Table of Contents
Introduction
The Hibernate access layer is used for database access and therefore requires configuration files for credentials. The access information such as accounts, passwords and JDBC URLs etc. are specified in hibernate Hibernate configuration files. These Such files can be used at the time of installation of JOC Cockpit and JobScheduler Master and they can be created later on for individual jobs, e.g. the for use with the Job JobSchedulerManagedDatabaseJobSOSHibernate.
Generally it is preferable not to use passwords to access a database but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords then instead of using a plain text password in a configuration file you can add your password to a KeePass Credential Store and add a reference for the credential store Credential Store to your Hibernate configuration file.
...
- Database accounts, passwords, and URLs are specified as plain text with the above Hibernate configuration files when they are provided at the time of installation using the option
<entry key="databaseConfigurationMethod" value="withoutHibernateFile"/>. To make the hibernate configuration file use access data from a Credential Store it is required to first create the hibernate configuration file and then to use the<entry key="databaseConfigurationMethod" value="withHibernateFile"/>at the time of installation and to provide the path to the Hibernate configuration file with the e.g. with a value like this:<entry key="reporting.hibernateConfFile" value="jobscheduler.hibernate.cfg.xml"/>setting. - Support for use of a Credential Store with Hibernate configuration files
Display feature availability StartingFromRelease 1.13.3 Display feature availability StartingFromRelease 1.12.12
Referencing
...
The SOSKeePassDatabase the class uses a parameter string that holds a URI and a number of query parameters:
URI
cs://<entry_path>@<property_name> - required
- The URI based syntax includes the protocol cs://
- followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store database.
- followed by the @ character
followed by the <property_name> that should be retrieved:
- frequently-used properties include Credential Store field names such as title, user, password, attachment. Custom field names are supported.
Query Parameters
file - required
the path to the Credential Store database file. This file can be stored anywhere in the file system.password - optional
the password for the Credential Store database file.
It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.key_file - optional, default: <credential_store_database_filename_without_extension>.key
...
a Credential Store
...
...
Syntax for Hibernate Configuration
...
Files
The Hibernate configuration file is introduced with different elements (properties) that can be used to retrieve the information from a Credential Store. It provides two types of syntax:
Full Syntax
The Full syntax is used when the complete URI is to be used specified with each property element of the Hibernate configuration file. The following syntax can be used to retrieve access data from a Credential Store:
<property name="hibernate.connection.username">cs://<entry_path>@usersecret/database/reporting@user?file=[path to *./config/live/hibernate_example/secret.kdbx file]</property><property name="hibernate.connection.password">cs>cs:///<entry_path>@passwordsecret/database/reporting@password?file=[path to *./config/live/hibernate_example/secret.kdbx file]</property><property name="hibernate.connection.url">cs>cs:///<entry_path>secret/database/reporting@url?file=[path to *./config/live/hibernate_example/secret.kdbx file]</property>
...
Explanations:
- The
secret/database/reportingvalue is an example for a path to an entry in the KeePass database that holds the credentials. - The
./config/live/hibernate_example/secret.kdbxvalue is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The Short syntax is used when the credential store items are to be used in the hibernate configuration to provide the details about the credential store:
<property name="hibernate.sos.credential_store_file">[path to *./config/live/hibernate_example/secret.kdbx file]</property>→ Stores stores the path to the credential store Credential Store file<property name="hibernate.sos.credential_store_key_file">[path to *./config/live/hibernate_example/secret.key file]</property>→ Stores stores the path of the key file to open the credential storefor the Credential Store<property name="hibernate.sos.credential_store_password">[some password]secret</property>→ Stores stores the password of the credential store Credential Store file<property name="hibernate.sos.credential_store_entry_path">[/somesecret/entrydatabase/path]reporting</property> → specifies the directory structure→ specifies the folder hierarchy and entry name in the credentials store Credentials Store file.
After adding the Credential Store reference to the Hibernate configuration file as above the database access data credentials can be retrieved from the Credential Store by using the following property elements:
<property name="hibernate.connection.username">cs://@user</property><property name="hibernate.connection.password">cs://@password</property><property name="hibernate.connection.url">cs://@url</property>
URI and Query Parameters Hibernate Configuration Files
URI
cs://<entry_path>@<property_name> - required
- The URI based syntax includes the protocol cs://
- followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store.
- followed by the @ character
followed by the <property_name> that should be retrieved:
- frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported.
Query Parameters
file - required
the path to the Credential Store file. This file can be located anywhere in the file system.password - optional
the password for the Credential Store file.
It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.key_file - optional, default: <credential_store_filename_without_extension>.key
Refer to the Using a Credential Store for Jobs article for a detailed description.
Example
Hibernate Configuration File
Example of a Hibernate configuration file that for MySQL that makes use of a KeePass database that is secured with a key file (same name as the KeePass database but with extension .key):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
<session-factory>
<property name="hibernate.connection.url"><![CDATA[cs://serversecret/testdatabase/reporting/MySQL@urlreporting@url?file=./config/cs/kdbx-p-flive/hibernate_example/secret.kdbx]]></property>
<property name="hibernate.connection.username"><![CDATA[cs://serversecret/proddatabase/reporting/MySQL@userreporting@user?file=./config/cs/kdbx-p-flive/hibernate_example/secret.kdbx]]></property>
<property name="hibernate.connection.password"><![CDATA[cs://serversecret/testdatabase/reporting/MySQL@passwordreporting@password?file=./config/cs/kdbx-p-flive/hibernate_example/secret.kdbx]]></property>
<property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
<property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
<property name="hibernate.show_sql">false</property>
<property name="hibernate.connection.autocommit">false</property>
<property name="hibernate.format_sql">true</property>
<property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
</session-factory>
</hibernate-configuration> |
...
- The Hibernate file makes use of the KeePass database
kdbx-p-fsecret.kdbxlocated in the./config/csfolderlive/hibernate_examplefolder of JobScheduler Master with Key File Authentication. cs://serversecret/testdatabase/reporting/MySQL is is the path to the entry in the KeePass database where the database credentials are stored.
...
- If the base names of the KeePass database (
secret.kdbx) and of the key file (secret.key) are the same and if the files are stored in the same location then it is not required to specify the key file as it will be automatically be looked up. - It is possible to secure a KeePass database with a password, however, this makes no sense in this a context that avoids directly readable passwords. A key file can better be secured by OS permissions that rule access to the key file.
...
Download
- Download the attached archive hibernate_example.zip
Using the Example
- Unzip the archive to the
./config/livefolder of JobScheduler Master. This will create a sub-folderhibernate_example. - Add the database configuration according to your environment to the KeePass database
secret.kdbx-p-f.kdbx. Secure Access to the KeePass database is secured with a the key filekdbx-p-fsecret.key. - Make the changes for database access (URL, Usernameusername, Passwordpassword).
- The file The
hibernate-cs.syntax.full.cfg.xml includesxmlfile includes the elements to access the KeePass database. - The Databasejob includes the command (
query_databasejob includes the database query ) to be executed:select count(*) as number_of_hits from SCHEDULER_HISTORY; - The
display_resultsjob echos the value of the result parameternumber_of_hitsto the log.. - Run the order hibernate_order from JOC Cockpit.
- The output of the command database query will be displayed with the log.
References
- Links to Change Management System
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JITL-587 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JITL-589
...