...

A number of JS7 - Job Templates that implement database access support  support use of a Credential Store:

• JS7 - JITL Database Jobs
  • JS7 - JITL SQLExecutorJob
  • JS7 - JITL PLSQLJob
  • JS7 - JITL SQLPLUSJob
• JS7 - JITL SAP Jobs
  • JS7 - JITL SAPS4HANAJob

A number of JITL Job Templates require credentials, e.g. to access a database.

• Security Considerations
  • Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files.
  • Instead, a run-time interface is offered that allows to retrieve sensitive information from a Credential Store. References to Credential Store entries can safely be stored with parameter values.
• Credential Store
  • A credential store allows the secure storage and retrieval of credentials for authentication, as well as connection and other parameters, for a detailed features and supported products see YADE Credential Store.
• Solution Outline
  • Access to the Credential Store is automatically provided for JS7 - Job Templates.

Credential Store Access

Access to a Credential Store is specified with the URI and Query Parameters of the Credential Store.

URI

cs://<entry_path>@<property_name> - required 

• The URI based syntax includes the protocol cs:// 
• followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store.
• followed by the @ character

• followed by the <property_name> that should be retrieved:

  • frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported. 

Query Parameters

• file - required 
  
  • the path to the Credential Store file. This file can be located anywhere in the file system.

• password - optional 

  • the password for access to the Credential Store file. 
    

  • It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.

• key_file - optional, default: the path and name of the Credential Store file using the extension .key, for example, by default ./config/jobs.key is assumed if ./config/jobs.kdbx is specified.

Use with JITL Database Jobs

JITL Database Jobs can access a Credential Store in the following ways:

• when being used with by use of a Hibernate configuration file,
• by use of arguments

...

The Hibernate access layer is used for database access and therefore frequently requires configuration files for database credentials. The access information such as accounts, passwords and JDBC URLs etc. are specified in with Hibernate configuration files. 

Generally it is preferable not to use passwords to access a database but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords then instead of using a plain text password in a configuration file you can add your password to a KeePass Credential Store and add a reference for the Credential Store to your Hibernate configuration file.  

...

This applies to the following JITL Database Jobs:

• JS7 - JITL SQLExecutorJob
• JS7 - JITL PLSQLJob

References to a Credential Store

Syntax for Hibernate Configuration Files

The Hibernate configuration file includes a number of XML elements that can be populated from a Credential Store. It provides two types of syntax: .

Full Syntax

The Full full syntax is used when the complete URI is specified with each element of the Hibernate configuration file: 

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
    <session-factory>
        ...
        <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property> 
        <property name="hibernate.connection.password">cs://secret/database/reporting@password?file=./config/secret.kdbx</property>
        <property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx</property>
        ...
    </session-factory>
</hibernate-configuration

...

• The secret/database/reporting value is an example for a path to an entry in the KeePass database that holds the credentials.
• The ./config/secret.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The Short syntax is used when the credential store items are to short syntax can be used in if the hibernate Hibernate configuration to provide the details about the file includes explicit references to the credential store:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
    <session-factory>
        ...
        <property name="hibernate.connection.username">cs://@user</property> 
        <property name="hibernate.connection.password">cs://@password</property> 
        <property name="hibernate.connection.url">cs://@url</property>
         ...
        <property name="hibernate.sos.credential_store_file">./config/secret.

...

kdbx</property>
        <property name="hibernate.sos.credential_store_key_file">./config/secret.

...

key</property>
        <property name="hibernate.sos.credential_store_password"

...

>secret</property>
        <property name="hibernate.sos.credential_store_entry_path">/secret/database

...

/reporting</property>
        ...
    </session-factory>
</hibernate-configuration

Explanation:

• <property name="hibernate.sos.credential_store_file"> => path to the Credential Store file
• <property name="hibernate.connection.username">cs://@user</property> sos.credential_store_key_file"> => path of the key file for the Credential Store
• <property name="hibernate.connectionsos.credential_store_password">cs://@password</property> > => password of the Credential Store file
• <property name="hibernate.connection.url">cs://@url</property> 

URI and Query Parameters Hibernate Configuration Files

URI

cs://<entry_path>@<property_name> - required 

• The URI based syntax includes the protocol cs:// 
• followed by the <entry_path> that specifies the sos.credential_store_entry_path"> => folder hierarchy and entry name in the Credentials Store .
• followed by the @ character

• followed by the <property_name> that should be retrieved:

  • frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported. 

Query Parameters

• file - required 
  the path to the Credential Store file. This file can be located anywhere in the file system.

• password - optional 
  the password for the Credential Store file. 
  It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.

• key_file - optional, default: <credential_store_filename_without_extension>.key 

Refer to the  Using a Credential Store for Jobs article for a detailed description.

Use with Arguments

The JITL Database Jobs support the following arguments:

• file

Use with Arguments

References to a Credential Store can be directly specified from arguments. This applies to the following JITL Database Jobs:

• JS7 - JITL SQLExecutorJob
• JS7 - JITL PLSQLJob
• JS7 - JITL SQLPLUSJob

References to a Credential Store

References to a credential store can be directly specified from arguments.

