...
- Symmetric keys are a No-Go as they are available in two places and leave it up to the implementation where to store the key.
- Obfuscation is a No-Go as it does not resist serious attacks.
The preferred solution with JS7 is the use of asymmetric keys:
...
Asymmetric Keys
Encryption and decryption use asymmetric keys, for details see JS7 - Encryption and Decryption:
Encryption
Hibernate Configuration File
In a Hibernate configuration file, typically using the hibernate.cfg.xml file name, the following credentials can be encrypted:
<property name="hibernate.connection.password">jobscheduler</property>
<property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
<property name="hibernate.connection.username">jobscheduler</property>
...
- Encrypted values start with the prefix enc://.
- The value holds the following parts separated by spaces:
  - an encrypted symmetric key,
  - an initialization vector,
  - the secret encrypted with the symmetric key.
- For decryption a private key and the initialization vector are used to decrypt the symmetric key. The secret is decrypted using the decrypted symmetric key.
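As an added example (not code from the JS7 project), the following Python parses the enc:// value format described above and audits a hibernate.cfg.xml for credential properties that are still in plain text. The 16-byte IV and block size are assumptions drawn from the sample values on this page, and the sample configuration is constructed.

```python
import base64
import xml.etree.ElementTree as ET

ENC_PREFIX = "enc://"
# Properties this page lists as encryptable in hibernate.cfg.xml.
CREDENTIAL_PROPERTIES = ("hibernate.connection.password", "hibernate.connection.url", "hibernate.connection.username")

def parse_enc_value(value):
    """Split an enc:// value into its three base64 parts and sanity-check them."""
    # Assumption: a 16-byte IV and 16-byte cipher blocks, as in the sample values on
    # the page; the page itself does not name the symmetric cipher.
    if not value.startswith(ENC_PREFIX):
        raise ValueError("missing enc:// prefix")
    parts = value[len(ENC_PREFIX):].split(" ")
    if len(parts) != 3:
        raise ValueError(f"expected 3 space-separated parts, got {len(parts)}")
    try:
        enc_key, iv, secret = (base64.b64decode(p, validate=True) for p in parts)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"part is not valid base64: {exc}") from None
    if len(iv) != 16:
        raise ValueError(f"IV must be 16 bytes, got {len(iv)}")
    if not secret or len(secret) % 16:
        raise ValueError(f"ciphertext length {len(secret)} is not a multiple of 16")
    return {"encrypted_key_len": len(enc_key), "iv_len": len(iv), "secret_len": len(secret)}

def classify_value(value):
    """Return 'plaintext', 'encrypted' or 'invalid: <reason>' for one property value."""
    if not value.startswith(ENC_PREFIX):
        return "plaintext"
    try:
        parse_enc_value(value)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "encrypted"

def audit_config(xml_text):
    """Map each credential property of a hibernate.cfg.xml to its classification."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): classify_value((p.text or "").strip())
            for p in root.iter("property") if p.get("name") in CREDENTIAL_PROPERTIES}

# Constructed sample: the password is the encrypted value shown on this page,
# the username was left in plain text and must be reported.
ENCRYPTED_PASSWORD = ("enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== "
                      "U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==")
SAMPLE_CFG = f"""<hibernate-configuration><session-factory>
<property name="hibernate.connection.password">{ENCRYPTED_PASSWORD}</property>
<property name="hibernate.connection.username">jobscheduler</property>
</session-factory></hibernate-configuration>"""
```

Running audit_config over a real hibernate.cfg.xml before deployment catches a property that was skipped by the replacement scripts or a value that was pasted incompletely.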
...
Scripts for Encryption
Credentials can be encrypted using scripts:
...
Unix:
result=$(./js7_encrypt.sh --cert="joc.crt" --in='jobscheduler')
sed -i'' -e "s@property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*@property name=\"hibernate.connection.password\">enc://${result}</property>@g" hibernate.cfg.xml
Windows:
call .\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"
powershell.exe -Command "((Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">enc://' + $env:JS7_ENCRYPT_VALUE + '</property>')) | Set-Content -Path hibernate.cfg.xml"
Explanation:
- The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the Certificate file or Public Key file. The --in argument specifies the plain text password.
- Consider that the Certificate/Public Key used for encryption has to match the Private Key used by the component that performs decryption:
  - for JOC Cockpit the Private Key is located in the JOC Cockpit data directory.
  - for JS7 JITL Jobs that are executed with an Agent the Private Key is located with the related Agent.
- For use with Unix
  - the script writes output to the stdout channel, which is assigned to an environment variable.
  - the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
- For use with Windows
  - the script writes output to the JS7_ENCRYPT_VALUE environment variable.
  - the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.
Decryption
The Hibernate configuration file has to hold a reference where to locate the Private Key used for decryption:
- from a key file in PEM format,
- from a keystore in PKCS12 format.
Use with Private Key File
The path to the Private Key file is specified from a property in the hibernate.cfg.xml file. The Private Key can optionally be protected by a password. The password is not a secret but aims to check integrity when reading/writing private keys.
Related properties in the hibernate.cfg.xml file look like this:
<property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
<property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
<property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>
<property name="hibernate.sos.decryption_key">joc.key</property>
<property name="hibernate.sos.decryption_keypassword">jobscheduler</property>
Use with Keystore
The path to the keystore file is specified from a property in the hibernate.cfg.xml file. The keystore should be in PKCS12 format.
Related properties in the hibernate.cfg.xml file look like this:
<property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
<property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
<property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>
<property name="hibernate.sos.keystore_path">credentials-keystore.p12</property>
<property name="hibernate.sos.keystore_type">PKCS12</property>
<property name="hibernate.sos.keystore_password">jobscheduler</property>
<property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
<property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>
Explanation:
- The keystore path can be specified as an absolute path or a relative path. The relative path starts from the JETTY_BASE/resources/joc directory of the JOC Cockpit installation.
- The PKCS12 keystore type should be used. Typically keystores with the file name extension .p12 or .pfx signal a PKCS12 compliant keystore.
- The keystore should be protected by a password. The password is not a secret, but aims to check integrity when reading/writing keystores. For use with the PKCS12 format the password for the key and the password for the keystore have to match.
- The Private Key's alias name is a unique identifier of the key in the keystore. An alias name has to be specified if more than one Private Key is available in the keystore.
Use with JOC Cockpit HTTPS Keystore
It is possible to use the SSL Private Key/Certificate stored in JOC Cockpit's keystore for HTTPS connections for encryption/decryption, see JS7 - JOC Cockpit HTTPS Connections.
Users should consider that Private Keys/Certificates are typically created for specific usages such as to secure an HTTPS connection. Should keys be created with the dataEncryption Key Usage then they can be used for encryption/decryption of credentials.
Many users consider it more secure to use different keys for encryption/decryption of HTTPS connections and for encryption/decryption of secrets.
Example
Find an example for a hibernate.cfg.xml configuration file for use with a MySQL database:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
    <property name="hibernate.connection.password">enc://BLW40Z7PIGMq4btJ+ZuFMonL6XnGTHi/O8Q1d7s/ZGrTceQw/UotqkcL20zVOR7sTSXpGjCU9VsiJ+xodoIrnPla4pqOOuh+lIkuOrJJIt+7Hn+4BdcrCvdzx3Ys5vsPd13NJVk= QjdEjQ3RXbkopm8bCFnWYw== gh/JMrYD9JloP0sAOn8dNw==</property>
    <property name="hibernate.connection.url">enc://BOLk45C7Mv8MLteMLKwhuRbiaD+qtQsbf6sCILpHv6pVnkTyBRJpekG0F2Gk8j1MYPtuawP4aGI6QYGRfb8ATsvVnF4HvpNl3pWn+kiFgihcOuzIDmUmfxp6MJ5SA9Dp9A5bntA= fJN3OdAiqA393Nf7wgOTEg== Nq2v6z8b18hwnUzeLYLYscIHiXEj91BJJKlzJNqlD0Ub1cMRMGbkCidU9le8W1yS</property>
    <property name="hibernate.connection.username">enc://BPmDxWAkcgbUMiTREP+x4np4x/VnicgMTiiFNO7eEB9bRH4lhGgBAq8QQ3cz+HKWj0qRVgMEDU/pd6UDxrpbZf0ZDULdYwgRTWD1FaM2Fb12M2xGWWNHE9pryUCopU1nOSYdnbY= hNoSj7k9uFlVVuc8HjoVvg== a90hZkncSN1WUsQ/dQimDQ==</property>
    <property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
    <property name="hibernate.show_sql">false</property>
    <property name="hibernate.connection.autocommit">false</property>
    <property name="hibernate.format_sql">true</property>
    <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
    <!-- Hikari Connection Pool -->
    <property name="hibernate.connection.provider_class">org.hibernate.hikaricp.internal.HikariCPConnectionProvider</property>
    <property name="hibernate.hikari.maximumPoolSize">10</property>
    <property name="hibernate.hikari.leakDetectionThreshold">30000</property>
    <!-- Encryption / Decryption -->
    <property name="hibernate.sos.keystore_path">/var/sos-berlin.com/js7/joc/resources/joc/credentials-keystore.p12</property>
    <property name="hibernate.sos.keystore_type">PKCS12</property>
    <property name="hibernate.sos.keystore_password">jobscheduler</property>
    <property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
    <property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>
  </session-factory>
</hibernate-configuration>