Versions Compared

...

Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Job [label="   Job   ",style="filled",fillcolor="dodgerblue"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label="   Certificate /   \n   Public Key   ",style="filled",fillcolor="orange"]
    Workflow_Variable [label="   Workflow   \n   Variable   ",style="filled",fillcolor="dodgerblue"]
 
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_encrypt.sh\njs7_encrypt.cmd\nInvoke-JS7Encrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    ForwardWorkflowVariable [shape="rectangle",label="Forward",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Job -> UseCertificate;
        Job -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];

        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> ForwardWorkflowVariable [label="",fontname="Arial",fontsize="10pt"];
        ForwardWorkflowVariable -> Workflow_Variable [label="",fontname="Arial",fontsize="10pt"];
      }
}

...

  • The job encrypts a secret using the target Agent's Certificate.
  • A new variable is added to the workflow that holds the encrypted secret.
  • Examples:

    • Code Block
      languagebash
      titleExample for Encryption using Unix Shell
      # encrypt secret
      result=$(./js7_encrypt.sh --cert=agent.crt --in="12345678")
      
      # forward "new_var" workflow variable holding the encrypted result
      echo "new_var=enc://$result" >> "$JS7_RETURN_VALUES"
    • Code Block
      languagepowershell
      titleExample for Encryption using Windows Shell
      @rem encrypt secret and return result with JS7_ENCRYPT_VALUE environment variable
      call .\js7_encrypt.cmd "--cert=agent.crt" "--in=12345678"
      
      @rem forward "new_var" workflow variable holding the encrypted result
      echo new_var=enc://%JS7_ENCRYPT_VALUE% >> %JS7_RETURN_VALUES%

...

    • Code Block
      languagepowershell
      titleExample for Encryption using PowerShell
      # encrypt secret and return result
      $result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value '12345678' -JavaLib /js7/js7.encryption/lib
      
      # forward "new_var" workflow variable holding the encrypted result
      "new_var=$result" | Out-File $env:JS7_RETURN_VALUES -Append

Reading Secrets from Workflow Variables


Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Job [label="   Job   ",style="filled",fillcolor="dodgerblue"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue"]
    PrivateKey [shape="ellipse",label="   Private Key   ",style="filled",fillcolor="orange"]
 
    UsePrivateKey [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseEncryptedSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    DecryptSecret [shape="rectangle",label="Decrypt\njs7_decrypt.sh\njs7_decrypt.cmd\nInvoke-JS7Decrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Job -> UsePrivateKey;
        Job -> UseEncryptedSecret;
        UseEncryptedSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];

        UsePrivateKey -> PrivateKey [label="",fontname="Arial",fontsize="10pt"];
        PrivateKey -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];

        Encrypted_Secret -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        DecryptSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
    }
}

...

  • Workflow variables are provided from environment variables for shell jobs, see JS7 - Job Instruction.
  • The job decrypts a secret using the current Agent's Private Key.
  • Examples:

    • Code Block
      languagebash
      titleExample for Decryption using Unix Shell
      # encrypted result is assumed to be available from NEW_VAR environment variable
      # holding three space-separated tokens: encrypted symmetric key, IV, encrypted string
      secret=$(./js7_decrypt.sh \
          --key=agent.key \
          --encrypted-key="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 1)" \
          --iv="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 2)" \
          --in="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 3)")
      echo "$secret"
    • Code Block
      languagepowershell
      titleExample for Decryption using Windows Shell
      @rem encrypted result is assumed to be available from NEW_VAR environment variable
      for /f "tokens=1-3" %%i in ("%NEW_VAR%") do (
          set encrypted_symmetric_key=%%i
          set encrypted_base64_iv=%%j
          set encrypted_string=%%k
      )
        
      call .\js7_decrypt.cmd ^
          "--key=agent.key" ^
          "--encrypted-key=%encrypted_symmetric_key%" ^
          "--iv=%encrypted_base64_iv%" ^
          "--in=%encrypted_string%"
      @echo %JS7_DECRYPT_VALUE%

    • Code Block
      languagepowershell
      titleExample for Decryption using PowerShell
      # encrypted result is assumed to be available from NEW_VAR environment variable
      $secret = Invoke-JS7Decrypt -Value $env:NEW_VAR -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
      Write-Output $secret
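The Unix Shell example above cuts the value of NEW_VAR into three space-separated fields and hands whatever it finds to js7_decrypt.sh. The POSIX shell script below is an added example, not code from the JS7 documentation or from the JS7 scripts: it checks the layout first and fails closed when the variable does not hold exactly three base64 tokens. It assumes the value may carry the enc:// prefix that the encryption examples write into the workflow variable (that js7_decrypt.sh wants the prefix removed is an assumption), and the function names split_encrypted_value and decrypt_workflow_variable are the example's own. The sample value is constructed and is not real ciphertext.

```sh
#!/bin/sh
# Added example (not part of the JS7 documentation or scripts): validate the
# three-token layout of an encrypted value before calling js7_decrypt.sh.
# Assumptions: the value may carry the "enc://" prefix written by the encryption
# examples, and each of the three tokens (encrypted symmetric key, IV, encrypted
# string) is base64 text without embedded whitespace.

# Print the three tokens, one per line. Returns 1 on any other layout.
split_encrypted_value() {
    value=${1#enc://}                  # drop the optional prefix (assumption)
    set -f                             # no pathname expansion during word splitting
    set -- $value                      # split on whitespace into $1 $2 $3
    set +f
    [ $# -eq 3 ] || return 1
    for token in "$1" "$2" "$3"; do
        case $token in
            *[!A-Za-z0-9+/=]*) return 1 ;;   # character outside the base64 alphabet
        esac
    done
    printf '%s\n%s\n%s\n' "$1" "$2" "$3"
}

# Decrypt a validated value with the Agent's private key. Prints nothing and
# returns 1 if the value is malformed, so a garbled variable never reaches the
# decryption script. Expects ./js7_decrypt.sh and agent.key as in the page examples.
decrypt_workflow_variable() {
    tokens=$(split_encrypted_value "$1") || return 1
    enc_key=$(printf '%s\n' "$tokens" | sed -n 1p)
    iv=$(printf '%s\n' "$tokens" | sed -n 2p)
    enc_string=$(printf '%s\n' "$tokens" | sed -n 3p)
    ./js7_decrypt.sh \
        --key=agent.key \
        --encrypted-key="$enc_key" \
        --iv="$iv" \
        --in="$enc_string"
}

# Constructed sample in the expected layout (not real ciphertext); in a job the
# value comes from the NEW_VAR environment variable.
SAMPLE='enc://c2FtcGxlLWtleQ== c2FtcGxlLWl2 c2FtcGxlLXN0cmluZw=='
split_encrypted_value "$SAMPLE"

# In a job: stop with an error instead of continuing with an undecryptable secret.
if [ -n "${NEW_VAR:-}" ] && [ -x ./js7_decrypt.sh ]; then
    secret=$(decrypt_workflow_variable "$NEW_VAR") || { echo "NEW_VAR: unexpected format" >&2; exit 1; }
fi
```

The validation costs nothing at run time and turns a silently wrong or empty cut field into a job error, which is what you want when a workflow variable was never set or was overwritten by a later step.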

Use with Job Resources

Writing Secrets to Job Resources

Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    ExternalApplication [label="   External   \n   Application   ",style="filled",fillcolor="dodgerblue"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label="   Certificate /   \n   Public Key   ",style="filled",fillcolor="orange"]
    Job_Resource [label="   Job Resource   ",style="filled",fillcolor="dodgerblue"]
 
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_set_job_resource.sh\nSet-JS7JobResource",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    StoreJobResource [shape="rectangle",label="Store",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]

    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        ExternalApplication -> UseCertificate;
        ExternalApplication -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];

        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> StoreJobResource [label="",fontname="Arial",fontsize="10pt"];
        StoreJobResource -> Job_Resource [label="",fontname="Arial",fontsize="10pt"];
    }
}

...

  • The job encrypts a secret using the target Agent's Certificate and stores the encrypted result to a Job Resource variable.
  • Examples:

    • Code Block
      languagebash
      titleExample for Encryption using Unix Shell
      ./js7_set_job_resource.sh \
          --url=http://joc-2-0-primary:7446 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdBusinessSecret \
          --key=businessSecret \
          --value='12345678' \
          --env-var=BUSINESS_SECRET \
          --encrypt-cert=agent.crt

    • Code Block
      languagepowershell
      titleExample for Encryption using PowerShell
      Set-JS7JobResource `
          -Path /ProductDemo/Variables/pdBusinessSecret `
          -Key 'businessSecret' `
          -Value '12345678' `
          -EnvVar 'BUSINESS_SECRET' `
          -EncryptCertificatePath agent.crt `
          -JavaLib /js7/js7.encryption/lib

Reading Secrets from Job Resources

Variables from Job Resources are available from environment variables similar to workflow variables.

Decryption of secrets is the same as for Reading Secrets from Workflow Variables.

Use with Configuration Files

Writing Secrets to Configuration Files

Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    ExternalApplication [label="   External   \n   Application   ",style="filled",fillcolor="dodgerblue"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label="   Certificate /   \n   Public Key   ",style="filled",fillcolor="orange"]
    Configuration_File [label="   Configuration   \n   File   ",style="filled",fillcolor="dodgerblue"]
 
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_encrypt.sh\njs7_encrypt.cmd\nInvoke-JS7Encrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    StoreConfigurationFile [shape="rectangle",label="Store",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]

    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        ExternalApplication -> UseCertificate;
        ExternalApplication -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];

        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> StoreConfigurationFile [label="",fontname="Arial",fontsize="10pt"];
        StoreConfigurationFile -> Configuration_File [label="",fontname="Arial",fontsize="10pt"];
      }
}

Explanation:

  • A secret should be stored to a configuration file, for example a password for access to a database.
  • An external application creates/updates the secret, for example by password rotation.
  • The application makes use of the js7_encrypt.sh | .cmd scripts to encrypt the secret and stores the encrypted secret to the configuration file. Similarly the Invoke-JS7Encrypt PowerShell cmdlet can be used.
  • Find details from JS7 - How to encrypt and decrypt Database Credentials.
  • Examples:

    • Code Block
      languagebash
      titleExample for Encryption using Unix Shell
      # encrypt secret and return result
      result=$(./js7_encrypt.sh --cert=agent.crt --in="12345678")
      
      # update <password> placeholder in application.conf file
      sed -i'' -e "s@<password>@${result}@g" application.conf
    • Code Block
      languagepowershell
      titleExample for Encryption using Windows Shell
      @rem encrypt secret and return result with JS7_ENCRYPT_VALUE environment variable
      call .\js7_encrypt.cmd "--cert=agent.crt" "--in=12345678"
      
      @rem update <password> placeholder in application.conf file
      powershell.exe -Command "((Get-Content application.conf) -replace '<password>', $env:JS7_ENCRYPT_VALUE) | Set-Content -Path application.conf"
    • Code Block
      languagepowershell
      titleExample for Encryption using PowerShell
      # encrypt secret and return result
      $result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value '12345678' -JavaLib /js7/js7.encryption/lib
      
      # update <password> placeholder in application.conf file
      ((Get-Content application.conf) -replace '<password>', $result) | Set-Content -Path application.conf

Reading Secrets from Configuration Files

Graphviz
templateGraphvizSubgraphs
digraph structs {
    compound=true;
    rankdir=LR;

    Job [label="   Job   ",style="filled",fillcolor="dodgerblue"]
    Secret [label="   Secret   ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label="   Encrypted   \n   Secret   ",style="filled",fillcolor="dodgerblue"]
    PrivateKey [shape="ellipse",label="   Private Key   ",style="filled",fillcolor="orange"]
    Configuration_File [label="   Configuration   \n   File   ",style="filled",fillcolor="dodgerblue"]
 
    UsePrivateKey [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseEncryptedSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    DecryptSecret [shape="rectangle",label="Decrypt\njs7_decrypt.sh\njs7_decrypt.cmd\nInvoke-JS7Decrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    ReadConfigurationFile [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
 
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";

        Job -> UsePrivateKey;
        Job -> ReadConfigurationFile;
        ReadConfigurationFile -> Configuration_File [label="",fontname="Arial",fontsize="10pt"];
        Configuration_File -> UseEncryptedSecret [label="",fontname="Arial",fontsize="10pt"];
        UseEncryptedSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];

        UsePrivateKey -> PrivateKey [label="",fontname="Arial",fontsize="10pt"];
        PrivateKey -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];

        Encrypted_Secret -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        DecryptSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];        
      }
}

...

  • A job reads the encrypted secret from the configuration file.
  • The job makes use of the js7_decrypt.sh | .cmd scripts to decrypt the secret by use of its Private Key. Similarly the Invoke-JS7Decrypt PowerShell cmdlet can be used.
  • Examples:

    • Code Block
      languagebash
      titleExample for Decryption using Unix Shell
      # read secret from application.conf file that is assumed to look like this:
      #     username=foo
      #     password=gE4NPEbrrUFFdjbnvtX9ZWF9owz1ghwbjl2WLAP19k6ps1tXX+fug== KeU1ZYgNfF1kNfYQaIp/Wg== osXNvG2evsSnf3WUE8I8TQ==
      result=$(grep -E '^password=' application.conf | cut -d '=' -f 2-)
      
      # the value holds three space-separated tokens: encrypted symmetric key, IV, encrypted string
      secret=$(./js7_decrypt.sh \
          --key=agent.key \
          --encrypted-key="$(printf "%s" "$result" | cut -d' ' -f 1)" \
          --iv="$(printf "%s" "$result" | cut -d' ' -f 2)" \
          --in="$(printf "%s" "$result" | cut -d' ' -f 3)")
      echo "$secret"
    • Code Block
      languagepowershell
      titleExample for Decryption using Windows Shell
      @rem encrypted result is assumed to be available from RESULT environment variable
      @rem holding three space-separated tokens: encrypted symmetric key, IV, encrypted string
      for /f "tokens=1-3" %%i in ("%RESULT%") do (
          set encrypted_symmetric_key=%%i
          set encrypted_base64_iv=%%j
          set encrypted_string=%%k
      )
        
      call .\js7_decrypt.cmd ^
          "--key=agent.key" ^
          "--encrypted-key=%encrypted_symmetric_key%" ^
          "--iv=%encrypted_base64_iv%" ^
          "--in=%encrypted_string%"
      @echo %JS7_DECRYPT_VALUE%
    • Code Block
      languagepowershell
      titleExample for Decryption using PowerShell
      # read secret from application.conf file that is assumed to look like this:
      #     username=foo
      #     password=gE4NPEbrrUFFdjbnvtX9ZWF9owz1ghwbjl2WLAP19k6ps1tXX+fug== KeU1ZYgNfF1kNfYQaIp/Wg== osXNvG2evsSnf3WUE8I8TQ==
      $matches = ( Get-Content application.conf | Select-String "^password=(.*)" ).Matches
      $result = if ( $matches.Groups.count -gt 1 ) { $matches.Groups[1].Value }
      
      $secret = Invoke-JS7Decrypt -Value $result -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
      Write-Output $secret
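The Unix Shell examples for configuration files write the encrypted value with a sed substitution and read it back with grep. The POSIX shell functions below are an added example, not code from the JS7 documentation or scripts, and show the same round trip on a constructed application.conf: set_config_password replaces the <password> placeholder literally, so no character of the value is interpreted as a pattern or as the "&" of a substitution, and get_config_password returns only the line that starts with password=, so a commented-out line or a key such as db_password= cannot be picked up by mistake. The function names and the file layout (one key=value pair per line, "#" comments) are assumptions; the value written is a placeholder in the three-token layout, not real ciphertext, and would be split and passed to js7_decrypt.sh exactly as in the example above.

```sh
#!/bin/sh
# Added example (not part of the JS7 documentation or scripts): store an
# encrypted value in a key=value configuration file and read it back reliably.
# Assumptions: one key=value pair per line, lines starting with "#" are comments,
# and the encrypted value is the space-separated three-token text shown above.

# Replace the first "<password>" on every line with the encrypted value. awk's
# index/substr do a literal replacement, so nothing in the value is treated as a
# regular expression or as the "&" of a sed/awk substitution. (awk -v processes
# backslash escapes, which base64 text never contains.)
set_config_password() {   # $1 = file, $2 = encrypted value
    awk -v enc="$2" '{
        i = index($0, "<password>")
        if (i) $0 = substr($0, 1, i - 1) enc substr($0, i + 10)
        print
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the value of the line that starts with "password=" (surrounding blanks
# stripped). A bare grep 'password=' would also return "db_password=..." or a
# commented-out "# password=..." line; anchoring at the start of the line avoids both.
get_config_password() {   # $1 = file
    sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# Round trip on a constructed application.conf in a temporary directory. The
# value is a placeholder in the three-token layout, not real ciphertext.
demo_round_trip() {
    dir=$(mktemp -d)
    conf="$dir/application.conf"
    printf '%s\n' '# database credentials' 'username=foo' \
        '# password=<password>' 'db_password=<password>' 'password=<password>' > "$conf"
    set_config_password "$conf" 'a2V5 aXY= Y2lwaGVy'
    get_config_password "$conf"      # prints: a2V5 aXY= Y2lwaGVy
    rm -rf "$dir"
}

demo_round_trip
```

The literal replacement matters less for base64 (its alphabet contains no sed metacharacters) than for the habit: the same two functions keep working when the placeholder is later used for a value that does contain "@", "&" or "/".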

Key Distribution

Keys can be distributed in a number of ways. Frequently used scenarios include:

  • Users can create individual Private Keys and Certificates for encryption/decryption of secrets per Agent.
  • Users can create Private Keys and Certificates that are shared amongst a number of Agents.
    • This applies to use of an Agent Cluster, which allows jobs to be executed on any Agent in the cluster.

...