Table of Contents | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Introduction
- The "Password Safe" ( Credential Store , (CS) connection and other allows sensitive data to be encrypted and stored securely and independently of the application(s) such as .YADE YADE and the JobScheduler YADE JITL Jobs that use this data. Access to the CS is only possible with access methods such as an SSH key or password.
- Currently CS is using "KeePass" and "KeePassX" with the db version 1.0, thus CS can be used on most popular OS platforms.
- The advantage of using a CS is that the CS stores the credentials (and other information/parameters) into sensitive information such as credentials in a standardized, secure and fully encrypted database , i.e. Keepass. YADE will and sensitive authentication information is not exposed in use. Applications access the CS database using a standard interface. The CS database can only be accessed by using password, encryption-key file (ppk) or a combination of both.
- The CS password is used to encrypt the contents stored in the CS database with AES.
- CS can be used to securely store information or parameters, database connection URL, run-time decryption key and other access data.
The following information can be retrieved from CS standard fields:
- UserID : The user identification of a user who is authorized for the operation.
- Password : Assigned password for the user.
- Server-Name : Target server name or IP address
- Notes : In the notes section of the CS other parameters/options can be stored, i.e. YADE parameters, database connection URL etc. The extra options are defined in a similarly way as used on the command line.
- File-Attachment : Files such as PGP or SSH private key files can be stored in the CS as attachments. Applications will retrieve the attached file at run-time and will delete the file immediately once operation is completed.
Scope
This article describes the use of the Credential Store with the YADE Client via the client's command line interface.
A description of the use of the Credential Store with the YADE JITL job can be found in the Jobs JADEJob & JADE4DMZJob article.
Configuration Procedure
- requires the use of a standard open database format (
.kdb
or.kdbx
), which allows the use of graphical and API interfaces across the most relevant operating systems.
Scope
This article is in two parts:
- The first part describes the use of the Credential Store in a relatively simple example file transfer configuration. The configuration described can be used to transfer files from a live server and a download containing the configuration file is available so that users can get a working Credential Store up, running and tested as easily as possible.
- The second part of the article describes Credential Store configuration elements not covered by the example configuration. In addition, the use of the Credential Store in with the JobScheduler YADE JITL jobs is described
This article does not attempt to provide a step-by-step description of file transfer configuration, which is available elsewhere in this article, for example, in the tutorials for YADE and the JobScheduler.
Anchor | ||||
---|---|---|---|---|
|
The example presented in this article illustrates the configuration and use of the Credential Store as part of a simple file transfer operation - downloading files from an online server to the user's local file system.
The configuration is stored in an XML settings file and includes the elements specifying the Credential store and the file transfer as a whole. This settings file can be used by both the YADE Client and by the YADE JITL jobs that are provided with the JobScheduler.
The example described in this article is The examples presented in this article are based on the simple file transfer example that is described in the detail in The YADE Client Command Line Interface - Tutorial 1 - Getting Started article. This tutorial describes the configuration required to download a number of files from a an online server provided by the SOS GmbH and save these file files on the user's local file system. Using this server together with the downloaded configuration file means that users can get a working example up and running with a minimum of effort. A simplified version of the configuration used in the tutorial (only specifying FTP) is available as a download: sos-berlin_demo_2_local.xml
In the current example, the Credential Store is to store configuration information for the online server - i.e. for the file transfer source. The principle described can be equally well used for the configuration of multiple file transfer source, target, proxy and jump-host servers and for the other file transfer protocols that can be used by the YADE Client.
Note that a YADE Client or JobScheduler Master is required to carry out the example file transfer. Instructions for installing and configuring the YADE Client can be found in the YADE - Tutorials article.
...
Instructions for installing and configuring the JobScheduler can be found in the JobScheduler Master - Installation Guide series of articles.
The example configuration file can be downloaded here:
Configuration Procedure for the Example
Installing the Credential Store and configuring the KeePass database
KeePass 2, which is just one of the applications available for creating and configuring .kdb
or .kdbx
databases, has been used in the current article to implement the Credential Store database and is used in the screenshots. The installation and use of KeePass 2 is described on the KeePass Web Site.
Feature Availability
Display feature availability | ||
---|---|---|
|
The full range of Credential Store features such as secure, compliant and password-free use of the Credential Store as well as compatibility with KeePass .kdb
databases requires the YADE Client in version 1.12.2 or newer.
