWORD%") do (
          set encrypted_symmetric_key=%%i
          set encrypted_base64_iv=%%j
          set encrypted_string=%%k
      )

      call "%JS7_AGENT_HOME%\bin\js7_decrypt.cmd" ^
          "--key=%JS7_AGENT_CONFIG_DIR%\private\foobar.key" ^
          "--encrypted-key=%encrypted_symmetric_key%" ^
          "--iv=%encrypted_base64_iv%" ^
          "--in=%encrypted_string%"
      @rem for demonstration only: echoing the secret writes it to the job log
      @echo %JS7_DECRYPT_VALUE%

    • For details see JS7 - How to encrypt and decrypt using PowerShell

      Example for Decryption using PowerShell:

      # encrypted result is assumed being available from the DATABASE_PASSWORD Job Resource environment variable
      $secret = Invoke-JS7Decrypt `
          -Value $env:DATABASE_PASSWORD `
          -KeyPath $env:JS7_AGENT_CONFIG_DIR/private/foobar.key `
          -JavaLib $env:JS7_AGENT_HOME/lib
      # for demonstration only: writing the secret to output puts it into the job log
      Write-Output $secret
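The following added example (not part of this page and not the JS7 scripts themselves) illustrates the hybrid scheme behind the three-field value that the Unix Shell, Windows Shell and PowerShell jobs above split into encrypted key, IV and encrypted string: a random AES key is wrapped with the Agent's RSA public key, the secret is encrypted under that AES key, and only the Private Key can unwrap it. It is assumed that js7_encrypt.sh/js7_decrypt.sh use a comparable construction; the cipher (AES-256-CBC), padding (RSA-OAEP), encoding and the throw-away key pair are assumptions of this example. encrypt_for_agent would be run once per Agent Certificate when several Agents with individual keys need the same secret; wrong_key_demo shows that a different Agent's Private Key is rejected.

```shell
#!/usr/bin/env bash
# Added illustration of the hybrid scheme behind "<encrypted-key> <iv> <ciphertext>".
# Not the JS7 scripts: cipher, padding and encoding are assumptions of this example.
set -e

# Throw-away RSA key pair standing in for the Agent's Certificate/Public Key and
# Private Key (constructed for this example only). With a real X.509 certificate,
# pkeyutl takes -certin instead of -pubin.
make_demo_keypair() {
    local dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/agent.key" 2>/dev/null
    openssl pkey -in "$dir/agent.key" -pubout -out "$dir/agent.pub" 2>/dev/null
}

# encrypt_for_agent <agent-public-key.pem> <plaintext>
# Prints one line "<encrypted-key> <iv> <ciphertext>"; every field is base64 without
# spaces, so a split on the single space recovers them, as the jobs above do.
encrypt_for_agent() {
    local pubkey="$1" plaintext="$2"
    local key iv_b64 iv_hex enc_key enc_data
    key=$(openssl rand -hex 32)                          # fresh AES-256 key per call
    iv_b64=$(openssl rand 16 | openssl base64 -A)        # fresh CBC IV per call
    iv_hex=$(printf '%s' "$iv_b64" | openssl base64 -d -A | od -An -tx1 | tr -d ' \n')
    # field 1: the hex-encoded AES key wrapped with the Agent's public key (RSA-OAEP)
    enc_key=$(printf '%s' "$key" \
        | openssl pkeyutl -encrypt -pubin -inkey "$pubkey" -pkeyopt rsa_padding_mode:oaep \
        | openssl base64 -A)
    # field 3: the secret encrypted with AES-256-CBC under that key
    enc_data=$(printf '%s' "$plaintext" \
        | openssl enc -aes-256-cbc -K "$key" -iv "$iv_hex" \
        | openssl base64 -A)
    printf '%s %s %s\n' "$enc_key" "$iv_b64" "$enc_data"
}

# decrypt_from_agent <agent-private-key.pem> "<encrypted-key> <iv> <ciphertext>"
# Mirrors the Unix Shell job above: split on the space, unwrap the AES key with the
# Private Key, then decrypt the third field. Prints the clear-text secret, or
# returns non-zero if the Private Key does not match.
decrypt_from_agent() {
    local privkey="$1" value="$2"
    local enc_key iv_b64 iv_hex enc_data key
    enc_key=$(printf '%s' "$value" | cut -d' ' -f1)
    iv_b64=$(printf '%s' "$value" | cut -d' ' -f2)
    enc_data=$(printf '%s' "$value" | cut -d' ' -f3)
    key=$(printf '%s' "$enc_key" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$privkey" -pkeyopt rsa_padding_mode:oaep 2>/dev/null) \
        || return 1
    [ "${#key}" -eq 64 ] || return 1                     # 32-byte key as 64 hex chars
    iv_hex=$(printf '%s' "$iv_b64" | openssl base64 -d -A | od -An -tx1 | tr -d ' \n')
    printf '%s' "$enc_data" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$key" -iv "$iv_hex"
}

# roundtrip_demo [secret]: encrypt with the demo public key, decrypt with the demo
# private key and print the recovered secret (default: the page's '12345678').
roundtrip_demo() {
    local secret="${1:-12345678}" dir value
    dir=$(mktemp -d)
    make_demo_keypair "$dir"
    value=$(encrypt_for_agent "$dir/agent.pub" "$secret")
    decrypt_from_agent "$dir/agent.key" "$value"
    rm -rf "$dir"
}

# wrong_key_demo: a value encrypted for one Agent cannot be decrypted with another
# Agent's Private Key; prints "rejected" when decryption fails as it should.
wrong_key_demo() {
    local dir value
    dir=$(mktemp -d)
    make_demo_keypair "$dir"
    value=$(encrypt_for_agent "$dir/agent.pub" 'secret')
    make_demo_keypair "$dir"                              # replace with a different key pair
    if decrypt_from_agent "$dir/agent.key" "$value" >/dev/null 2>&1; then
        echo "unexpected-success"
    else
        echo "rejected"
    fi
    rm -rf "$dir"
}
```

Usage: source the file and call `roundtrip_demo` or `encrypt_for_agent agent.pub 'my secret'`; the printed line is what would be stored in the Job Resource variable, and `decrypt_from_agent agent.key "$line"` is the job-side counterpart. Note that the fields carry no authentication tag, so a tampered ciphertext is detected only by the CBC padding check; this mirrors what can be inferred from the page's three-field format and is not a statement about the JS7 implementation.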

Use with

...

Secret Managers

  • Password Secret Manager products are used for lifecycle management of secrets, i.e. to create, update, rotate and delete secrets.
  • Password Secret Manager products typically offer one or more of the following interfaces:
    • Command Line Interface: The Password Secret Manager CLI can be executed to retrieve a secret. The JS7 encryption scripts can then be used to encrypt the secret for later use with JS7 products.
    • Event interface: The Password Secret Manager triggers events when a secret is changed. Typically Password Secret Managers offer hooks to forward changed secrets to applications such as JS7. This covers the automation scenario of passwords being rotated on a regular basis. Hooks can execute a shell script, perform a REST API call etc.
  • For CLI/Event integration the following JS7 interfaces can be used:
  • The recommended architecture is that the Password Secret Manager forwards changed secrets to JS7 (push), rather than JS7 polling the Password Secret Manager to check whether a secret has changed:
    • Polling shifts security risks: JS7 would have to hold credentials for, and authenticate with, the Password Secret Manager at run time. Availability and reachability of the Password Secret Manager would then become critical for the job scheduling solution, which conflicts with its high availability requirements.
    • The Password Secret Manager knows the point in time when a secret is changed. Repeatedly accessing it when the secret did not change is a waste of resources.

Key Distribution

Keys can be distributed in a number of ways. Frequent scenarios include:

  • Password Secret Manager products offering hooks to forward secrets to JS7 can encrypt secrets with the receiving Agent's Certificate or Public Key. If more than one Agent needs access to the same sensitive information, then either
    • the same secret is encrypted a number of times using the individual Certificate/Public Key of each Agent, so that each Agent keeps its own Private Key, or
    • the secret is encrypted once and the same Private Key is shared by a number of Agents. This applies to use of secrets in an Agent Cluster if jobs on any Agent should access the same secret. A shared Private Key widens the blast radius: compromise of the key on one Agent exposes the secrets of all Agents sharing it, and rotating it requires re-encrypting for all of them.
  • Certificates and Public Keys include no sensitive information. There is no harm in making an Agent's Certificate available from a PEM file known to the Password Secret Manager product. What does matter is its integrity: if the Certificate/Public Key can be substituted, secrets are encrypted to the substitute key instead of the Agent's, so the file should be distributed through a trusted channel and verified, e.g. by comparing its fingerprint with the one on the Agent.

Further Resources

...