...
Graphviz:

```dot
digraph structs {
    compound=true;
    rankdir=LR;
    Job [label=" Job ",style="filled",fillcolor="dodgerblue"]
    Secret [label=" Secret ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label=" Encrypted \n Secret ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label=" Certificate / \n Public Key ",style="filled",fillcolor="orange"]
    Workflow_Variable [label=" Workflow \n Variable ",style="filled",fillcolor="dodgerblue"]
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_encrypt.sh\njs7_encrypt.cmd\nInvoke-JS7Encrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    ForwardWorkflowVariable [shape="rectangle",label="Forward",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";
        Job -> UseCertificate;
        Job -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> ForwardWorkflowVariable [label="",fontname="Arial",fontsize="10pt"];
        ForwardWorkflowVariable -> Workflow_Variable [label="",fontname="Arial",fontsize="10pt"];
    }
}
```
...
- The job encrypts a secret using the target Agent's Certificate.
- A new variable is added to the workflow that holds the encrypted secret.
Examples:
Example for Encryption using Unix Shell

```bash
# encrypt secret
result=$(./js7_encrypt.sh --cert=agent.crt --in="12345678")

# forward "new_var" workflow variable holding the encrypted result
echo "new_var=$result" >> "$JS7_RETURN_VALUES"
```

Example for Encryption using Windows Shell

```batch
@rem encrypt secret and return result with JS7_ENCRYPT_VALUE environment variable
call .\js7_encrypt.cmd "--cert=agent.crt" "--in=12345678"

@rem forward "new_var" workflow variable holding the encrypted result
echo new_var=%JS7_ENCRYPT_VALUE% >> %JS7_RETURN_VALUES%
```
...
Example for Encryption using PowerShell

```powershell
# encrypt secret and return result
$result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value '12345678' -JavaLib /js7/js7.encryption/lib

# forward "new_var" workflow variable holding the encrypted result
"new_var=$result" | Out-File $env:JS7_RETURN_VALUES -Append
```
...
Graphviz:

```dot
digraph structs {
    compound=true;
    rankdir=LR;
    Job [label=" Job ",style="filled",fillcolor="dodgerblue"]
    Secret [label=" Secret ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label=" Encrypted \n Secret ",style="filled",fillcolor="dodgerblue"]
    PrivateKey [shape="ellipse",label=" Private Key ",style="filled",fillcolor="orange"]
    UsePrivateKey [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseEncryptedSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    DecryptSecret [shape="rectangle",label="Decrypt\njs7_decrypt.sh\njs7_decrypt.cmd\nInvoke-JS7Decrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";
        Job -> UsePrivateKey;
        Job -> UseEncryptedSecret;
        UseEncryptedSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        UsePrivateKey -> PrivateKey [label="",fontname="Arial",fontsize="10pt"];
        PrivateKey -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        DecryptSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
    }
}
```
...
- Workflow variables are provided from environment variables for shell jobs, see JS7 - Job Instruction.
- The job decrypts a secret using the current Agent's Private Key.
Examples:
Example for Decryption using Unix Shell

```bash
# encrypted result is assumed to be available from NEW_VAR environment variable
# and consists of three space-separated tokens: encrypted key, IV, encrypted string
secret=$(./js7_decrypt.sh \
    --key=agent.key \
    --encrypted-key="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 1)" \
    --iv="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 2)" \
    --in="$(printf "%s" "$NEW_VAR" | cut -d' ' -f 3)")

echo "$secret"
```

Example for Decryption using Windows Shell

```batch
@rem encrypted result is assumed to be available from NEW_VAR environment variable
for /f "tokens=1-3" %%i in ("%NEW_VAR%") do (
    set encrypted_symmetric_key=%%i
    set encrypted_base64_iv=%%j
    set encrypted_string=%%k
)

call .\js7_decrypt.cmd ^
    "--key=agent.key" ^
    "--encrypted-key=%encrypted_symmetric_key%" ^
    "--iv=%encrypted_base64_iv%" ^
    "--in=%encrypted_string%"

@echo %JS7_DECRYPT_VALUE%
```
Example for Decryption using PowerShell

```powershell
# encrypted result is assumed to be available from NEW_VAR environment variable
$secret = Invoke-JS7Decrypt -Value $env:NEW_VAR -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Write-Output $secret
```
Use with Job Resources
Writing Secrets to Job Resources
Graphviz:

```dot
digraph structs {
    compound=true;
    rankdir=LR;
    ExternalApplication [label=" External \n Application ",style="filled",fillcolor="dodgerblue"]
    Secret [label=" Secret ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label=" Encrypted \n Secret ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label=" Certificate / \n Public Key ",style="filled",fillcolor="orange"]
    Job_Resource [label=" Job Resource ",style="filled",fillcolor="dodgerblue"]
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_set_job_resource\nSet-JS7JobResource",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    StoreJobResource [shape="rectangle",label="Store",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";
        ExternalApplication -> UseCertificate;
        ExternalApplication -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> StoreJobResource [label="",fontname="Arial",fontsize="10pt"];
        StoreJobResource -> Job_Resource [label="",fontname="Arial",fontsize="10pt"];
    }
}
```
...
- The job encrypts a secret using the target Agent's Certificate and stores the encrypted result to a Job Resource variable.
Examples:

