JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

We find a number of inadequate approaches that do not make it for a secure solution:

  • Symmetric keys are a No-Go as they are available in two places and leave it up to the implementation where to store the key.
  • Obfuscation is a No-Go as it does not resist to attacks.

The preferred solution with JS7 is use of asymmetric keys:

  • JS7 - Encryption and Decryption includes to perform encryption outside of JS7 products.
  • No JS7 product is directly involved in encryption as otherwise the JS7 product would know the credentials that potentially could be When performing encryption users should check that credentials are not compromised by logging etc.

For creation of Encryption Keys see JS7 - How to create X.509 Encryption Keys.

Display feature availability
StartingFromRelease2.7.0

...

Code Block
languagexml
  <property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
  <property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
  <property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>

...

  • Encrypted values start with the prefix enc://.
    • JS7 releases before 2.7.1 use the prefix: enc://
  • The The value holds the following parts separated by spaces:
    • the encrypted symmetric key,
    • the initialization vector,
    • the secret encrypted with the symmetric key.
  • For decryption the Private Key is used to decrypt the symmetric key. The symmetric key and initialization vector are used to decrypt the secret.

...

Code Block
languagebash
titleEncryption using Unix Shell
# encrypt secret and return result
result=$(./js7_encrypt.sh --cert="joc.crt" --in='jobscheduler')

# update hibernate.cfg.xml
sed -i'' -e "s@property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*@property name=\"hibernate.connection.password\"\>enc://${result}\</property\>@g" hibernate.cfg.xml
Code Block
languagebash
titleEncryption using Windows Shell
@rem encrypt secret and return result from JS7_ENCRYPT_VALUE environment variable
call .\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"

@rem update hibernate.cfg.xml
powershell.exe -Command "((Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">>enc:' + $env:JS7_ENCRYPT_VALUE + '</property>')) | Set-Content -Path hibernate.cfg.xml"
Code Block
languagepowershell
titleEncryption using PowerShell Shell
# encrypt secret and return result
$result = Invoke-JS7Encrypt -CertificatePath joc.crt -Value 'jobscheduler' -JavaLib /js7/js7.encryption/lib

# update Hibernate connection password in configuration file
((Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">>enc:' + $result + '</property>')) | Set-Content -Path hibernate.cfg.xml

...

  • The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the Certificate file or Public Key file. The --in argument specifies the plain text secret. Similar parameters are used if the Invoke-JS7Encrypt PowerShell cmdlet is used.
  • Consider that the Certificate/Public Key used for encryption has to match the Private Key used by the component that performs decryption:
    • for JOC Cockpit the Private Key is located in reach of JOC Cockpit, for example in its data directory.
    • for JS7 JITL Jobs that are executed with an Agent the Private Key is in reach of the related Agent, for example in its data directory.
  • For use with Unix Shell
    • the script writes output to the stdout channel that is assigned an environment variable.
    • the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
  • For use with Windows Shell
    • the script writes output to the JS7_ENCRYPT_VALUE environment variable.
    • the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.
  • For use with PowerShell
    • the cmdlet returns the encryption result.
    • the related element value is replaced in the hibernate.cfg.xml configuration file.

Integration with

...

Secret Manager Products

The scripts or cmdlets can be integrated with Password Secret Manager products that are used to create, to modify and to rotate passwords. A number of Password Secret Manager products offer hooks that allow to call scripts after a password is changed which is the preferred integration scenario.

...

The Hibernate configuration file has to hold a reference where to locate the location of the Private Key used for decryption:

...

The path to the Private Key file is specified from a property in the hibernate.cfg.xml file. The Private Key can optionally be protected by a password. The password is not a secret but aims to check integrity when reading/writing private keys. If no password is used to access the Private Key, then the related property should not be specifiedpassphrase. If no passphrase is used to access the Private Key, then the related property should not be specified.

Note: Private Keys can be protected using a passphrase that acts as a second factor when a human user will access the key: while the Private Key is in the file system, the passphrase is in the user's brains. However, this does not improve security for unattended processing: it's pointless to store a passphrase side-by-side with the Private Key in scripts or configuration files on the same media.

