Table of Contents
Introduction
The Hibernate configuration files are the Database configuration files. The database information like database users, passwords, and jdbc URLs etc are specified in the hibernate configuration files. These files configuration access layer is used for database access and therefore requires configuration files for credentials. The access information such as accounts, passwords and JDBC URLs etc. are specified in Hibernate configuration files. Such files can be used at the time of installation or of JOC Cockpit and JobScheduler Master and they can be created later on for the using with the ManagedDatabaseJobJSAdapterClass job.The Hibernate configuration files used by installation are:individual jobs, e.g. the for use with the Job JobSchedulerManagedDatabaseJobSOSHibernate.
Generally it is preferable not to use passwords to access a database but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords then instead of using a plain text password in a configuration file you can add your password to a KeePass Credential Store and add a reference for the Credential Store to your Hibernate configuration file.
- The following hibernate configuration files are available with JobScheduler Master and JOC Cockpit:
- JobScheduler Master:
- Run-time database: hibernate.cfg.xml
- Reporting database: reporting.hibernate.cfg.xml
- for JOC Cockpit:
- JobScheduler run-time database: jobscheduler.hibernate.cfg.xml
Reporting database: reporting.hibernate.cfg.xml
- JobScheduler Master:
- Database accounts, passwords, and URLs are specified as plain text with the above hibernate Hibernate configuration files when they are provided at the time of installation using the option
<entry key="databaseConfigurationMethod" value="withoutHibernateFile"/>. To make the hibernate configuration file to use the database information from the access data from a Credential Store it is required to first create the hibernate configuration files file and then to use the<entry key="databaseConfigurationMethod" value="withHibernateFile"/>at the time of installation and to provide the path to the Hibernate configurations file.configuration file e.g. with a value like this:<entry key="reporting.hibernateConfFile" value="jobscheduler.hibernate.cfg.xml"/>. - Support for use of a Credential Store with Hibernate configuration filesHibernate configuration file also supports Credential Store.
Display feature availability StartingFromRelease 1.13.3 Display feature availability StartingFromRelease 1.12.12
Create a custom hibernate file which accesses the Database accounts, password, and URL from the Credential Store.
Parameter String to retrieve the data from Credential Store
The SOSKeePassDatabase class uses a parameter string that holds a URI and a number of query parameters:
URI
cs://<entry_path>@<property_name> - required
- The URI based syntax includes the protocol cs://
- followed by the <entry_path> that specifies the directory structure and entry name in the credentials store file.
- followed by the @ character
followed by the <property_name> that should be retrieved:
- frequently used properties include credential store field names such as title, user, password,attachment Custom field names are supported.
Query Parameters
file - required
the path to the credential store database file. This file can be stored anywhere in the file system.password - optional
the password for the credential store database file.
It is recommended not to use this parameter and instead to use a key_file to access the credential store.key_file - optional, default: <credential_store_database_filename_without_extension>.key
Refer to the Knowledge base article Using a Credential Store for Jobs#Syntax for detailed description.
Syntax for hibernate Configuration files
Referencing a Credential Store
Syntax for Hibernate Configuration Files
The Hibernate The hibernate configuration file is introduced with different elements (property optionsproperties) which that can be used to retrieve the information from a Credential Store. It provides two types of syntax:
Full Syntax
The Full syntax is used when the complete URI is to be used specified with each property element of the Hibernate configuration file. The following syntax can be used to retrieve the information from Credential Store:
<property name="hibernate.connection.username">cs://secret/database/<entry_path>@userreporting@user?file=<path to database kdbx file><./config/live/hibernate_example/secret.kdbx</property><property name="hibernate.connection.password">cs>cs://secret/database/<entry_path>@passwordreporting@password?file=<path to database kdbx file>./config/live/hibernate_example/secret.kdbx</property><property name="hibernate.connection.url">cs>cs:///<entry_path>secret/database/reporting@url?file=<path to database kdbx file>./config/live/hibernate_example/secret.kdbx</property>
Explanations:
- The
secret/database/reportingvalue is an example for a path to an entry in the KeePass database that holds the credentials. - The
./config/live/hibernate_example/secret.kdbxvalue is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The Short syntax is used when the credential store items are to be used in the hibernate configuration to provide the details about the credential store:
<property name="hibernate.sos.credential_store_file">some/path/database.kdbx<>./config/live/hibernate_example/secret.kdbx</property>→ Stores stores the path to the credential store Credential Store file<property name="hibernate.sos.credential_store_key_file">some/path/database.key<>./config/live/hibernate_example/secret.key</property>→ Stores stores the path of the key file to open the credential storefor the Credential Store<property name="hibernate.sos.credential_store_password">some password<>secret</property>→ Stores stores the password of the credential store Credential Store file<property name="hibernate.sos.credential_store_entry_path">/somesecret/entrydatabase/path<reporting</property>→ specifies the directory structure → specifies the folder hierarchy and entry name in the credentials store Credentials Store file.