Database Configuration
Credential Store databases are stored as either .kdb
or .kdbx
files on the file system.
The database included with the download files was configured as follows:
- Path:
.\jade_demo\keepass\demo_credential_store.kdbx
- Master Password:
sos
Note that a Master Key file can be used to provide further protection for the database, either instead of or in addition to the Master Password. This is described in the Advanced Configuration section of this article below but has not been configured for the download database.
Anchor | ||||
---|---|---|---|---|
|
Connection configuration information is stored in the Credential Store as an Entry and Entries can be organized into Groups.
The following fields are available for storing information in a CS Entry:
- Title: The identifier for the Entry, this could be a string containing, for example, the host name/server name.
- User name: The user identification of a user account who is authenticated for the operation.
- Password: Assigned password for a user account or passphrase for a private key.
- URL: The host name/server name or IP address of the server.
- Notes: This block can be used to specify additional parameters for the file transfer.
- File Attachment & String Fields: Files such as PGP or SSH private keys can be stored as attachments.
- A first file is specified as an attachment .
- Further files are specified using String field parameter / value pairs.
YADE will retrieve the contents of an attached file at run-time - intermediate or temporary files are not created when reading attachments.
Note that Attachments and String Fields are specified in the KeePass GUI via the AdvancedEdit Entry tab.
The following information needs to be specified for the current example:
- Groups:
demo,ftp
(optional) - Title:
demo_on_test.sos-berlin.com
- User name:
demo
- Password:
demo
- URL:
test.sos-berlin.com
(Alternatively, the IP address could have been specified here.)
The following screenshot shows that two Groups have been configured for the current example, named "demo" and "ftp", along with the Entry "demo_on_test.sos-berlin.com".
The next screenshot shows the configuration of the parameters in the "demo_on_test.sos-berlin.com" Entry:
Integrating the Credential Store in a File Transfer Configuration
The use of the Credential Store is specified in YADE Client file transfer configuration files, which are written in XML. We recommend using the SOS XML Editor to edit these files. Instructions for downloading, installing and using the XML Editor are linked from this page.
In the remainder of the current article, it is assumed that readers have made themselves familiar with the organization of the YADE Client file transfer configurations into Profiles and Fragments. This is described in The YADE Client Command Line Interface - Tutorial 1 - Getting Started article mentioned above.
The current example uses the XML configuration from the Getting Started tutorial article above and describes the necessary configuration elements required to move the sensitive information such as user name and password from the XML file to the Credential Store. Users wishing implement the current example should download the tutorial file transfer configuration file linked above and open it in their XML Editor, where they can then add the necessary configuration information.
The information required to use the Credential Store falls into two "areas":
- Information about the Credential Store itself (location, how to access its contents, etc.).
This information is configured in the XML file in a CredentialStoreFragment. - Information about how the information in the Credential Store (server address, password, etc.) is to be accessed for the file transfer.
This information is stored as a string in each of the relevant XML ProtocolFragment child elements (Hostname, Account. etc.).
In addition, the ProtocolFragment element has a reference specifying that the Credential Store is to be used.
Specifying the Credential Store
The following list shows the organization of the XML elements required to specify the Credential Store. These elements and their attributes are shown in full in the XML Editor screenshot below.
Fragments
ProtocolFragments
FTPFragment name
="ftp_demo_sos-berlin_cs"- ....
CredentialStoreFragmentRef
ref ="ftp_demo"
CredentialStoreFragments
CredentialStoreFragment
name ="ftp_demo"CSFile file path
%USERPROFILE%\jade_demo....CSAuthentication
PasswordAuthentication
- etc.
CSEntryPath
Profiles
- etc.
Addressing the information in the Credential Store
Parameters stored in a Credential Store database Entry can be addressed in the CredentialStoreFragment XML element as follows:
- The CSEntryPath element is used to specify the base path in the Credential Store database to the Entry.
In the current example this would be set to:demo/ftp/
demo_on_test.sos-berlin.com
wheredemo
andftp
are (optional) Group names, as already mentioned, anddemo_on_test.sos-berlin.com
is the Title of the KeePass database Entry.
