...

• Download: JS7 - Download
• The solution is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt using Unix Shell. Encryption and decryption with Unix and Windows can be used interchangeably.
• The solution is available for Windows® Shell.

Managing the

...

Private/

...

Public Key Pair

Assymetric encryption makes use of a private/public key pair that can be created in a number of ways:

• If SSL certificates are in use to secure HTTPS connections to an Agent, see JS7 - Agent HTTPS Connections, then the related private key and certificate can be used for encryption/decryption too.
• Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 certificate. The X.509 certificate allows to derive the public key.
• User can create a self-signed X.509 certificate, see JS7 - How to create self-signed Certificates.
• Users can create a private/public key pair as explained in subsequent chapters.

Step 1: Create

...

the Private/Public Key pair

The following step is performed on the server hosting the Agent that should decrypt variables. The example makes use of the openssl command line utility that can be installed for Windows. There are alternative ways how to create private/public key pairs.

...

# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -keyout agent.key -out agent.crt
#   with passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt

# extract public key from certificate
openssl x509 -pubkey -noout -in agent.crt > agent.pub

Step 2: Make

...

Public Key available

Copy the public key file to the server(s) hosting the Agent(s) that should encrypt variables:

...

@rem call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"

for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_file=%%k
)

call .\bin\js7_decrypt.cmd ^
    "--key=agent.key" ^
    "--key-password=jobscheduler" ^
    "--encrypted-key=%encrypted_symmetric_key%" ^
    "--iv=%encrypted_base64_iv%" ^
    "--infile=%encrypted_file%" ^
    "--outfile=%TEMP%\secret.txt.decrypted"
type %TEMP%\secret.txt.decrypted

@rem decrypts the given encrypted file using an Agent's private key and passphrase
@rem the JS7_ENCRYPT_VALUE environment variable is returned in the encryption step and holds the encrypted symmetric key, initialization vector and path to the encrypted file
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable

...