JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jobs might require variables for parameterization that hold secrets. We find a number of requirements for management of such variables, see JS7 - How to encrypt and decrypt Variables

The preferred solution with JS7 is to use asymmetric keys, for details see JS7 - Encryption and Decryption.

  • Encryption and decryption can be performed directly by related jobs.
  • Encryption and decryption can be performed outside of JS7 products.
  • This includes that JS7 products have no knowledge of secret keys involved that potentially could be compromised by logging, database persistence etc.

For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.

Display feature availability
StartingFromRelease2.5.9

Display feature availability
StartingFromRelease2.6.6

...

Managing the Private Key and Certificate

Assymetric Asymetric encryption makes use of a Private Key and Certificate/Public Key that can be created in a number of ways:

  • Users can create a Certificate Signing Request (CSR) and ask their Certificate Authority (CA) to sign the CSR and to receive an X.509 Certificate. The X.509 Private Key or Certificate X.509 Certificate allow to derive the Public Key.
  • User can create a selfCA-signed X.509 Certificate, see JS7 - How to create self-signed X.509 SSL TLS Certificates.
  • Users can create a Private Key and Certificate as explained in the next chapter.

Note: Private Keys can be protected using a passphrase that acts as a second factor when a human user will access the key: while the Private Key is in the file system, the passphrase is in the user's brains. However, this does not improve security for unattended processing: it's pointless to store a passphrase side-by-side with the Private Key in scripts or configuration files on the same media.

Step 1: Creating the Private Key and Certificate

The following step is performed on the server hosting the Agent that should decrypt secrets using the openssl utility from the command line:. Find more examples and explanations from JS7 - How to create X.509 Encryption Keys.

Code Block
languagebash
titleExample how to create ECDSA private key and certificatePrivate Key and Certificate using ECDSA encryption
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/\config/\private directory
cd /var/Set-Location $env:Programdata\sos-berlin.com/\js7/\agent/\config/\private

# create thePrivate privateKey
# key  infor pkcs#1use format
#with passphrase add: without passphrase
# -passout pass:"secret"
openssl ecparam -name secp256k1secp384r1 -genkey -noout -out agent.key

# create Certificate withSigning passphraseRequest
openssl ecparamreq -genkeynew -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler"sha512 -nodes -key agent.key -out agent.keycsr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Agent"

# create certificate
openssl req -new -x509 -key agent.keyCertificate
$user_crt_tmp_file = New-TemporaryFile
"keyUsage=critical,keyAgreement,keyEncipherment" | Out-File $user_crt_tmp_file

#   for passphrase add: -passin pass:"jobschedulersecret"
openssl x509 -out agent.crtreq -sha512 -days 1825

# extract public -signkey agent.key from private key (not required)
# openssl ec -in-in agent.csr -out agent.keycrt -passin pass:"jobscheduler" -pubout > agent.pubextfile $user_crt_tmp_file
Remove-Item -Path $user_crt_tmp_file -Force
Code Block
languagebash
titleExample how to create RSA private key and certificatePrivate Key and Certificate using RSA encryption
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/\config/\private directory
cd /var/Set-Locataion $env:Programdata\sos-berlin.com/\js7/\agent/\config/\private

# create thePrivate privateKey keyand inCertificate pkcs#1Signing formatRequest
#   for passphrase without passphrase
# add: -passout pass:"secret"
openssl req -x509new -sha256 -newkey rsa:20484096 -sha256 -nodes -keyout agent.key -out agent.crtcsr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Agent"

# create  with passphrase
openssl req -x509 -sha256 -newkey rsa:2048 -passoutCertificate
$user_crt_tmp_file = New-TemporaryFile
"keyUsage=critical,keyAgreement,keyEncipherment" | Out-File $user_crt_tmp_file

#   for passphrase add: -passin pass:"jobschedulersecret"
openssl -keyoutx509 -req -sha512 -days 1825 -signkey agent.key -in agent.csr -out agent.crt

# extract public key from certificate (not required)
# openssl x509 -pubkey -noout -in agent.crt > agent.pub-extfile $user_crt_tmp_file
Remove-Item -Path $user_crt_tmp_file -Force

Step 2: Making the Certificate available

Copy the certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt secrets:

...

...

languagebash
titleExample where to copy the certificate
linenumberstrue
collapsetrue

...

# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# copy the agent.crt certificate file from to the current location using a file transfer tool or your clipboard

Encryption

Usage

PowerShell CLI 2.0 - Cmdlets - Invoke-JS7Encrypt

...

The cmdlet returns a single string value that holds the following elements separated by spaces:

  • encrypted assymetric asymetric key
  • initialization vector
  • encrypted secret or path to encrypted output file if the -File and -OutFile arguments are used.

...

Code Block
languagepowershell
titleExample for Encryption using PowerShell
linenumberstrue
$result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value "secret" -JavaLib /js7/js7.encryption/lib
"new_var=$result" | Out-File $env:JS7_RETURN_VALUES -Append

# encrypts the given secret using an Agent's X.509 certificate
# output includes the encrypted symmetric key, initialization vector and encrypted secret separated by spaces
# output is stored to the "new_var" variable (key/value pair) that is made available for later jobs in the workflow
# for PowerShell version 5.x users have to add the -Encoding OEM option to the Out-File cmdlet

Encrypting File using PowerShell

...

Code Block
languagepowershell
titleExample for Decryption using PowerShell
linenumberstrue
# assumes that prevous encryption created a "result" variable
# $result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value "secret" -JavaLib /js7/js7.encryption/lib

$secret = Invoke-JS7Decrypt -Value $result -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Write-Output "$secret"

# decrypts the given encrypted secret using an Agent's private key
# initialization vector, encrypted symmetric key and encrypted secret are returned during encryption
# output includes the decrypted secret

...

Code Block
languagepowershell
titleExample for Decryption using PowerShell
linenumberstrue
# assumes that prevous encryption created a "result" variable and encrypted output file
# $result = Invoke-JS7Encrypt -File /tmp/secret.txt -OutFile /tmp/secret.txt.enc -CertificatePath agent.crt -JavaLib /js7/js7.encryption/lib

Invoke-JS7Decrypt -Value $result -File /tmp/secret.txt.enc -OutFile /tmp/secret.txt.dec -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Get-Content /tmp/secret.txt.dec -Raw

# decrypts the given encrypted file using an Agent's private key
# creates the decrypted output file

Further Resources

...