Related properties in the hibernate.cfg.xml file include:

Code Block
languagexml
  <property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
  <property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
  <property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>

  <property name="hibernate.sos.decryption_key">joc.key</property>
  <property name="hibernate.sos.decryption_keypassword">jobscheduler</property>

...

Code Block
languagexml
  <property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
  <property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
  <property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>

  <property name="hibernate.sos.keystore_path">credentials-keystore.p12</property>
  <property name="hibernate.sos.keystore_type">PKCS12</property>
  <property name="hibernate.sos.keystore_password">jobscheduler</property>
  <property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
  <property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>

...

  • hibernate.sos.keystore_path: The keystore path can be specified from an absolute path or from a relative path. The relative path starts from the JETTY_BASE/resources/joc directory of the JOC Cockpit installation.
  • hibernate.sos.keystore_type: The PKCS12 keystore type should be used. Typically keystores with the file name extension .p12 or .pfx signal indicate a PKCS12 compliant keystore.

  • hibernate.sos.keystore_password: The keystore should be be protected by a password. The password is not a secret, but aims to check checking integrity when reading/writing keystores.

  • hibernate.sos.keystore_keypassword: For use with the PKCS12 format the password passphrase for the key and the password for the keystore have to match.

  • hibernate.sos.keystore_keyalias: The Private Key's alias name is a unique identifier of the key in the keystore. An alias name has to be specified if more than one Private Key is available in the keystore. The property can be omitted for keystores that hold a single key.

...

It is possible to use the SSL Private Key/Certificate stored in JOC Cockpit's keystore for HTTPS connections for to perform encryption/decryption, see JS7 - JOC Cockpit HTTPS Connections.

...

Code Block
languagexml
titleExample for hibernate.cfg.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
 <session-factory>
  <property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
  <property name="hibernate.connection.password">enc://BLW40Z7PIGMq4btJ+ZuFMonL6XnGTHi/O8Q1d7s/ZGrTceQw/UotqkcL20zVOR7sTSXpGjCU9VsiJ+xodoIrnPla4pqOOuh+lIkuOrJJIt+7Hn+4BdcrCvdzx3Ys5vsPd13NJVk= QjdEjQ3RXbkopm8bCFnWYw== gh/JMrYD9JloP0sAOn8dNw==</property>
  <property name="hibernate.connection.url">enc://BOLk45C7Mv8MLteMLKwhuRbiaD+qtQsbf6sCILpHv6pVnkTyBRJpekG0F2Gk8j1MYPtuawP4aGI6QYGRfb8ATsvVnF4HvpNl3pWn+kiFgihcOuzIDmUmfxp6MJ5SA9Dp9A5bntA= fJN3OdAiqA393Nf7wgOTEg== Nq2v6z8b18hwnUzeLYLYscIHiXEj91BJJKlzJNqlD0Ub1cMRMGbkCidU9le8W1yS</property>
  <property name="hibernate.connection.username">enc://BPmDxWAkcgbUMiTREP+x4np4x/VnicgMTiiFNO7eEB9bRH4lhGgBAq8QQ3cz+HKWj0qRVgMEDU/pd6UDxrpbZf0ZDULdYwgRTWD1FaM2Fb12M2xGWWNHE9pryUCopU1nOSYdnbY= hNoSj7k9uFlVVuc8HjoVvg== a90hZkncSN1WUsQ/dQimDQ==</property>
  <property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
  <property name="hibernate.show_sql">false</property>
  <property name="hibernate.connection.autocommit">false</property>
  <property name="hibernate.format_sql">true</property>
  <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>

  <!-- Hikari Connection Pool -->
  <property name="hibernate.connection.provider_class">org.hibernate.hikaricp.internal.HikariCPConnectionProvider</property>
  <property name="hibernate.hikari.maximumPoolSize">10</property>

  <!-- Encryption / Decryption -->
  <property name="hibernate.sos.keystore_path">/var/sos-berlin.com/js7/joc/resources/joc/credentials-keystore.p12</property>
  <property name="hibernate.sos.keystore_type">PKCS12</property>
  <property name="hibernate.sos.keystore_password">jobscheduler</property>
  <property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
  <property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>
 </session-factory>
</hibernate-configuration>

...