...

  • Consider the parties involved and related use cases:
    • A job executed on Agent A should be parameterized by a variable holding a secret.
    • A job executed on Agent B retrieves a secret that should be forwarded to a job on Agent A and possibly to other Agents too.
  • Use of asymmetric keys allows:
    • a private key to be created and stored on Agent A.
    • Agent A's public key to be used on Agent B or on any other system involved.
    • encryption and decryption to be managed like this:
      • create a symmetric one-time key and an encrypted copy of that key, encrypted with Agent A's public key.
      • encrypt the variable's value with the one-time key.
      • drop the one-time key and forward the encrypted copy of the one-time key together with the variable holding the encrypted value to Agent A.
      • only Agent A is able to decrypt the encrypted one-time key using its private key, which reveals the symmetric key required to decrypt the variable value.

...

Setting up the Workflow

The workflow example is straightforward and introduces two jobs: one that creates encrypted variables and one that reads them:

...

  • The job makes use of JS7 - Script Includes: the Crypto Script Include holds the Shell functions used in the job.
    • The ##!include Crypto inserts the shell code available from the indicated Crypto Script Include.
    • The Script Include can be parameterized to specify the location of the private key.
    • The Script Include can be parameterized to specify a passphrase used by the private key.
      • ##!include Crypto --replace="<passphrase>","jobscheduler"
      • The Script Include can be invoked with any number of --replace=<what>,<with> options.
  • The DecryptVariable function expects the encrypted value of the variable and the encrypted value of the symmetric key.
    • DecryptVariable <value> <key-value> [<private-key> [,<passphrase>]]
      • <value>: The encrypted value of the variable is required.
      • <key-value>: The value of the variable holding the encrypted symmetric key is required.
      • <private-key>: The path to the private key file. Defaults to <agent-data>/config/private/agent.key.
      • <passphrase>: The passphrase of the private key.
    • The function will decrypt the encrypted symmetric key.
    • The function will decrypt the encrypted variable value using the decrypted symmetric key.
  • The DecryptVariable function returns the secret, which can be assigned to an environment variable.
  • It is recommended not to write the secret to a file and not to perform any operation that exposes the secret to logging of output on the stdout and stderr channels.

Script Include: Crypto

The Script Include is located in the related system folder and looks like this:

Explanation:

  • The Script Include implements the EncryptVariable and DecryptVariable shell functions.
  • Both functions create a temporary file for the symmetric key. The Script Include implements a trap to reliably remove the symmetric key file, also when the function is aborted.
  • The actual encryption and decryption is performed using the openssl utility.
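The hybrid scheme described above (one-time symmetric key wrapped with Agent A's public key) and the trap-protected openssl functions explained here, written out as an added example; this is not the JS7 Crypto Script Include itself. The cipher choices (AES-256-CBC with PBKDF2, RSA-OAEP), the single-line output format, the Demo helper with its throwaway key pair and the omission of the passphrase option are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical stand-in for the Crypto Script Include (not the JS7 project's code).
set -eu

# Agent B side: encrypt <value> for the holder of the private key matching <public-key>.
# Prints "<encrypted-value> <encrypted-one-time-key>" (both base64, one line each).
EncryptVariable() {
  value="$1"; pubkey="$2"
  keyfile=$(mktemp)
  trap 'rm -f "$keyfile"' EXIT INT TERM   # reliably drop the one-time key file
  openssl rand -hex 32 > "$keyfile"        # one-time symmetric key, never forwarded in clear
  # encrypt the value with the one-time key (AES-256-CBC, key derived with PBKDF2)
  enc_value=$(printf '%s' "$value" | openssl enc -aes-256-cbc -pbkdf2 -salt \
                -pass file:"$keyfile" -a | tr -d '\n')
  # wrap the one-time key with Agent A's RSA public key (OAEP padding)
  enc_key=$(openssl pkeyutl -encrypt -pubin -inkey "$pubkey" -pkeyopt rsa_padding_mode:oaep \
              -in "$keyfile" | openssl base64 | tr -d '\n')
  rm -f "$keyfile"; trap - EXIT INT TERM
  printf '%s %s\n' "$enc_value" "$enc_key"
}

# Agent A side: DecryptVariable <value> <key-value> <private-key>, prints the secret.
DecryptVariable() {
  enc_value="$1"; enc_key="$2"; privkey="$3"
  keyfile=$(mktemp)
  trap 'rm -f "$keyfile"' EXIT INT TERM
  # only the private key can unwrap the one-time key ...
  printf '%s\n' "$enc_key" | fold -w 64 | openssl base64 -d \
    | openssl pkeyutl -decrypt -inkey "$privkey" -pkeyopt rsa_padding_mode:oaep -out "$keyfile"
  # ... which in turn decrypts the variable value
  printf '%s\n' "$enc_value" | fold -w 64 \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$keyfile" -a
  rm -f "$keyfile"; trap - EXIT INT TERM
}

# Round trip with a throwaway key pair; prints OK on success, never the secret itself.
Demo() {
  workdir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/agent.key" 2>/dev/null
  openssl pkey -in "$workdir/agent.key" -pubout -out "$workdir/agent.pub" 2>/dev/null
  set -- $(EncryptVariable 's3cret-pa55word' "$workdir/agent.pub")   # $1=value, $2=key
  result=$(DecryptVariable "$1" "$2" "$workdir/agent.key")
  rm -rf "$workdir"
  [ "$result" = 's3cret-pa55word' ] && echo OK || echo FAIL
}

Demo
```

Only the two base64 strings printed by EncryptVariable need to travel between Agents; the plaintext one-time key exists solely in the trap-guarded temporary file on each side.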

Solution for Windows Jobs

...