...

  • Encrypted values start with the prefix enc://.
  • The value holds the following parts separated by spaces:
    • the encrypted symmetric key,
    • the initialization vector,
    • the secret encrypted with the symmetric key.
  • For decryption the Private Key is used to decrypt the symmetric key. The decrypted symmetric key and the initialization vector are then used to decrypt the secret.

Scripts for Encryption

Credentials can be encrypted using scripts:

...

Encryption using Unix Shell (bash):

# encrypt secret
result=$(./js7_encrypt.sh --cert="joc.crt" --in='jobscheduler')

# update hibernate.cfg.xml
sed -i'' -e "s@property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*@property name=\"hibernate.connection.password\"\>enc://${result}\</property\>@g" hibernate.cfg.xml

Encryption using Windows Shell (cmd):

@rem encrypt secret
call .\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"

@rem update hibernate.cfg.xml
powershell.exe -Command "((Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">' + $env:JS7_ENCRYPT_VALUE + '</property>')) | Set-Content -Path hibernate.cfg.xml"

...

  • The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the Certificate file or Public Key file. The --in argument specifies the plain text secret.
  • Consider that the Certificate/Public Key used for encryption has to match the Private Key used by the component that performs decryption:
    • for JOC Cockpit the Private Key is located in the reach of JOC Cockpit, for example in its data directory.
    • for JS7 JITL Jobs that are executed with an Agent the Private Key is located within reach of the related Agent, for example in its data directory.
  • For use with Unix
    • the script writes its output to stdout, which is assigned to an environment variable.
    • the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
  • For use with Windows
    • the script writes output to the JS7_ENCRYPT_VALUE environment variable.
    • the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.
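The following is an added example, not code from the JS7 project, illustrating the enc:// value layout described above (encrypted symmetric key, initialization vector, encrypted secret, space separated) and the caveat that the Private Key used for decryption must match the Certificate used for encryption. It assumes the cryptography package; the choice of AES-256-CBC with PKCS7 padding, RSA-OAEP key wrapping and Base64 encoding of the parts are assumptions, not details taken from the page.

```python
import base64
import os

from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PREFIX = "enc://"
# Assumed key-wrapping scheme (not taken from the page).
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                         algorithm=hashes.SHA256(), label=None)


def encrypt_secret(public_key, secret):
    """Return 'enc://<wrapped key> <iv> <ciphertext>' for the given secret."""
    sym_key = os.urandom(32)  # fresh AES-256 key per secret (assumed cipher)
    iv = os.urandom(16)       # AES block size
    padder = padding.PKCS7(128).padder()
    padded = padder.update(secret.encode()) + padder.finalize()
    encryptor = Cipher(algorithms.AES(sym_key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    wrapped_key = public_key.encrypt(sym_key, OAEP)  # only the matching Private Key can unwrap
    parts = (wrapped_key, iv, ciphertext)
    return PREFIX + " ".join(base64.b64encode(p).decode() for p in parts)


def decrypt_secret(private_key, value):
    """Parse an enc:// value and recover the secret; raises on malformed input or a wrong key."""
    if not value.startswith(PREFIX):
        raise ValueError("not an encrypted value (missing enc:// prefix)")
    parts = value[len(PREFIX):].split(" ")
    if len(parts) != 3:
        raise ValueError("expected 3 space-separated parts, got %d" % len(parts))
    wrapped_key, iv, ciphertext = (base64.b64decode(p) for p in parts)
    sym_key = private_key.decrypt(wrapped_key, OAEP)  # step 1: Private Key unwraps the symmetric key
    decryptor = Cipher(algorithms.AES(sym_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode()  # step 2: key + IV decrypt the secret


def roundtrip(secret="jobscheduler"):
    """Encrypt with a key pair and decrypt with the same Private Key; returns (value, plaintext)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    value = encrypt_secret(key.public_key(), secret)
    return value, decrypt_secret(key, value)


def wrong_key_fails(secret="jobscheduler"):
    """A component holding a different Private Key cannot decrypt the value."""
    key_a = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_b = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    value = encrypt_secret(key_a.public_key(), secret)
    try:
        decrypt_secret(key_b, value)
    except ValueError:
        return True
    return False
```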

...

The scripts can be integrated with Password Manager products that are used to create, modify and rotate passwords. A number of Password Manager products offer hooks that allow scripts to be called after a password is changed, which is the preferred integration scenario.

...

Use with Keystore

The path to a keystore file is specified by a property in the hibernate.cfg.xml file. The keystore should comply with the PKCS12 format.

...

Users should consider that Private Keys/Certificates are typically created for specific usages, such as securing an HTTPS connection. Should keys be created with the dataEncryption Key Usage option then they can be used for encryption/decryption of credentials.

Many users consider it more secure to use different keys for encryption/decryption of HTTPS connections and for encryption/decryption of secrets.

...