Introduction

JS7 - Encryption and Decryption offers secure handling of secrets by use of asymmetric keys.

  • The Certificate/Public Key is used to encrypt a secret.
  • The Private Key is used to decrypt an encrypted secret.

JOC Cockpit offers to centrally manage Certificates while Private Keys remain with Agents. For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.

Certificates are used to encrypt, and the related Private Keys to decrypt, values of variables assigned to workflows, jobs or orders, see JS7 - Encryption - Integration with Workflows - Jobs - Orders.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.7.1

Managing Encryption Keys

The administrative menu of JOC Cockpit offers to Manage Encryption Keys:


The operation displays the list of available keys like this:


Explanation:

  • Certificates can be imported from files.
  • Certificates can be manually added by copy/paste.
  • Certificate entries can be updated by clicking the alias name of the Certificate.
  • A Certificate's action menu offers the operations to update and to delete a Certificate entry.

Adding and Updating Certificates

When adding/updating a Certificate, the following popup window is displayed:


Explanation:

  • The following input fields are offered:
    • Certificate Alias: The Certificate is assigned an Alias name that can be freely chosen by the user. The Alias name must be unique across all Certificates managed.
    • Certificate: The Certificate or Public Key can be added to the related input field by copy/paste. The PEM format of a Certificate/Public Key is used:
      • Certificate
        • The first line of a Certificate looks like this: -----BEGIN CERTIFICATE-----
        • The last line of a Certificate looks like this: -----END CERTIFICATE-----
      • Public Key
        • The first line of a Public Key looks like this: -----BEGIN PUBLIC KEY-----
        • The last line of a Public Key looks like this: -----END PUBLIC KEY-----
      • Between the first line and the last line a number of base64 encoded lines carry the content of the Certificate or Public Key.
    • Path to Private Key File: Specifies the location of the Private Key file on the Agent that holds the Private Key. Frequently the <AGENT-DATA>/config/private directory is used. However, any directory can be used that is accessible to the Agent.
      • Users have to store the Private Key at the indicated location.
      • Note: Private Keys must not be protected by a passphrase. A passphrase acts as a second factor when a human user accesses the key: the Private Key is in the file system while the passphrase is in the user's head. This does not improve security for unattended processing: it is pointless to store a passphrase side by side with the Private Key in scripts or configuration files on the same media. Therefore, use of passphrase-protected Private Keys is denied. Protect the Private Key file by file system permissions instead, so that only the user account running the Agent can read it.
    • Job Resource Folder: The Certificate and the Path to Private Key File are made available to jobs from a JS7 - Job Resource. The name of the Job Resource is derived from the Certificate Alias; the folder of the Job Resource is specified with this input field, see chapter Job Resource for Certificate.
  • The Use of Certificates by Agents link displays the list of Agents that are assigned to the given Certificate Alias, see chapter Managing Certificates for Agents.
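The PEM structure described above and the rule against passphrase-protected Private Keys can both be checked before anything is pasted into JOC Cockpit or copied to an Agent. The following is an added example written for this page, not code from JS7 or SOS Berlin: it uses only the Python standard library, assumes the PEM labels shown above plus the standard ENCRYPTED PRIVATE KEY label and Proc-Type header that OpenSSL writes for passphrase-protected keys, and its sample inputs are constructed stand-ins, not real certificates or keys.

```python
"""Pre-flight checks for the Encryption Key dialog and the Agent's Private Key file.

Added example using only the Python standard library. It checks PEM structure
and passphrase protection; it does not implement JS7's own encryption format.
"""
import base64
import os
import re
import sys

# Labels JOC Cockpit accepts in the Certificate input field.
ACCEPTED_LABELS = ("CERTIFICATE", "PUBLIC KEY")
# A PKCS#8 encrypted key carries this label; a traditional OpenSSL key carries
# a "Proc-Type: 4,ENCRYPTED" header line instead.
ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"
ENCRYPTED_HEADER = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED")

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def parse_pem(text):
    """Split one PEM block into (label, header_lines, der_bytes).

    Raises ValueError when BEGIN/END are missing or do not match, or when the
    body is not base64. Surrounding blank lines are tolerated (copy/paste).
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    m_begin, m_end = _BEGIN.match(lines[0]), _END.match(lines[-1])
    if not m_begin or not m_end:
        raise ValueError("first/last line must be -----BEGIN X----- / -----END X-----")
    label = m_begin.group(1)
    if m_end.group(1) != label:
        raise ValueError(f"BEGIN {label} is closed by END {m_end.group(1)}")
    body = lines[1:-1]
    headers = []
    while body and ":" in body[0]:          # traditional "Key: value" header lines
        headers.append(body.pop(0))
    if headers and body and body[0] == "":  # blank line that terminates the headers
        body.pop(0)
    if not body or not all(_B64_LINE.match(ln) for ln in body):
        raise ValueError("body between BEGIN and END must be base64 lines")
    return label, headers, base64.b64decode("".join(body), validate=True)


def check_certificate_field(text):
    """Return the label of a value that is valid for the Certificate input field.

    Private keys are rejected on purpose: they stay with the Agent and must
    never be pasted into JOC Cockpit.
    """
    label, _headers, der = parse_pem(text)
    if label not in ACCEPTED_LABELS:
        raise ValueError(f"{label} is not accepted; paste the Certificate or Public Key")
    # An X.509 certificate and a SubjectPublicKeyInfo both start as a DER SEQUENCE.
    if not der or der[0] != 0x30:
        raise ValueError("decoded content is not a DER SEQUENCE")
    return label


def private_key_is_passphrase_protected(text):
    """True if the PEM private key would prompt for a passphrase.

    Such a key cannot be used for unattended decryption by the Agent, so run
    this before storing the file at the Path to Private Key File.
    """
    label, headers, _der = parse_pem(text)
    if "PRIVATE KEY" not in label:
        raise ValueError(f"{label} is not a private key")
    return label == ENCRYPTED_LABEL or any(ENCRYPTED_HEADER.match(h) for h in headers)


def key_file_mode_is_private(st_mode):
    """True if a POSIX file mode grants no group/other access (e.g. 0o600)."""
    return st_mode & 0o077 == 0


# Constructed samples: the base64 is a tiny DER SEQUENCE (30 03 02 01 05),
# not a real certificate or key, so the structural checks run offline.
_DER_B64 = "MAMCAQU="
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_PUBKEY = f"-----BEGIN PUBLIC KEY-----\n{_DER_B64}\n-----END PUBLIC KEY-----\n"
SAMPLE_PLAIN_KEY = f"-----BEGIN PRIVATE KEY-----\n{_DER_B64}\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENCRYPTED = (
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_DER_B64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    f"\n{_DER_B64}\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python pem_check.py cert FILE   |   python pem_check.py key FILE
    mode, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        pem = fh.read()
    if mode == "cert":
        print("accepted as", check_certificate_field(pem))
    else:
        print("passphrase-protected:", private_key_is_passphrase_protected(pem))
        print("readable by owner only:", key_file_mode_is_private(os.stat(path).st_mode))
```

Run it with "cert" against the file whose content is to be pasted into the Certificate field, and with "key" against the Private Key file after it has been copied to the Agent; the file name pem_check.py is a placeholder. The permission check only applies to POSIX file systems; on Windows, restrict the ACL of the key file to the Agent's service account instead.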

Job Resource for Certificate

When Encryption Keys are added or updated, a Job Resource like this is automatically created and deployed:


Explanation:

  • The Job Resource is named after the Certificate Alias. Users should consider that object names in the JS7 inventory have to be unique, so the Alias must not collide with the name of an existing inventory object.
  • The Job Resource holds the following variables:
    • encipherment_certificate: holds the Certificate/Public Key.
    • encipherment_private_key_path: holds the Path to Private Key File. The Private Key file must be available for the Agent(s) which perform decryption.
  • The Job Resource can be assigned to any jobs that use encrypted secrets. It is deployed by the Controller to any Agents assigned the Job Resource. The Agent uses the Job Resource to identify the path to the Private Key used to decrypt secrets.

Managing Certificates for Agents

The administrative menu of JOC Cockpit offers to Manage Controllers/Agents from the following page:

Assigning Certificates to Agents

Each Agent's action menu offers the operation to Assign Encryption Certificate:


Invoking the action menu item brings forward a popup window to select the Certificate Alias that should be assigned to the Agent:


Users must ensure that the related Private Key is available to the Agent at the location specified with the selected Certificate Alias.

Listing Certificate Assignments

The list of Standalone Agents and Cluster Agents displays the Certificates column.

Users can click the icon to display the list of Certificate Aliases that are assigned to the given Agent:


Further Resources