Introduction

JS7 - Encryption and Decryption offers secure handling of secrets by use of asymmetric keys.

The JOC Cockpit can be used for JS7 - Encryption - Management of Encryption Keys:

  • Centrally managing Certificates/Public Keys.
  • Providing JS7 - Job Resources that hold the related Certificate/Public Key. Such Job Resources can be assigned to workflows and jobs that should decrypt secrets.

For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.

Encryption

Encrypting Workflow Variables

A workflow can be assigned variables that hold encrypted values.

To encrypt a variable users can proceed like this from the Configuration->Inventory view:


Explanation:

  • The encrypted_variable workflow variable holds an encrypted value.
  • For encryption of values users click the icon that invokes the following popup window:



    • The first input field accepts the plain text value for the variable.
    • Users can select a Certificate.
    • Hitting the Submit button will encrypt the plain text value and will assign the variable the encrypted value that looks like this:
      • enc:BGlzj4sQ5ea0D6UdZTOP0oF0hkKN9Ca1ecMeQfi8y4cEx/rweM9MpNquU2q5lint0lY6yvoYspLhlV7rhKIAEooFh2Ohca0wBZ4InjvrAI0r0xGa/fmpxCKgfuzNHBqZdsoTVQo= OD6HmuRRmpLKPLYN5urJlw== dQH6taVBtH2jaX4+ig+5ig==
      • The enc: prefix indicates an encrypted value that holds the following parts separated by spaces:
        • encrypted symmetric key,
        • initialization vector,
        • encrypted secret.
    • When a Certificate is selected, the Use of Certificate by Agents link can be used to check which Agents are assigned the Certificate. The Agent that runs the job decrypting the variable's value must be assigned the Certificate used for encryption and must have access to the matching Private Key.
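
The following Python sketch is an added example, not part of JS7 or its documentation. It parses the enc: format described above and audits a set of variables for values that are plaintext or structurally malformed. That each part is standard Base64 is an assumption drawn from the sample value, and all function and variable names are hypothetical.

```python
import base64
import binascii

PREFIX = "enc:"
PART_NAMES = ("encrypted_key", "iv", "encrypted_secret")

def parse_enc_value(value):
    """Return the three decoded parts of an 'enc:' value or raise ValueError."""
    if not value.startswith(PREFIX):
        raise ValueError("missing enc: prefix")
    parts = value[len(PREFIX):].split(" ")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 3 space-separated parts, got %d" % len(parts))
    decoded = {}
    for name, part in zip(PART_NAMES, parts):
        try:
            decoded[name] = base64.b64decode(part, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("%s is not valid Base64: %s" % (name, exc))
    return decoded

def audit_variables(variables):
    """Classify each variable value as 'encrypted', 'malformed' or 'plaintext'."""
    report = {}
    for name, value in variables.items():
        if not value.startswith(PREFIX):
            report[name] = "plaintext"
            continue
        try:
            parse_enc_value(value)
            report[name] = "encrypted"
        except ValueError:
            report[name] = "malformed"
    return report

# SAMPLE is the value shown on this page; the other two entries are constructed.
SAMPLE = (
    "enc:BGlzj4sQ5ea0D6UdZTOP0oF0hkKN9Ca1ecMeQfi8y4cEx/rweM9MpNquU2q5lint0lY6yvoY"
    "spLhlV7rhKIAEooFh2Ohca0wBZ4InjvrAI0r0xGa/fmpxCKgfuzNHBqZdsoTVQo="
    " OD6HmuRRmpLKPLYN5urJlw== dQH6taVBtH2jaX4+ig+5ig==")
VARIABLES = {
    "encrypted_variable": SAMPLE,
    "truncated_variable": SAMPLE.rsplit(" ", 1)[0],  # constructed: last part lost
    "db_password": "s3cret",                         # constructed: never encrypted
}

if __name__ == "__main__":
    for name, status in audit_variables(VARIABLES).items():
        print(name, status)
```

The check is structural only: it does not decrypt anything and cannot tell whether a value was encrypted with the Certificate assigned to the Agent that runs the job.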

Encrypting Job Variables

Job variables include Environment Variables used for Shell jobs and Arguments used for JVM jobs.

Values for such variables can be encrypted from the Properties Editor of a job like this:


Clicking the icon invokes a popup window for encryption as explained in chapter Encrypting Workflow Variables.

Encrypting Order Variables

Order variables can be encrypted in the following places:

Encrypting Order Variables from Schedules

JS7 - Schedules are used to add orders to the JS7 - Daily Plan.

Schedules can encrypt order variables as in the following example:


Clicking the icon invokes a popup window for encryption as explained in chapter Encrypting Workflow Variables.

Encrypting Order Variables from Ad hoc Orders

When adding ad hoc orders to a workflow using the Workflows view users can encrypt values of workflow variables like this:


Clicking the icon invokes a popup window for encryption as explained in chapter Encrypting Workflow Variables.

Decryption

Decryption can be performed from Shell jobs and from JS7 - JITL Job Templates.

Decrypting from Shell Jobs

Shell jobs can make use of the JS7 scripts provided for decryption, see JS7 - Encryption - Integration with Shell CLI.

Decrypting from JITL Jobs

JS7 - JITL Job Templates provide a built-in mechanism to decrypt any encrypted argument values.

Prerequisites for decryption include that

Further Resources