Page History
...
- The secret should not be exposed to JS7 logging and to any instance of JS7 products that track variables.
- For example, if a variable created by some job should be forwarded to a next job executed with a different Agent then the Controller and JOC Cockpit keep track of the variable.
- The variable is available in the Agent's and Controller's memory.
- The variable is available in the Controller's journal, in JOC Cockpit's s JS7 - History and in the JS7 - Database.
- At no point in time the secret should be from clear text available to any involved JS7 componentproducts, to the database or to the OS.
- For example, if a variable created by some job should be forwarded to a next job executed with a different Agent then the Controller and JOC Cockpit keep track of the variable.
- The secret should not be exposed to OS mechanisms that allow a 3rd-party to identify the secret:
- For example, the following command to encrypt a secret can be tracked by any account capable of executing a
ps -aux
command:
echo "secret" | openssl enc -aes256 -salt -pass pass:"secret-key"
- For example, the following command to encrypt a secret can be tracked by any account capable of executing a
- We find a number of invalid inadequate approaches that do not make it for a secure solution:
- Symmetric keys are a No-Go as they are available in two places and leave it up to the implementation where to store the key.
- Obfuscation is a No-Go as it does not resist to any serious attack.
The preferred solution with JS7 is to use asymmetric keys. :
- Encryption and
...
- decryption is performed directly by the related jobs.
- No JS7 product is involved in encryption/decryption as otherwise the JS7 product would know the keys involved that potentially could be compromised by logging, database persistence etc.
- Performing encryption/decryption by jobs limits the attack surface to the OS process executing the job. The job implementation is controlled by the user who can verify secure operation. This includes that for encryption/decryption the
openssl
open source utility is used.
Asymmetric Keys
The basic proceeding works like this:
...
The following step is performed on the server hosting the Agent that should decrypt variables using the openssl
utility from the command line:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# navigate to the Agent's <agent-data>/config/private directory cd /var/sos-berlin.com/js7/agent/config/private # create the agent.key private key file using "jobscheduler" as a passphrase openssl genrsa -aes256 -passout pass:"jobscheduler" -out agent.key 4096 # extract the agent.pub public key file from agent.key private key file openssl rsa -passin pass:"jobscheduler" -in agent.key -pubout > agent.pub |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# navigate to the Agent's <agent-data>/config directory cd /var/sos-berlin.com/js7/agent/config # copy the agent.pub public key file from the Agent in Step 1 to target Agents using scp or a file transfer tool |
Setting up the
...
Example
The workflow example introduces a JS7 - Script Include and a workflow hodling two jobs that encrypt and decrypt variables.
- Download sample
...
- Script Include (upload .json): Crypto.includescript.json
- Download sample Workflow (upload .json): pduVariableCrypto.workflow.json
First Job: encrypt-variables
...
The Crypto Script Include is located in the related system folder and :
- Download sample Script Include (upload .json): Crypto.includescript.json
The Crypto Script Include is implemented like this:
...
Overview
Content Tools