The Credential Store Entry parameters are addressed using one of the following syntaxes:
- relative:
cs://@parameter_name
, where the parameter_name is the name of the relevant parameter specified for the Entry - for example, url and the CSEntryPath element is filled as shown above
- fully specified:
cs://
, and where the CSEntryPath element, which is a required element, is left blankdemo/ftp/
@parameter_namedemo_on_test.sos-berlin.com
The following parameters are fully specified in the Credential Store in the current example:
- Hostname:
cs://
(wheredemo/ftp/
@urldemo_on_test.sos-berlin.com
@url
specifies the URL element stored in the database ) - Account:
(wherecs://
demo/ftp/
@userdemo_on_test.sos-berlin.com
@user
specifies the User name element stored in the database) - Password:
(wherecs://
@passworddemo/ftp/
demo_on_test.sos-berlin.com
@password
specifies the Password element stored in the database)
Note that a full list of parameters is described in the Adding an Entry to the Credential Store section above.
Configuration in the XML Editor
Info | ||
---|---|---|
| ||
The XML Editor includes up-to-date documentation for elements as can be seen in the screenshot below, which shows the documentation for the Hostname element. |
The parts of the XML configuration relevant to the use of the Credential Store are shown in the following screenshot of the configuration for the current example, with parameter values highlighted according to their function:
The Transfer Target Directory
The screenshot above shows a CopyTarget.Directory parameter for a Windows environment:
${USERPROFILE}\jade_demo\transfer_receive
Depending on their operating system, users may find it necessary to modify this attribute before running the example.
XML Listing
The following code block can be opened to show the full XML configuration for the example:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="utf-8"?>
<Configurations xsi:noNamespaceSchemaLocation="http://www.sos-berlin.com/schema/jade/JADE_configuration_v1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Fragments>
<ProtocolFragments>
<FTPFragment name="ftp_demo_sos-berlin_cs">
<BasicConnection>
<Hostname><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@url]]></Hostname>
</BasicConnection>
<BasicAuthentication>
<Account><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@user]]></Account>
<Password><![CDATA[cs://demo/ftp/demo_on_test.sos-berlin.com@password]]></Password>
</BasicAuthentication>
<CredentialStoreFragmentRef ref="ftp_demo" />
</FTPFragment>
</ProtocolFragments>
<CredentialStoreFragments>
<CredentialStoreFragment name="ftp_demo">
<CSFile><![CDATA[%USERPROFILE%\jade_demo\keepass\demo_cred_store.kdbx]]></CSFile>
<CSAuthentication>
<PasswordAuthentication>
<CSPassword><![CDATA[sos]]></CSPassword>
</PasswordAuthentication>
</CSAuthentication>
<CSEntryPath />
</CredentialStoreFragment>
</CredentialStoreFragments>
</Fragments>
<Profiles>
<Profile profile_id="ftp_server_2_local_cs">
<Operation>
<Copy>
<CopySource>
<CopySourceFragmentRef>
|
The configuration provided in the download file will cause six files in the root server folder to be copied to a local /jade_demo/transfer_receive
folder, generating the target folder in the user's home or profile directory if required and permissions are available. The files will be transferred by FTP and authentication for the server (user name and password) is specified in the download file.
Installing and configuring the Credential Store
The installation of KeePass II is described on the Keepass Web Site.
For the examples described in the current article the following database was configured (on a Windows system):
- Path & name:
%USERPROFILE%\jade_demo\keepass\demo_cred_store.kdbx
- Master Password:
sos
The following information was specified in the database:
- Database:
demo_database
- Group:
demo
- Title:
demo on test.sos-berlin.com
- UserId:
demo
- Password:
demo
- URL:
test.sos-berlin.com
(alternatively, the IP address could have been specified here.
Integrating the Credential Store in a File Transfer Configuration
The use of the Credential Store is specified in YADE Client file transfer configuration files, which are written in XML. We recommend using the SOS XML Editor to edit these files. Instructions for downloading, installing and using the XML Editor are linked from this page.
In the remainder of the current article, it is assumed that readers have made themselves familiar with the organization of the YADE Client file transfer configurations into Profiles and Fragments. This is described in the Getting Started YADE tutorial linked above.
The following configuration elements are required to specify the use of a Credential Store:
- A Credential Store Fragments element that at the same level in the XML hierarchy as the Protocol Fragments elements.
- A Credential Store Fragment element that is referenced from the Protocol Fragment. This Fragment specifies the location and authentication for the Credential Store.
- The values of the connection and authentication elements are modified to refer to elements stored within the Credential Store.
