JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 22

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 23

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jobs might require variables for parameterization that hold secrets. We find a number of requirements for management of such variables, see JS7 - How to encrypt and decrypt Variables

The preferred solution with JS7 is to use asymmetric keys, for details see JS7 - Encryption and Decryption.

...

Display feature availability
StartingFromRelease2.5.9

Display feature availability
StartingFromRelease2.6.6

Display feature availability
StartingFromRelease2.7.1

Download

The solution ships with JS7 Agents that can use encyption/decryption with shell jobs out-of-the-box.

...

Code Block
languagebash
titleExample how to create ECDSA private key and certificate
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format 
#   without passphrase
# openssl ecparam -name secp256k1 -genkey -noout -out agent.key
#   with passphrase
# openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -passout pass:"jobscheduler" -out agent.key

# create certificate
openssl req -new -x509 -key agent.key -out agent.crt -days 1825  
# openssl req -new -x509 -key agent.key -passin pass:"jobscheduler" -out agent.crt -days 1825

# extract public key from private key (not required)
# openssl ec -in agent.key -passin pass:pubout > agent.pub
# openssl ec -in agent.key -passin pass:"jobscheduler" -pubout > agent.pub
Code Block
languagebash
titleExample how to create RSA private key and certificate
linenumberstrue
collapsetrue
# navigate to the Agent's <agent-data>/config/private directory
cd /var/sos-berlin.com/js7/agent/config/private

# create the private key in pkcs#1 format
#   without passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout agent.key -out agent.crt
#   with passphrase
# openssl req -x509 -sha256 -newkey rsa:2048 -passout pass:"jobscheduler" -keyout agent.key -out agent.crt

# extract public key from certificate (not required)
# openssl x509 -pubkey -noout -in agent.crt > agent.pub

Step 2: Making the Certificate available


# openssl x509 -pubkey -noout -passin pass:"jobscheduler" -in agent.crt > agent.pub

Step 2: Making the Certificate available

Copy the Certificate file to the server(s) hosting the Agent(s) or 3rd-party components that should encrypt variables:

...

Code Block
titleExample for Encryption using Windows Shell
linenumberstrue
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
@echo %JS7_ENCRYPT_VALUE%
 
@rem encrypts the given secret using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output is provided from an environment variable that includes the encrypted symmetric key, initialization vector and encrypted stringsecret separated by space

Encrypting and forwarding Secret using Windows Shell in Jobs

...

Code Block
titleExample for Encryption using Windows Shell
linenumberstrue
echo secret file > %TEMP%\secret.txt
call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"
@echo %JS7_ENCRYPT_VALUE%

@rem encrypts the given file using an Agent's X.509 certificate
@rem consider that for Windows Shell all arguments have to be quoted
@rem output is available from the JS7_ENCRYPT_VALUE environment variable
@rem output includes the encrypted symmetric key, initialization vector and path to encrypted file separated by spacespaces

Decryption

Usage

Invoking the script without arguments displays the usage clause:

...

Code Block
titleUsage
Usage: js7_decrypt.cmd [Options] [Switches]

  Options:
     --key=<path>                  | path to private key file for decryption.
     --key-password=<password>     | password for the private key.
     --ivin=<initialization<encrypted-vector>result>  | base64 encoded initialization vector (returned| by encryption).
     --encrypted-key=<key>         | base64 encoded encrypted symmetric key (encrypted symmetric key, initialization vector and path to encrypted file as returned by encryption).
     --ininfile=<encrypted<path-to-secret>file>       | encryptedpath secret to decryptencrypted (returned by encryption)input file.
     --infileoutfile=<path-to-file>       | path to encrypteddecrypted inputoutput file. 
     --outfile=<path-to-file>      | path to decrypted output file. 

 
  Switches:
     -h | --help                   | displays usage

...

  • --key
    • Specifies the path to a the Private Key file that matches the X.509 Certificate or Public Key used for previous encryption.
    • The argument is required.
  • --key-password
    • Specifies the password if the Private Key file indicated with the --key option is protected by a password.
  • --iv
    • Specifies the base64 encoded initialization vector as returned during encryption.
    • The argument is required.
  • --encrypted-key
    • Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
    • The argument is required.
  • --in
    • Specifies the encrypted value encryption result that should be decrypted. The result includes the encrypted symmetric key, initialization vector and path to encrypted file separated by spaces as returned from the encryption step.
    • The argument is required. If the option --infile is specified, then its value takes precedence to the path specified with the --in optionOne of the options --in or --infile has to be specified.
  • --infile
    • Specifies the path to an encrypted file that should be decrypted.One of the
    • options If this option is specified then its value takes precedence to the path specified with the --in or --infile has to be specified option.
    • This option requires use of the --outfile option.
  • --outfile
    • Specifies the path to the output file that will be created holding the decrypted content of the input file.
    • The option is required if the --infile option is specified.

...

Code Block
titleExample for Decryption using Windows Shell
linenumberstrue
@rem call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"

for /f "tokens=1-3" %%i in ("call .\bin\js7_decrypt.cmd ^
    "--key=agent.key" ^
    "--in=%JS7_ENCRYPT_VALUE%") do (
@echo %JS7_DECRYPT_VALUE%

@rem decrypts the set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_string=%%k
)
 
call .\bin\js7_decrypt.cmd ^
    "--key=agent.key" ^
    "--key-password=jobscheduler" ^
    "--encrypted-key=%encrypted_symmetric_key%" ^
    "--iv=%encrypted_base64_iv%" ^
    "--in=%encrypted_string%"
@echo %JS7_DECRYPT_VALUE%

@rem decrypts the encrypted secret using an Agent's private key and passphrase
@rem consider that for Windows Shell all arguments have to be quoted
@rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret

Decrypting File using Windows Shell

encrypted result using an Agent's private key
@rem consider that for Windows Shell all arguments have to be quoted
@rem the JS7_DECRYPT_VALUE environment variable is automatically created and holds the decrypted secret

Decrypting File using Windows Shell

Code Block
titleExample for Decryption using Windows Shell
linenumberstrue
@rem
Code Block
titleExample for Decryption using Windows Shell
linenumberstrue
@rem call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt" "--outfile=%TEMP%\secret.txt.encrypted"

for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_file=%%k
)

call .\bin\js7_decryptencrypt.cmd ^
    "--keycert=agent.key" ^
   crt" "--infile=%TEMP%\secret.txt" "--key-password=jobscheduler" outfile=%TEMP%\secret.txt.encrypted"

call .\bin\js7_decrypt.cmd ^
    "--encrypted-key=%encrypted_symmetric_key%agent.key" ^
    "--ivin=%encrypted%JS7_base64ENCRYPT_iv%VALUE%" ^
    "--infile=%encrypted_file%%TEMP%\secret.txt.encrypted" ^
    "--outfile=%TEMP%\secret.txt.decrypted"
type %TEMP%\secret.txt.decrypted

@rem decrypts the given encrypted file using an Agent's private key and passphrase
@rem the JS7_ENCRYPT_VALUE environment variable is returned in the encryption step and holds the encrypted symmetric key, initialization vector and path to the encrypted file
@rem consider that for Windows Shell all arguments have to be quoted
@rem output includes the path to the decrypted file that is provided from the JS7_DECRYPT_FILE environment variable


Further Resources

...