...

  • The secret should not be exposed to JS7 logging or to any JS7 product that tracks variables.
    • For example, if a variable created by a job is forwarded to a subsequent job executed with a different Agent, then the Controller and JOC Cockpit keep track of the variable:
      • The variable is available in the Controller's memory.
      • The variable is available in the JOC Cockpit's JS7 - History.
    • At no point in time should the secret be available in clear text to any involved JS7 component, database or OS.
  • The secret should not be exposed to OS mechanisms that allow a 3rd-party to identify the secret.
    • For example, the following command to encrypt a secret can be tracked by any account capable of executing a ps -aux command, because the secret and the key are both passed as command line arguments:
       echo "secret" | openssl enc -aes256 -salt -pass pass:"secret-key"
  • A number of approaches are No-Gos, as they do not make for a secure solution:
    • Symmetric keys are a No-Go as the same key is needed in two places, which leaves it up to the implementation where to store the key.
    • Obfuscation is a No-Go as it does not resist any serious attack.

...

The solution is provided for download and can be used to automate encryption and decryption of variables.

  • The solution is available for Linux and MacOS® using bash shell.
  • The solution is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
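The following is an added example, not the SOS download solution, that shows the public/private key pattern under the constraints listed above: the secret is read from stdin rather than passed as an argument (so it does not appear in ps output or shell history), the private key is the only thing that can decrypt, and the clear text exists only inside the pipe of the consuming job. Key paths, function names and the sample value are hypothetical; it assumes a POSIX shell with openssl available.

```shell
#!/bin/sh
# Added example, not the SOS/JS7 download solution: a public-key pattern that
# keeps a secret out of argv (ps), logs and history. Paths are hypothetical.
set -eu

# Create an RSA key pair in a temporary directory. In a real setup the private
# key lives only on the Agent that decrypts; the public key can be shared.
setup_keys() {
  KEY_DIR=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$KEY_DIR/private.pem" 2>/dev/null
  chmod 600 "$KEY_DIR/private.pem"
  openssl pkey -in "$KEY_DIR/private.pem" -pubout -out "$KEY_DIR/public.pem"
}

# Encrypt whatever arrives on stdin with the public key (RSA-OAEP) and emit a
# single base64 line suitable for a job variable. The secret is never a
# command line argument, so "ps aux" only reveals the key path.
# Note: plain RSA can only wrap a short value (well under 200 bytes here).
encrypt_secret() {
  openssl pkeyutl -encrypt -pubin -inkey "$KEY_DIR/public.pem" \
    -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Decrypt a base64 ciphertext from stdin with the private key. The clear text
# exists only in the pipe or command substitution of the consuming job.
decrypt_secret() {
  openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$KEY_DIR/private.pem" \
    -pkeyopt rsa_padding_mode:oaep
}

# Encrypt, then decrypt, and report whether the value survived intact without
# ever printing it. "$1" is a shell function parameter and printf is a shell
# builtin, so the value is not the argv of any separate process.
roundtrip_ok() {
  ciphertext=$(printf '%s' "$1" | encrypt_secret)
  [ "$(printf '%s' "$ciphertext" | decrypt_secret)" = "$1" ]
}

cleanup_keys() { rm -rf "$KEY_DIR"; }

# Demo with a constructed sample value; only the verdict is printed.
setup_keys
if roundtrip_ok 'constructed-sample-secret'; then echo "round trip OK"; fi
cleanup_keys
```

Because OAEP padding is randomized, encrypting the same value twice yields different ciphertexts, so a stored ciphertext does not reveal whether two variables hold the same secret.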

Solution for Unix Jobs

Managing the private/public key pair

...