The XML Configuration
The parts of the XML configuration relevant to the use of the Credential Store are shown in the following screenshot of the XML Editor:
Running the YADE Client with the Credential Store
The use of the Credential Store is contained within the settings file and is not exposed when calling the client. For example, for Windows systems:
Code Block | ||||
---|---|---|---|---|
| ||||
C:\Program Files\sos-berlin.com\jade\client\bin>jade.cmd -settings="%USERPROFILE%\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs" |
The output produced when successful:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
C:\Program Files\sos-berlin.com\jade\client\bin>jade.cmd -settings="%USERPROFILE%\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + START : JADE.CMD + + ----------------- + + DATE : 17.04.2018 14:56:51,26 + HOSTNAME : JS-PC + USER : aa + CALL : C:\Program Files\sos-berlin.com\jade\client\bin\jade.cmd -settings="C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + main INFO 14:56:54,679 (SOSDataExchangeEngineMain.java:76) ::Execute SOSDataExchange - Kommandozeilenprogram startet .... main INFO 14:56:54,711 (SOSDataExchangeEngine.java:536) ::showBanner ************************************************************************ * * * YADE - Managed File Transfer * * -----www.sos-berlin.com----- * * * ************************************************************************ Version = 1.12.3-SNAPSHOT (2018-04-15 23:09, revision f156fa1144fe219789e9bf2ad1d3a4b52a68cd24) Copyright 2003-2018 SOS GmbH Berlin Date = 2018-04-17 14:56:54 SettingsFile = C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml Profile = ftp_server_2_local_cs Operation = copy Transactional = false +------------Source------------ | Protocol = ftp | Host = test.sos-berlin.com | IP = 93.157.51.161 | User = demo | Password = *** | Passive = false | TransferMode = binary | Directory = ./ | FileSpec = .* | ErrorWhenNoFilesFound<FTPFragmentRef = trueref="ftp_demo_sos-berlin_cs" /> | Recursive </CopySourceFragmentRef> = false | Remove <SourceFileOptions> = false +------------Target------------ <Selection> | Protocol = local<FileSpecSelection> | Host = JS-PC<FileSpec><![CDATA[.*]]></FileSpec> | IP <Directory><![CDATA[./]]></Directory> = 192.11.0.85 | Directory </FileSpecSelection> = C:\Users\aa\jade_demo\transfer_receive/ | OverwriteFiles </Selection> = true main INFO 14:56:55,164 (SOSVfsFtpBaseClass.java:242) ::doConnect SOSVfs_D_0102: Verbunden mit Rechner 'test.sos-berlin.com' ³ber Port-Nummer '21'. main INFO 14:56:55,539 (SOSVfsFtpBaseClass.java:958) ::login (demo@test.sos-berlin.com:21) SOSVfs_D_133: Benutzer 'demo' eingeloggt. main INFO 14:56:55,695 (SOSVfsFtpBaseClass.java:1295) ::transferMode SOSVfs_D_123: Antwort des FTP-Servers ['binary']: '200 Type set to I'. main INFO 14:56:56,148 (SOSDataExchangeEngine.java:897) ::setInfo 6 files found for regexp '.*'. main INFO 14:56:56,945 (SOSDataExchangeEngine.java:788) ::printState SOSJADE_I_0101: Es wurden 6 Dateien ³bertragen main INFO 14:56:56,961 (SOSDataExchangeEngine.java:359) ::showResult ************************************************************************* Ausf³hrungsstatus = Ohne Fehler. Erfolgreiche ▄bertragungen = 6 ▄bersprungene ▄bertragungen = 0 Fehlgeschlagene ▄bertragungen = 0 letzter aufgetretener Fehler = ************************************************************************* main INFO 14:56:56,976 (SOSDataExchangeEngineMain.java:78) ::Execute Execute - Programm wurde ohne Fehler beendet + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + END : JADE.CMD + + ---------------- + + DATE : 17.04.2018 14:56:57,03 + HOSTNAME : JS-PC + USER : aa + CALL : C:\Program Files\sos-berlin.com\jade\client\bin\jade.cmd -settings="C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs" + EXIT : 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + |
See Also:
Parameter used by SOS Credential Store
...
