Introduction
- The Credential Store (CS) allows sensitive data to be encrypted and stored securely and independently of the application(s) such as YADE and the JobScheduler YADE JITL Jobs that use this data.
- The advantage of using a CS is that sensitive information such as credentials is kept in a standardized, secure and fully encrypted database, and authentication information is not exposed while it is in use. Applications access the CS database using a password, an encryption-key file or a combination of both.
- The CS requires the use of a standard open database format (.kdb or .kdbx), which allows the use of graphical and API interfaces across the most relevant operating systems.
Scope
This article is in two parts:
...
This article does not attempt to provide a step-by-step description of file transfer configuration, which is available elsewhere in this article, for example, in the tutorials for YADE and the JobScheduler.
The example presented in this article illustrates the configuration and use of the Credential Store as part of a simple file transfer operation - downloading files from an online server to the user's local file system.
...
Configuration Procedure for the Example
Installing the Credential Store and configuring the KeePass database
KeePass 2, which is just one of the applications available for creating and configuring .kdb or .kdbx databases, has been used in the current article to implement the Credential Store database and is used in the screenshots. The installation and use of KeePass 2 is described on the KeePass Web Site.
Feature Availability
The full range of Credential Store features, such as secure, compliant and password-free use of the Credential Store as well as compatibility with KeePass .kdb databases, requires the YADE Client in version 1.12.2 or newer.
Database Configuration
Credential Store databases are stored as either .kdb or .kdbx files on the file system.
...
Note that a Master Key file can be used to provide further protection for the database, either instead of or in addition to the Master Password. This is described in the Advanced Configuration section of this article below but has not been configured for the download database.
Connection configuration information is stored in the Credential Store as an Entry and Entries can be organized into Groups.
...
The next screenshot shows the configuration of the parameters in the "demo_on_test.sos-berlin.com" Entry:
Integrating the Credential Store in a File Transfer Configuration
The use of the Credential Store is specified in YADE Client file transfer configuration files, which are written in XML. We recommend using the SOS XML Editor to edit these files. Instructions for downloading, installing and using the XML Editor are linked from this page.
...
The current example uses the XML configuration from the Getting Started tutorial article above and describes the configuration elements required to move sensitive information such as the user name and password from the XML file to the Credential Store. Users wishing to implement the current example should download the tutorial file transfer configuration file linked above and open it in their XML Editor, where they can then add the necessary configuration information.
...
In addition, the ProtocolFragment element has a reference specifying that the Credential Store is to be used.
Specifying the Credential Store
The following list shows the organization of the XML elements required to specify the Credential Store. These elements and their attributes are shown in full in the XML Editor screenshot below.
Fragments
  ProtocolFragments
    FTPFragment name="ftp_demo_sos-berlin_cs"
      - ....
      CredentialStoreFragmentRef ref="ftp_demo"
  CredentialStoreFragments
    CredentialStoreFragment name="ftp_demo"
      CSFile (file path, e.g. %USERPROFILE%\jade_demo....)
      CSAuthentication
        PasswordAuthentication
          - etc.
      CSEntryPath
Profiles
  - etc.
Addressing the information in the Credential Store
Parameters stored in a Credential Store database Entry can be addressed in the CredentialStoreFragment XML element as follows:
...
Note that a full list of parameters is described in the Adding an Entry to the Credential Store section above.
Configuration in the XML Editor
Info: The XML Editor includes up-to-date documentation for elements, as can be seen in the screenshot below, which shows the documentation for the Hostname element.
The parts of the XML configuration relevant to the use of the Credential Store are shown in the following screenshot of the configuration for the current example, with parameter values highlighted according to their function:
The Transfer Target Directory
The screenshot above shows a CopyTarget.Directory parameter for a Windows environment:
...
Depending on their operating system, users may find it necessary to modify this attribute before running the example.
XML Listing
The following code block shows the full XML configuration for the example:

```xml
<?xml version="1.0" encoding="utf-8"?>
<Configurations xsi:noNamespaceSchemaLocation="http://www.sos-berlin.com/schema/jade/JADE_configuration_v1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Fragments>
    <ProtocolFragments>
      <FTPFragment name="ftp_demo_sos-berlin_cs">
        <BasicConnection>
          <Hostname><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@url]]></Hostname>
        </BasicConnection>
        <BasicAuthentication>
          <Account><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@user]]></Account>
          <Password><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@password]]></Password>
        </BasicAuthentication>
        <CredentialStoreFragmentRef ref="ftp_demo" />
      </FTPFragment>
    </ProtocolFragments>
    <CredentialStoreFragments>
      <CredentialStoreFragment name="ftp_demo">
        <CSFile><![CDATA[%USERPROFILE%\jade_demo\keepass\demo_cred_store.kdbx]]></CSFile>
        <CSAuthentication>
          <PasswordAuthentication>
            <CSPassword><![CDATA[sos]]></CSPassword>
          </PasswordAuthentication>
        </CSAuthentication>
        <CSEntryPath />
      </CredentialStoreFragment>
    </CredentialStoreFragments>
  </Fragments>
  <Profiles>
    <Profile profile_id="ftp_server_2_local_cs">
      <Operation>
        <Copy>
          <CopySource>
            <CopySourceFragmentRef>
              <FTPFragmentRef ref="ftp_demo_sos-berlin_cs" />
            </CopySourceFragmentRef>
            <SourceFileOptions>
              <Selection>
                <FileSpecSelection>
                  <FileSpec><![CDATA[.*]]></FileSpec>
                  <Directory><![CDATA[./]]></Directory>
                </FileSpecSelection>
              </Selection>
            </SourceFileOptions>
          </CopySource>
          <CopyTarget>
            <CopyTargetFragmentRef>
              <LocalTarget />
            </CopyTargetFragmentRef>
            <Directory><![CDATA[${USERPROFILE}\jade_demo\transfer_receive]]></Directory>
          </CopyTarget>
        </Copy>
      </Operation>
    </Profile>
  </Profiles>
</Configurations>
```
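The following Python script is an added example and is not part of the original article or of YADE's own tooling. It reads a settings document of the shape shown above, splits each cs://<entry path>@<field> reference into its Entry path and field name, and reports the things a reviewer of such a configuration would want to know: Account, Password or Passphrase elements that still hold literal values, a CredentialStoreFragmentRef that points to an undefined fragment, a cs:// reference in a fragment that has no store reference at all, a CSFile path that depends on an environment variable (which matters when the same file is used for JITL jobs), and a store that is protected by a master password only. The element names are those used on this page; the sample settings document is constructed inline, and its second protocol fragment ("ftp_plain") is invented to exercise the checks.

```python
"""Lint a YADE settings XML document for Credential Store usage.

Added example, not YADE's own tooling. It assumes the element names shown
on this page (CredentialStoreFragment, CSFile, CSAuthentication,
PasswordAuthentication, KeyFileAuthentication, CredentialStoreFragmentRef)
and the cs://<entry path>@<field> reference syntax of the example listing.
"""
import re
import xml.etree.ElementTree as ET

# cs://demo/ftp/demo_on_test.sos-berlin.com@password -> (entry path, field)
CS_REF = re.compile(r"^cs://(?P<path>[^@]+)@(?P<field>\w+)$")
# Elements whose value should be a cs:// reference, never a literal.
SENSITIVE = {"Account", "Password", "Passphrase"}
ENV_VAR = re.compile(r"%\w+%|\$\{\w+\}")

# Constructed sample: the page's FTP fragment plus an invented 'ftp_plain'
# fragment that still carries literal credentials and has no store reference.
SAMPLE_SETTINGS = r"""<Configurations>
  <Fragments>
    <ProtocolFragments>
      <FTPFragment name="ftp_demo_sos-berlin_cs">
        <BasicConnection>
          <Hostname><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@url]]></Hostname>
        </BasicConnection>
        <BasicAuthentication>
          <Account><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@user]]></Account>
          <Password><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@password]]></Password>
        </BasicAuthentication>
        <CredentialStoreFragmentRef ref="ftp_demo" />
      </FTPFragment>
      <FTPFragment name="ftp_plain">
        <BasicConnection><Hostname>test.sos-berlin.com</Hostname></BasicConnection>
        <BasicAuthentication>
          <Account>demo</Account>
          <Password>not-a-real-password</Password>
        </BasicAuthentication>
      </FTPFragment>
    </ProtocolFragments>
    <CredentialStoreFragments>
      <CredentialStoreFragment name="ftp_demo">
        <CSFile><![CDATA[%USERPROFILE%\jade_demo\keepass\demo_cred_store.kdbx]]></CSFile>
        <CSAuthentication>
          <PasswordAuthentication><CSPassword>sos</CSPassword></PasswordAuthentication>
        </CSAuthentication>
        <CSEntryPath />
      </CredentialStoreFragment>
    </CredentialStoreFragments>
  </Fragments>
</Configurations>
"""


def parse_cs_reference(value):
    """Return (entry path, field) for a cs:// reference, else None."""
    m = CS_REF.match(value.strip())
    return (m.group("path"), m.group("field")) if m else None


def index_stores(root):
    """Map CredentialStoreFragment name -> details, plus findings about each store."""
    stores, findings = {}, []
    for frag in root.iter("CredentialStoreFragment"):
        name = frag.get("name", "")
        cs_file = (frag.findtext("CSFile") or "").strip()
        auth = frag.find("CSAuthentication")
        has_pw = auth is not None and auth.find("PasswordAuthentication") is not None
        has_key = auth is not None and auth.find("KeyFileAuthentication") is not None
        stores[name] = {"file": cs_file, "password": has_pw, "keyfile": has_key}
        if has_pw and not has_key:
            findings.append(("info", f"store '{name}': master password is kept in the settings "
                                     f"file; KeyFileAuthentication can replace or supplement it"))
        if ENV_VAR.search(cs_file):
            findings.append(("warn", f"store '{name}': CSFile '{cs_file}' uses an environment "
                                     f"variable; JITL jobs run under a predefined account and "
                                     f"usually need an absolute path"))
    return stores, findings


def lint_settings(xml_text):
    """Return a list of (severity, message) findings for one settings document."""
    root = ET.fromstring(xml_text)
    stores, findings = index_stores(root)
    protocols = root.find("Fragments/ProtocolFragments")
    for proto in (list(protocols) if protocols is not None else []):
        pname = proto.get("name", "")
        ref = proto.find("CredentialStoreFragmentRef")
        store = ref.get("ref") if ref is not None else None
        if store is not None and store not in stores:
            findings.append(("error", f"fragment '{pname}': CredentialStoreFragmentRef "
                                      f"'{store}' is not defined"))
        for elem in proto.iter():  # every descendant element, including nested ones
            text = (elem.text or "").strip()
            if not text:
                continue
            if parse_cs_reference(text) is None:
                if elem.tag in SENSITIVE:
                    findings.append(("error", f"fragment '{pname}': <{elem.tag}> holds a "
                                              f"literal value instead of a cs:// reference"))
            elif store is None:
                findings.append(("error", f"fragment '{pname}': <{elem.tag}> uses cs:// but "
                                          f"no CredentialStoreFragmentRef is set"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_settings(SAMPLE_SETTINGS):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports two errors for the invented "ftp_plain" fragment (literal Account and Password), one warning for the %USERPROFILE% based CSFile path, and one informational finding that the "ftp_demo" store relies on a master password only; the page's own "ftp_demo_sos-berlin_cs" fragment produces no findings. The same check can be pointed at a real settings file by passing its contents to lint_settings.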
Running the YADE Client with the Credential Store
The use of the Credential Store is contained within the settings file and is not exposed when calling the YADE Client. For example, on Windows systems, the YADE Client is called for the current example using:
...
Note that the log files neither indicate that a credential store has been used for the transfer nor reveal any passwords.
Download Example
A download is available containing a full XML configuration file for Windows users and Windows users with the necessary permissions will be able to use these files by unpacking the zip file to a Users of other operating systems may have to make minor configuration changes.
Settings XML files such as the sos-berlin_demo_2_local_cs.xml file, which was used to configure the example described above, can be used for JobScheduler JITL jobs. Here, only two parameters are needed to run the YADE JITL job (settings and profile), as can be seen in the next screenshot.
...
Note also that while the YADE Client runs under the current user account, the JobScheduler generally runs under a predefined account. This means that while paths in the configuration file can use parameters such as %USERPROFILE% when the configuration file is being used with the YADE Client, it is generally necessary to use absolute paths when the configuration file is to be used for JITL jobs.
Advanced Configuration
Key File Authentication
Key file authentication can be used for the Credential Store either alone or together with the password authentication described in the example above.
...
Key file authentication has to be configured for the Credential Store and in the XML settings file.
Configuring key file authentication in the Credential Store
KeePass provides a Create Composite Master Key function that is reached with the File / Master Key... menu item:
...
The next section describes the configuration of the XML settings file to include a reference to this file.
Configuring key file authentication in the XML settings file
Key file authentication is configured in the XML settings file by specifying a KeyFileAuthentication element as a child of the CSAuthentication element in the Credential Store fragment.
...
CredentialStoreFragments
  CredentialStoreFragment name="ftp_demo"
    CSFile (file path, e.g. %USERPROFILE%\jade_demo....)
    CSAuthentication
      PasswordAuthentication
        CSPassword: myPassword
      KeyFileAuthentication
        CSKeyFile: %USERPROFILE%\jade_demo\cs_key_file\demo_credential_store.key
    CSEntryPath
Connection authentication key files
The Credential Store can be used to store RSA and similar connection authentication key files. These are stored in the Credential Store database as attachments.
Configuring authentication key files in the Credential Store
Attachments are added to the Credential Store in KeePass in the File Attachments section of the Advanced tab, as shown in the screenshot below. Note that only one attachment can be added for each Credential Store Entry:
Configuring authentication key files in the XML settings file
An attachment, for example for SSH, would be configured in the XML settings file by specifying an AuthenticationFile element in the SSHAuthentication element.
...
Passphrase elements are stored in the Credential Store as Notes.
Custom Parameters
Custom parameters allow XML ProtocolFragment elements such as StrictHostkeyChecking, which do not correspond to the standard KeePass GUI fields such as URL, to be specified.
Configuring custom parameters in the Credential Store
Custom parameters are set as string name / value pairs. In the KeePass 2 GUI these are set by opening the Edit window for an Entry and using the Add function in the String Fields section of the Advanced tab. This is shown in the next screenshot:
Configuring custom parameters in the XML settings file
Custom parameters are configured in the XML settings file by ..
...
Note that custom parameters can only be used to set parameters in ProtocolFragments - they cannot be used to set ProfileFragments parameters such as Recursive.
See Also
References
Support of the features described in this article is subject to the following issues:
Issues implemented with Release 1.12.1:
- YADE-462
- YADE-464
- YADE-481
- YADE-482
- YADE-485
- YADE-487
- YADE-491
Issues implemented with Release 1.12.2:
- YADE-493
- YADE-498
- YADE-499
...