...
- Encrypted values start with the prefix enc://.
- The value holds the following parts separated by spaces:
  - the encrypted symmetric key,
  - the initialization vector,
  - the secret encrypted with the symmetric key.
- For decryption the Private Key is used to decrypt the symmetric key. The decrypted symmetric key and the initialization vector are then used to decrypt the secret.
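The enc:// layout and the two-step decryption described above, as an added example that is not JS7's own code: a POSIX shell script driving the openssl CLI to build such a value and to take it apart again. The algorithms (RSA-OAEP for the symmetric key, AES-256-CBC for the secret), the hex and base64 encodings of the parts and the key file names are assumptions, since the page does not state them.

```shell
# Added example (not JS7's own code): builds and decodes a value in the
# "enc://<encrypted key> <iv> <encrypted secret>" layout described above.
# Assumed details the page does not state: RSA-OAEP wraps the symmetric key,
# AES-256-CBC encrypts the secret, key and IV are hex, each part is base64.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key pair: private.pem stands for the Private Key kept by the
# decrypting component, public.pem for the certificate/public key ("joc.crt").
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/private.pem" 2>/dev/null
openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"

# encrypt_secret PUBLIC_KEY SECRET -> prints the enc:// value on stdout
encrypt_secret() {
    key=$(openssl rand -hex 32)   # fresh AES-256 key for this secret
    iv=$(openssl rand -hex 16)    # fresh IV for this secret
    enc_key=$(printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A)
    enc_secret=$(printf '%s' "$2" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" \
        | openssl base64 -A)
    printf 'enc://%s %s %s\n' "$enc_key" "$iv" "$enc_secret"
}

# decrypt_secret PRIVATE_KEY ENC_VALUE -> prints the secret; fails on bad input
decrypt_secret() {
    case "$2" in
        enc://*' '*' '*) ;;                 # prefix plus three space-separated parts
        *) echo "not an enc:// value: $2" >&2; return 1 ;;
    esac
    body=${2#enc://}
    enc_key=${body%% *}; rest=${body#* }
    iv=${rest%% *}; enc_secret=${rest#* }
    # Private Key recovers the symmetric key; key and IV then recover the secret
    key=$(printf '%s' "$enc_key" | openssl base64 -d -A | \
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep)
    printf '%s' "$enc_secret" | openssl base64 -d -A | \
        openssl enc -d -aes-256-cbc -K "$key" -iv "$iv"
}

value=$(encrypt_secret "$WORK/public.pem" "jobscheduler")
echo "$value"
decrypt_secret "$WORK/private.pem" "$value"; echo
```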
Scripts for Encryption
Credentials can be encrypted using scripts:
...
```sh
# encrypt secret
result=$(./js7_encrypt.sh --cert="joc.crt" --in='jobscheduler')

# update hibernate.cfg.xml
sed -i'' -e "s@property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*@property name=\"hibernate.connection.password\">enc://${result}</property>@g" hibernate.cfg.xml
```
```batch
@rem encrypt secret
call .\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"

@rem update hibernate.cfg.xml
powershell.exe -Command "((Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">' + $env:JS7_ENCRYPT_VALUE + '</property>')) | Set-Content -Path hibernate.cfg.xml"
```
...
- The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the Certificate file or Public Key file. The --in argument specifies the plain text secret.
- Consider that the Certificate/Public Key used for encryption has to match the Private Key used by the component that performs decryption:
  - for JOC Cockpit the Private Key is located in reach of JOC Cockpit, for example in its data directory.
  - for JS7 JITL Jobs that are executed with an Agent the Private Key is located in reach of the related Agent, for example in its data directory.
- For use with Unix
  - the script writes output to the stdout channel, which is assigned to an environment variable.
  - the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
- For use with Windows
  - the script writes output to the JS7_ENCRYPT_VALUE environment variable.
  - the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.
...
The scripts can be integrated with Password Manager products that are used to create, modify and rotate passwords. A number of Password Manager products offer hooks that allow scripts to be called after a password is changed, which is the preferred integration scenario.
...
Use with Keystore
The path to a keystore file is specified by a property in the hibernate.cfg.xml file. The keystore should comply with the PKCS12 format.
...
Users should consider that Private Keys/Certificates are typically created for specific usages, such as securing an HTTPS connection. Only keys created with the dataEncryption Key Usage option can be used for encryption/decryption of credentials.
Many users consider it more secure to use different keys for encryption/decryption of HTTPS connections and for encryption/decryption of secrets.
...