Name | Title | Mandatory | Default |
---|---|---|---|
Process additional parameters from "notes" filed | false | false | |
CredentialStore_OverwriteExportedFile | false | true | |
CredentialStore_Permissions4ExportedFile | false | 600 | |
Delete Attachment On Exit of Application | false | true | |
Export attached file to disc | false | false | |
Name of the extracted attachment file | false |
| |
Name of the File containing the private Key | false |
| |
Password for CS | false |
| |
Authentication Method for the CS | true | privatekey | |
The Type of the crendential store application | false | KeePass | |
Path and Key for the credentials | true |
| |
Name of Credential Database | true |
| |
use credential store for authentication | false | false |
Parameter CredentialStore_ProcessNotesParams: Process additional parameters from notes field
- In the notes field of the CS database extra parameters like a database connection string , Proxy server IP etc. can be defined. These parameters will be processed with other parameters defined in settings file, JITL parameters. If a parameter with the same name is defined in the notes section then the parameter value in the notes of the CS will have priority.
Code Block | ||
---|---|---|
| ||
-dburl=test -verbose=2 -password=12345 |
- The notes properties of KeePass can be used to store extra parameters, i.e. options such as a database connection string, proxy server settings etc.
- Data-Type : SOSOptionBoolean
- The default value for this parameter is:
false
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_ProcessNotesParams
Parameter CredentialStore_OverwriteExportedFile
- At run-time YADE can export the file stored in the attachment field of the CS database to the local file system. For example If the attached file is an SSH key and YADE had to use the key file for file transfer operations. YADE will export the attached file into a predefined directory i.e. $HOME/.ssh. To avoid any unwanted overwriting of existing files in the $HOME/.ssh folder set this parameter as false.
- Data-Type: SOSOptionBoolean
- The default value for this parameter is:
true
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_OverwriteExportedFile
Parameter CredentialStore_Permissions4ExportedFile
- At run-time YADE can export the file defined in the attachment filed of the CS database to the local file system. For example If the attached file is an SSH key and YADE wants to use the key file for file transfer operations then YADE will export the attached file to a predefined directory, i.e. $HOME/.ssh, and the key file should have specific permissions.
Code Block | ||
---|---|---|
| ||
-CredentialStore_Permissions4ExportedFile="600" |
- Data-Type: SOSOptionString
- The default value for this parameter is:
600
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- CredentialStore_ExportAttachment - Export attached file to disc
- Alias: CS_Permissions4ExportedFile
Parameter CredentialStore_DeleteExportedFileOnExit: Delete Attachment On Exit of Application
- At run-time YADE will export the attached file of a CS to the local file system and once its operation is completed and irrespective of operation's status by default YADE will delete this file. In special cases, e.g. for debuging, if you want YADE not to delete the file then set this parameter as
false
. - Data-Type : SOSOptionBoolean
- The default value for this parameter is
true
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_DeleteExportedFileOnExit
Parameter CredentialStore_ExportAttachment: Export attached file to disc
- YADE can export a file that is stored in the CS database as attachment to the local file system. By default YADE does not export attached files.
- Data-Type: SOSOptionBoolean
- The default value for this parameter is:
false
. - Alias: CS_ExportAttachment
Parameter CredentialStore_ExportAttachment2FileName: Name of the extracted attachment file
To use the file stored in the CS as attachment during an operation, YADE has to export the attached file to the local file system. Use this parameter to define the name of exported file in the local file system.
Code Block | ||
---|---|---|
| ||
-CredentialStore_ExportAttachment2FileName="archive_server_ras.ppk" |
- Data-Type: SOSOptionOutFileName
- Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_ExportAttachment2FileName
Parameter CredentialStore_KeyFileName: Name of the File containing the private Key
Credential Store can be accessed by YADE using a private key or using a password or a combination of both. Define the path/location of the SSH key file using this parameter.
Code Block | ||
---|---|---|
| ||
-CredentialStore_KeyFileName="jade_cs_rsa.ppk" |
- Data-Type: SOSOptionInFileName
- Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_KeyFileName
Parameter CredentialStore_password: Password for CS
The Credential Store can be accessed by YADE using a private key or using a password or a combination of both. Define the CS access password using this parameter. Hint: always use a strong password for CS.
Code Block | ||
---|---|---|
| ||
-CredentialStore_password="55ybr293N!2BButnY4,w" |
Data-Type: SOSOptionPassword
Use together with parameter:
- use_credential_Store - use credential store for authentication
Alias: CS_password
Parameter CredentialStore_AuthenticationMethod: Authentication Method for the CS
There are three possible combinations of authentication methods.
