JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 2

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The solution is available for Windows, Linux and MacOS® using bash shellPowerShell 7.x
  • The solution is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.

Solution for

...

Managing the private/public key pair

Step 1: Create a private/public key pair

...

Code Block
languagebash
titleExample how to create private/public key pair
linenumberstrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key file using "jobscheduler" as a passphrase, starting with: -----BEGIN RSA PRIVATE KEY-----
openssl genrsa -aes256 -passout pass:"jobscheduler" -out agent-pkcs1.key 2048

# convert key from pkcs#1 to pkcs#8, starting with: -----BEGIN ENCRYPTED PRIVATE KEY-----
openssl pkcs8 -inform PEM -topk8 -in agent-pkcs1.key -out agent.key

# extract the agent.pub public key file from agent.key private key file
openssl rsa -passin pass:"jobscheduler" -in agent.key -pubout > agent.pub

Step 2: Make public key available

Copy the public key to the server(s) hosting the Agent(s) that should encrypt variables:

Code Block
languagebash
titleExample where to copy the public key
linenumberstrue
# navigate to the Agent's <agent-data>/config directory
cd /var/sos-berlin.com/js7/agent/config

# copy the agent.pub public key file from Step 1 to the current location using scp or a file transfer tool

Setting up the Example

The example introduces a JS7 - Script Include and a workflow holding two jobs to encrypt and to decrypt variables.

...

Image Removed

First Job: encrypt-variable

The fist job encrypt-variable is implemented like this:

Code Block
languagebash
titleExample how to encrypt variables from a job
linenumberstrue
#!/bin/bash
set -e

# encrypt variable values using the target Agent's public key
##!include CryptoShell

EncryptVariable myVar1 "secret1"
EncryptVariable myVar2 "secret2"

Explanation:

  • The job makes use of JS7 - Script Includes: the CryptoShell Script Include holds the Shell functions used in the job.
    • The ##!include CryptoShell inserts the Shell code available from the indicated CryptoShell Script Include.
    • The Script Include is invoked once per job and optionally can be parameterized to specify the location of the public key.
      • ##!include CryptoShell --replace="<public-key>","/var/sos-berlin.com/js7/agent/config/agent.pub"
      • The first argument of the --replace option is a placeholder available with the CryptoShell Script Include.
      • The second argument represents the value by which the placeholder will be replaced. The above value corresponds to the default value that will be used if the Script Include is invoked without replacement options: the public key is looked up from a file with the name agent.pub in the Agent's <agent-data>/config directory.
  • The EncryptVariable Shell function expects the name of the variable and the value that should be encrypted:
    • EncryptVariable <name> <value> [<key-name> [<public-key>]]
      • <name>: The name of the variable is required.
      • <value>: The value of the variable that should be encrypted is required.
      • <key-name>: The name of a second variable holding the encrypted symmetric key. Defaults to <name>_key.
      • <public-key>: The path to the public key file is specified. Defaults to <agent-data>/config/agent.pub.
    • The Shell function will encrypt the variable value using the indicated public key.
    • The variable and its encrypted value will be forwarded to subsequent jobs and instructions in the workflow.

Second Job: decrypt-variable

...

Image Removed

Explanation:

  • MY_VAR1: environment variable that holds the encrypted value of the myVar1 workflow variable created by the encrypt-variable job.
  • MY_VAR1_KEY: environment variable that holds the encrypted value of the symmetric key. The variable is implicitly created by the encrypt-variable job.
  • MY_VAR2, MY_VAR2_KEY: similar to above variables.

The second job decrypt-variable is implemented like this:

Code Block
languagebash
titleExample how to decrypt variables in a job
linenumberstrue
#!/bin/bash
set -e

# decrypt variable values using the Agent's private key
##!include CryptoShell

echo "$(DecryptVariable "${MY_VAR1}" "${MY_VAR1_KEY}")"
echo "$(DecryptVariable "${MY_VAR2}" "${MY_VAR2_KEY}")"

Explanation:

  • The job makes use of JS7 - Script Includes: the CryptoShell Script Include holds the Shell functions used in the job.
    • The ##!include CryptoShell inserts the Shell code available from the indicated CryptoShell Script Include.
    • The Script Include can be invoked with repeated --replace=<what>,<with> options.
      • The Script Include optionally can be parameterized to specify the location of the private key.
        • ##!include CryptoShell --replace="<private-key>","/var/sos-berlin.com/js7/agent/config/private/agent.key"
        • The first argument of the --replace option is a placeholder available with the CryptoShell Script Include.
        • The second argument represents the value by which the placeholder will be replaced. The above value represents the default value that will be used of the Script Include is invoked without replacement options.
      • The Script Include can be parameterized to specify a passphrase required by the private key.
        • ##!include CryptoShell --replace="<passphrase>","jobscheduler"
        • The Script Include holds the above passphrase as a default value. Users should consider to change or to drop the default passphrase.
  • The DecryptVariable function expects the encrypted value of the variable and the encrypted value of the symmetric key:
    • DecryptVariable <value> <key> [<private-key> [<passphrase>]]
      • <value>: The encrypted value of the variable is required.
      • <key>: The value of the variable holding the encrypted symmetric key is required.
      • <private-key>: The path to the private key file is specified. Defaults to <agent-data>/config/private/agent.key.
      • <passphrase>: The passphrase of the private key is specified.
    • The function will decrypt the encrypted symmetric key and will decrypt the encrypted value using the decrypted symmetric key.
  • The DecryptVariable function returns the secret that can be assigned an environment variable or other function.
  • It is recommended not to write the secret to a file or to perform any operation that will expose the secret to logging of output in the stdout and stderr channels.