After adding the credential store items in the hibernate the Credential Store reference to the Hibernate configuration file as above the database information credentials can be retrieved from the credential store Credential Store by using the following property elementelements:
<property name="hibernate.connection.username">cs://@user</property><property name="hibernate.connection.password">cs://@password</property><property name="hibernate.connection.url">cs://@url</property>
Example of a hibernate file that uses KeePass database (kdbx) with Password to access database credentials.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
<session-factory>
<property name="hibernate.connection.url"><![CDATA[cs://server/test/reporting/MySQL@url?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>
<property name="hibernate.connection.username"><![CDATA[cs://server/prod/reporting/MySQL@username?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>
<property name="hibernate.connection.password"><![CDATA[cs://server/test/reporting/MySQL@password?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>
<property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
<property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
<property name="hibernate.show_sql">false</property>
<property name="hibernate.connection.autocommit">false</property>
<property name="hibernate.format_sql">true</property>
<property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
</session-factory>
</hibernate-configuration> |
Explanations
- Hibernate file make use of KeePass database (kdbx) for accessing Database credentials
- cs://server/test/reporting/MySQL is the <entry_path> path where the MySQL database credential stores.
- file - File path of the KeePass database (kdbx).
- password- Password for accessing the KeePass database (kdbx)
URI and Query Parameters Hibernate Configuration Files
URI
cs://<entry_path>@<property_name> - required
- The URI based syntax includes the protocol cs://
- followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store.
- followed by the @ character
followed by the <property_name> that should be retrieved:
- frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported.
Query Parameters
file - required
the path to the Credential Store file. This file can be located anywhere in the file system.password - optional
the password for the Credential Store file.
It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.key_file - optional, default: <credential_store_filename_without_extension>.key
Refer to the Using a Credential Store for Jobs article for a detailed description.
Example
Hibernate Configuration File
Example of a Hibernate configuration file for MySQL that makes use of a KeePass database that is secured Example of a hibernate file that uses the KeePass database (kdbx) with a key file (same name as of the kdbx KeePass database but with extension .key) to access database credentials.:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <hibernate-configuration> <session-factory> factory> <property name="hibernate.connection.url"><![CDATA[cs://serversecret/testdatabase/reporting/MySQL@urlreporting@url?file=./config/live/cs/kdbx-p-fhibernate_example/secret.kdbx]]></property> <property name="hibernate.connection.username"><![CDATA[cs://serversecret/proddatabase/reporting/MySQL@usernamereporting@user?file=./config/cs/kdbx-p-flive/hibernate_example/secret.kdbx]]></property> <property name="hibernate.connection.password"><![CDATA[cs://serversecret/testdatabase/reporting/MySQL@passwordreporting@password?file=./config/live/cs/kdbx-p-fhibernate_example/secret.kdbx]]></property> <property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property> <property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property> <property name="hibernate.show_sql">false</property> <property name="hibernate.connection.autocommit">false</property> <property name="hibernate.format_sql">true</property> <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property> </session-factory> </hibernate-configuration> |
Explanations
- The Hibernate file make makes use of the KeePass database (kdbx)
secret.kdbxlocated in the./config/live/hibernate_examplefolder of JobScheduler Master with Key File Authentication for accessing Database credentials. cs://serversecret/testdatabase/reporting/MySQL is the <entry_path> path where the MySQL database credential stores.- file- File path where the KeePass database (kdbx)
...
- is the path to the entry in the KeePass database where the database credentials are stored.
Notes:
- If the base names of the KeePass database (
secret.kdbx) and of the key file (secret.key) are the same and if the files are stored in the same location then it is not required to specify the key file as it will be automatically looked up. - It is possible to secure a KeePass database with a password, however, this makes no sense in a context that avoids directly readable passwords. A key file can better be secured by OS permissions that rule access to the key file.
...
Download
- Download the attached archive:For Windows Operating System credential_store_using_hibernate_Key_filearchive hibernate_example.zipFor Linux Operating System credential_store_using_hibernate_key_file_example.tar
Using the Example
- Unzip the archive to the
./config/livefolder of JobScheduler installation Master. This will create a sub-folderhibernate_example. - Add the database configuration according to your environment in the KDBX database (present in the example folder) for using the kdbx with the key file which accesses the credential to log in to the databaseto the KeePass database
secret.kdbx.. Access to the KeePass database is secured with the key filesecret.key. - Make the changes for database access (URL, username, password).
- The
hibernate-cs.syntax.full.cfg.xmlfile includes the elements to access the KeePass database. - The
query_databasejob includes the database query to be executed:select count(*) as number_of_hits from SCHEDULER_HISTORY; - The
display_resultsjob echos the value of the result parameternumber_of_hitsto the log.. - Run the order hibernate_order from JOC Cockpit.
- The output of the database query will be displayed with the log.
References
- Links to Change Management System
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JITL-587 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JITL-589