Code Block | ||
---|---|---|
| ||
-CredentialStoreAuthenticationMethod="password"
--- OR ---
-CredentialStoreAuthenticationMethod="privatekey"
--- OR ---
-CredentialStoreAuthenticationMethod="password+privatekey" |
- Data-Type: SOSOptionString
- The default value for this parameter is:
privatekey
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- This parameter is mandatory.
- Alias: CS_AuthenticationMethod
Parameter CredentialStore_StoreType: The Type of the crendential store application
- At present only "KeePass" as CS database is supported and only
KeePass
as valid parameter value is permitted. - Data-Type: SOSOptionString
- The default value for this parameter is:
KeePass
. - Use together with parameter:
- use_credential_Store - use credential store for authentication
- Alias: CS_StoreType
Parameter CredentialStore_KeyPath: Path and Key for the credentials
- This option specifies the path of the access key for access to the credential store..
- Credential store can be accessed by the YADE using a private key or using a password or a combination of both. Define the path/location of the SSH key file using this parameter.
Code Block | ||
---|---|---|
| ||
-CredentialStore_KeyFileName="/ssh/server1/sap-upload" |
- Data-Type: SOSOptionString
- Use together with parameter:
- use_credential_Store - use credential store for authentication
- This parameter is mandatory.
- Alias: CS_KeyPath
Parameter CredentialStore_FileName: Name of Credential Database
- The path and name of the KeePass or KeePassX database file with the file extension .kdb.
Code Block | ||
---|---|---|
| ||
Command-Line : jade.sh -CredentialStoreFileName="/etc/keystore/sap_jade.kdb" |
Code Block |
---|
YADE profile : CredentialStoreFileName = /etc/keystore/sap_jade.kdb |
Code Block | ||
---|---|---|
| ||
Java API : CSOptions.CredentialStoreFileName.Value("/etc/keystore/sap_jade.kdb"); |
- Data-Type : SOSOptionInFileName
- Use together with parameter:
- use_credential_Store - use credential store for authentication
- This parameter is mandatory.
- Alias: CS_FileName
Parameter use_credential_Store: use credential store for authentication
- If you want to store your access data, i.e. user id, password, SSH key, database connection string in an encrypted CS database, then enable this parameter and configure access to the CS accordingly. By default YADE will look for the parameters from its configuration file, from the command line or from the JITL Job.
- Data-Type: SOSOptionBoolean
- The default value for this parameter is:
false
.
Example of YADE Profile using Credential Store : jade_settings.ini
...
</SourceFileOptions>
</CopySource>
<CopyTarget>
<CopyTargetFragmentRef>
<LocalTarget />
</CopyTargetFragmentRef>
<Directory><![CDATA[${USERPROFILE}\jade_demo\transfer_receive]]></Directory>
</CopyTarget>
</Copy>
</Operation>
</Profile>
</Profiles>
</Configurations> |
Running the YADE Client with the Credential Store
The use of the Credential Store is contained within the settings file and is not exposed when calling the YADE Client. For example, on Windows systems, the YADE Client is called for the current example using:
Code Block | ||||
---|---|---|---|---|
| ||||
C:\Program Files\sos-berlin.com\jade\client\bin>jade.cmd -settings="%USERPROFILE%\jade_demo\sos-berlin_demo_2_local_cs.xml" -profile="ftp_server_2_local_cs" |
After the YADE command has finished execution the number of files transferred can be read from the log file.
Note that the log files neither indicate that a credential store has been use for the transfer nor reveal any passwords.
Show If | ||
---|---|---|
| ||
Download ExampleA download is available containing a full XML configuration file for Windows users and Windows users with the necessary permissions will be able to use these files by unpacking the zip file to a Users of other operating systems may have to make minor configuration changes. |
Anchor | ||||
---|---|---|---|---|
|
Settings XML files such as the sos-berlin_demo_2_local_cs.xml
file which was used to configure the example described above can be used for JobScheduler JITL jobs. Here, only two parameters are needed to run the YADE JITL job (settings and profile) as can be seen in the next screenshot.
Note that we recommend that these parameters are set manually using the New button shown in the screenshot below and not using the Wizard button.