...

The CryptoShell Script Include is located in the related inventory folder:

...

Image Removed

Explanation:

  • The CryptoShell Script Include implements the EncryptVariable and DecryptVariable Shell functions.
  • Both functions create a temporary file for the symmetric key in the Agent's work directory. The Script Include implements a trap to remove the symmetric key file on termination of the job.
  • Encryption and decryption is performed using the openssl utility.

Solution for PowerShell Jobs on Unix/Windows

Managing the private/public key pair

Step 1: Create a private/public key pair

The following step is performed on the server hosting the Agent that should decrypt variables using the openssl utility from the command line:

Code Block
languagebash
titleExample how to create private/public key pair
linenumberstrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key file using "jobscheduler" as a passphrase, starting with: -----BEGIN RSA PRIVATE KEY-----
openssl genrsa -aes256 -passout pass:"jobscheduler" -out agent-pkcs1.key 2048

# convert key from pkcs#1 to pkcs#8, starting with: -----BEGIN ENCRYPTED PRIVATE KEY-----
openssl pkcs8 -inform PEM -topk8 -in agent-pkcs1.key -out agent.key

# extract the agent.pub public key file from agent.key private key file
openssl rsa -passin pass:"jobscheduler" -in agent.key -pubout > agent.pub

Step 2: Make public key available


Setting up the Example

The example introduces a JS7 - Script Include and a workflow holding two jobs to encrypt and to decrypt variables.

Image Modified

First Job: encrypt-variable

The fist job encrypt-variable is implemented like this:

...

  • The job makes use of JS7 - Script Includes: the CryptoPowerShell Script Include holds the PowerShell functions used in the job.
    • The ##!include CryptoPowerShell inserts the PowerShell code available from the indicated CryptoPowerShell Script Include.
    • The Script Include is invoked once per job and optionally can be parameterized to specify the location of the public key.
      • ##!include CryptoPowerShell --replace="<public-key>","/var/sos-berlin.com/js7/agent/config/agent.pub"
      • The first argument of the --replace option is a placeholder available with the CryptoPoserShell Script Include.
      • The second argument represents the value by which the placeholder will be replaced. The above value corresponds to the default value that will be used if the Script Include is invoked without replacement options: the public key is looked up from a file with the name agent.pub in the Agent's <agent-data>/config directory.
  • The Encrypt-Variable PowerShell function expects the name of the variable and the value that should be encrypted:
    • Encrypt-Variable -Name <name> -Value <value> [-KeyName <key-name>] [-PublicKey <public-key>]
      • <name>: The name of the variable is required.
      • <value>: The value of the variable that should be encrypted is required.
      • <key-name>: The name of a second variable holding the encrypted symmetric key. Defaults to <name>_key.
      • <public-key>: The path to the public key file is specified. Defaults to <agent-data>/config/agent.pub.
    • The PowerShell function will encrypt the variable value using the indicated public key.
    • The variable and its encrypted value will be forwarded to subsequent jobs and instructions in the workflow.

Second Job: decrypt-variable

The second job decrypt-variable maps workflow variables to environment variables like this:

Image Modified


Explanation:

...

  • The job makes use of JS7 - Script Includes: the CryptoPowerShell Script Include holds the PowerShell functions used in the job.
    • The ##!include CryptoPowerShell inserts the PowerShell code available from the indicated CryptoPowerShell Script Include.
    • The Script Include can be invoked with repeated --replace=<what>,<with> options.
      • The Script Include optionally can be parameterized to specify the location of the private key.
        • ##!include CryptoPowerShell --replace="<private-key>","/var/sos-berlin.com/js7/agent/config/private/agent.key"
        • The first argument of the --replace option is a placeholder available with the CryptoPowerShell Script Include.
        • The second argument represents the value by which the placeholder will be replaced. The above value represents the default value that will be used of the Script Include is invoked without replacement options.
      • The Script Include can be parameterized to specify a passphrase required by the private key.
        • ##!include CryptoPowerShell --replace="<passphrase>","jobscheduler"
        • The Script Include holds the above passphrase as a default value. Users should consider to change or to drop the default passphrase.
  • The Decrypt-Variable function expects the encrypted value of the variable and the encrypted value of the symmetric key:
    • Decrypt-Variable -Value  <value> -Key <key> [-PrivateKey <private-key> [-Passphrase <passphrase>]]
      • <value>: The encrypted value of the variable is required.
      • <key>: The value of the variable holding the encrypted symmetric key is required.
      • <private-key>: The path to the private key file is specified. Defaults to <agent-data>/config/private/agent.key.
      • <passphrase>: The passphrase of the private key is specified.
    • The function will decrypt the encrypted symmetric key and will decrypt the encrypted value using the decrypted symmetric key.
  • The Decrypt-Variable function returns the secret that can be assigned an environment variable or other function.
  • It is recommended not to write the secret to a file or to perform any operation that will expose the secret to logging of output in the stdout and stderr channels.

Anchor
script_include_cryptopowershell
script_include_cryptopowershell
Script Include:

...

CryptoPowerShell

The CryptoPowerShell Script Include is located in the related inventory folder:

The CryptoPowershell CryptoPowerShell Script Include is implemented like this:

Image Modified


Explanation:

  • The CryptoPowershell CryptoPowerShell Script Include implements the Encrypt-Variable and Decrypt-Variable Powershell PowerShell functions.
  • Encryption and decryption is performed without external utilities.

...