Full Syntax

The full syntax is used when the complete URI is specified with an argument: 

JITL SAP Jobs can  

• Starting Point
  • Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
  • Such jobs are implemented as simple shell jobs.
• Security Considerations
  • Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files. Therefore credentials cannot be forwarded by parameters to jobs.
  • Instead, a run-time interface is offered that allows to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
• Credential Store
  • A credential store allows the secure storage and retrieval of credentials for authentication, as well as connection and other parameters, for a detailed features and supported products see YADE Credential Store.
• Solution Outline
  • Access to the credential store is provided by a Java class that can be loaded from shell jobs and from JS7 - Job Templates.
  • The Java class is parameterized with the path that identifies the requested entry from the credential store.

Usage 

JS7 Agents provide the com.sos.keepass.SOSKeePassDatabase Java class that can be invoked

• in a shell job by calling the java command line utility with the class name:
  • If the class is executed successfully:
    • return code = 0, output is sent to stdout
  • If execution of the class ends in error:
    • return code = 99, exception output is sent to stderr

  • from the command line like this:

    • java com.sos.keepass.SOSKeePassDatabase "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"

    • When invoking the class then the path to the entry in the credential store has to be specified. 

• by use of a shell script provided with JS7 Agents
  • for Unix environments:
    • $JS7_AGENT_HOME/bin/agent_credential_value.sh "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"
  • for Windows environments:
    • %JS7_AGENT_HOME%\bin\agent_credential_value.cmd "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"
  • The script hides the call to the java command line utility.
• A call to the SOSKeePassDatabase class syntactically uses a single parameter string that holds the URI and a number of query parameters:

URI

• cs://<entry_path>@<property_name> - required
  • The URI based syntax includes the protocol cs://
  • followed by the <entry_path> that specifies the directory structure and entry name in the credentials store file.
  • followed by the @ character
  • followed by the <property_name> that should be retrieved:
    • frequently used properties include credential store field names such as title, user, password. Custom field names are supported. 
      • starting with JITL-585 the attachment property is supported
    • for detailed explanations of available properties see the Using Credential Store to securely store authentication, connection and other parameters article.

Query Parameters

Standard Parameters

• file - required
  • the path to the credential store database file. This file can be stored anywhere in the file system. 
  • The path can be specified either relatively or absolutely. As a path separator both forward slashes and backslashes can be used. For example:
    • cs://databases/mysql_localhost@password?file=config/credential_store.kdbx
    • cs://databases/mysql_localhost@password?file=C:/ProgramData/sos-berlin.com/js7/agent/config/credential_store.kdbx
  • Relative paths are considered with respect to the Agent's working directory, see JS7_AGENT_WORK_DIR from the JS7 - Job Environment Variables
• password - optional
  • the password for the credential store database file.
  • It is recommended not to use this parameter and instead to use a key_file to access the credential store.
• key_file - optional, default: <credential_store_database_filename_without_extension>.key
  • a key file for the credential store database file.
  • If this parameter is set:
    • this path can be specified either relatively or absolutely. See explanation for the file parameter.
    • An exception will be raised if the .key file cannot be found.
  • If this parameter is not set:
    • a <credential_store_database_filename_without_extension>.key file such as credential_store.kdbx -> credential_store.key will be looked up in the directory where the credential store database file is located.
      • The .key file will be used if it exists.
      • An exception will be raised if a .key file is not found and the password parameter is not used.
• ignore_expired - optional (boolean 0-1), default: 0
  • ignore_expired=0 - an exception is raised if the entry has expired.
  • ignore_expired=1 - expiration of an entry is ignored.
• attachment - optional (boolean 0-1)
  
  • attachment=1 - a attachment field is used.

Advanced Parameters

...

• create_entry=0 - an exception is raised if the entry cannot be found.
• create_entry=1 - creates an entry if it does not exist.
  
  • an exception is raised if the root group of the cs://<entry_path> URI does not match the credential store root group.
  • creates the full path to the entry if it does not exist.

...

• set value of a string property:
  
  • cs://<entry_path>@<property_name>?...&set_property=<value>
    
    • <property_name> property exists:
      • property value will be updated.
    • <property_name> property does not exist:
      • <property_name> property will be created with the given value.
• set value of a binary property:
  • cs://<entry_path>@<property_name>?...&set_property=<file path>&attachment=1
    • <property_name> property exists:
      • property value will be updated with the <file path> file content.
    • <property_name> property does not exist:
      • <property_name> binary property will be created with the <file path> file content.
  • cs://<entry_path>@attachment?...&set_property=<file path>
    
    • creates a new binary property with the given file content if it does not exist (property name is a file name), or updates the binary property value from the given file content.

Explanation:

• The jobs/oracle/minos.sos value is an example for a path to an entry in the KeePass database that holds the credentials.
• The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The short syntax can be used if arguments are specified with references to the Credential Store location:

Use with JITL SAP Jobs

...

• does not create any output for the binary property set with the set_property.

...