Note also that while the YADE Client runs under the current user account, the JobScheduler generally runs under a predefined account. This means that while paths in the configuration file can use parameters such as %USERPROFILE% when the configuration file is being used with the YADE Client, it is generally necessary to use absolute paths when the configuration file is to be used for JITL jobs.
Advanced Configuration
Key File Authentication
Key file authentication can be used for the Credential Store either alone or together with the password authentication described in the example above.
This option allows the the Credential Store to be used completely securely, yet without passwords, if required.
Key file authentication has to be configured for the Credential Store and in the XML settings file.
Configuring key file authentication in the Credential Store
KeePass provides a Create Composite Master Key function that is reached with the Files / Master Key... menu item. screen
The Create Composite Master Key function is shown in the following screenshot (Note that the Show expert options checkbox has to be selected first.):
Note also that the Master Password checkbox should not be selected if key file authentication is to be used without a master password.
The entropy of the key generated can be increased as part of the key creation procedure. This is done as part of the key generation procedure in the interface shown in the next screenshot.
For the purpose of this article the key has been saved in the jade_demo
folder used for the download example.
The next section describes the configuration of the XML settings file to include a reference to this file.
Configuring key file authentication in the XML settings file
Key file authentication is configured in the XML settings file by specifying a KeyFileAuthentication element as a child of the CSAuthentication element in the Credential Store fragment.
The key file element can be added either instead of or alongside a password authentication element as required.
This is shown in the following list:
CredentialStoreFragments
CredentialStoreFragment
name ="ftp_demo"CSFile file path
%USERPROFILE% \jade_demo....CSAuthentication
PasswordAuthentication
- .
CSPassword
myPassword
- .
KeyFileAuthentication
CSKeyFile
%USERPROFILE%\jade_demo\cs_key_file\demo_credential_store.key
CSEntryPath
Connection authentication key files
The Credential Store can be used to store RSA and similar connection authentication key files. These are stored in the Credential Store database as attachments.
Configuring authentication key files in the Credential Store
Attachments are added to the Credential Store in KeePass in the File Attachments section of the Advanced tab as shown in the screenshot below. Note that only one attachment can be added for each Credential Store Entry :
Configuring authentication key files in the XML settings file
A first attachment for, for example, SSH would be configured in the XML settings file by specifying an AuthenticationFile element in the SSHAuthentication element.
The key file element can be added either instead of or alongside a password authentication element as required.
This following list shows the configured of the SFTP Fragment required to carry out the download from the test.sos-berlin.com SFTP/FTP server that was used for the simple example described above: The AuthenticationFile element that specifies the Attachment in the Credential Store Entry is specified in the same way as the Hostname and other elements described in the example above.
SFTPFragment
name ="sftp_demo_sos-berlin_cs"BasicConnection
Hostname
cs://demo/sftp/demo_on_test.sos-berlin.com@attachment
SSHAuthentication
Account
AuthenticationMethodPublicKey
AuthenticationFile
cs://demo/sftp/demo_on_test.sos-berlin.com@attachmentPassphrase
myPassPhrase
CredentialStoreFragmentRef
ref="ftp_demo"
Note that this list also shows the use of a Passphrase element for the AuthenticationFile element. This is not required for authentication with the test.sos-berlin.com SFTP server but is provided as an illustration.
Passphrase elements are stored in the Credential Store as Notes.
Custom Parameters
Custom parameters allow XML ProtocolFragment elements such as StrictHostkeyChecking that do not belong to the standard keepass.GUI fields such as URL to be specified.
Configuring custom parameters in the Credential Store
Custom parameters are set as string name / value pairs. In the KeePass 2 GUI these are set by opening the Edit window for an Entry using the Add function in the String Fields section of the Advanced tab. .This is shown in the next screenshot:
Configuring custom parameters in the XML settings file
Custom parameters are configured in the XML settings file by ..
SFTPFragment
name ="sftp_tokyo_japan.sos-berlin.com"BasicConnection
SSHAuthentication
CredentialStoreFragmentRef
ref="demo_credential_store"StrictHostkeyChecking
"false"
Note that custom parameters can only be used to set parameters in ProtocolFragments - they cannot be used to set ProfileFragments parameters such as Recursive.
See Also
References
Support of the features described in this article is subject to the following issues:
Issues implemented with Release 1.12.1:
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-462 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-464 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-481 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-482 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-485 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-487 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-491
Issues implemented with Release 1.12.2:
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-493 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-498 Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key YADE-499