Example for Encryption using Unix Shell

```bash
./js7_set_job_resource.sh \
    --url=http://joc-2-0-primary:7446 \
    --controller-id=controller \
    --user=root \
    --password=root \
    --job-resource=/ProductDemo/Variables/pdBusinessSecret \
    --key=businessSecret \
    --value='12345678' \
    --env-var=BUSINESS_SECRET \
    --encrypt-cert=agent.crt
```
Example for Encryption using PowerShell

```powershell
Set-JS7JobResource `
    -Path /ProductDemo/Variables/pdBusinessSecret `
    -Key 'businessSecret' `
    -Value '12345678' `
    -EnvVar 'BUSINESS_SECRET' `
    -EncryptCertificatePath agent.crt `
    -JavaLib /js7/js7.encryption/lib
```
Reading Secrets from Job Resources
Variables from Job Resources are available from environment variables similar to workflow variables.
Decryption of secrets is the same as for Reading Secrets from Workflow Variables.
Use with Configuration Files
Writing Secrets to Configuration Files
Graphviz:

```dot
digraph structs {
    compound=true;
    rankdir=LR;
    ExternalApplication [label=" External \n Application ",style="filled",fillcolor="dodgerblue"]
    Secret [label=" Secret ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label=" Encrypted \n Secret ",style="filled",fillcolor="dodgerblue"]
    Certificate [shape="ellipse",label=" Certificate / \n Public Key ",style="filled",fillcolor="orange"]
    Configuration_File [label=" Configuration \n File ",style="filled",fillcolor="dodgerblue"]
    UseCertificate [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    EncryptSecret [shape="rectangle",label="Encrypt\njs7_encrypt.sh\njs7_encrypt.cmd\nInvoke-JS7Encrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    StoreConfigurationFile [shape="rectangle",label="Store",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";
        ExternalApplication -> UseCertificate;
        ExternalApplication -> UseSecret;
        UseCertificate -> Certificate [label="",fontname="Arial",fontsize="10pt"];
        Certificate -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        UseSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
        Secret -> EncryptSecret [label="",fontname="Arial",fontsize="10pt"];
        EncryptSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> StoreConfigurationFile [label="",fontname="Arial",fontsize="10pt"];
        StoreConfigurationFile -> Configuration_File [label="",fontname="Arial",fontsize="10pt"];
    }
}
```
Explanation:
- A secret should be stored to a configuration file, for example a password for access to a database.
- An external application creates/updates the secret, for example by password rotation.
- The application makes use of the js7_encrypt.sh|.cmd scripts to encrypt the secret and stores the encrypted secret to the configuration file. Similarly the Invoke-JS7Encrypt PowerShell cmdlet can be used.
- Find details from JS7 - How to encrypt and decrypt Database Credentials.
Examples:
Example for Encryption using Unix Shell

```bash
# encrypt secret and return result
result=$(./js7_encrypt.sh --cert=agent.crt --in="12345678")

# update <password> placeholder in application.conf file
# ('@' is used as the sed delimiter because the base64 result can contain '/')
sed -i'' -e "s@<password>@${result}@g" application.conf
```

Example for Encryption using Windows Shell

```batch
@rem encrypt secret and return result with JS7_ENCRYPT_VALUE environment variable
call .\js7_encrypt.cmd "--cert=agent.crt" "--in=12345678"

@rem update <password> placeholder in application.conf file
powershell.exe -Command "((Get-Content application.conf) -replace '<password>', $env:JS7_ENCRYPT_VALUE) | Set-Content -Path application.conf"
```

Example for Encryption using PowerShell

```powershell
# encrypt secret and return result
$result = Invoke-JS7Encrypt -CertificatePath agent.crt -Value '12345678' -JavaLib /js7/js7.encryption/lib

# update <password> placeholder in application.conf file
((Get-Content application.conf) -replace '<password>', $result) | Set-Content -Path application.conf
```
Reading Secrets from Configuration Files
Graphviz:

```dot
digraph structs {
    compound=true;
    rankdir=LR;
    Job [label=" Job ",style="filled",fillcolor="dodgerblue"]
    Secret [label=" Secret ",style="filled",fillcolor="limegreen"]
    Encrypted_Secret [label=" Encrypted \n Secret ",style="filled",fillcolor="dodgerblue"]
    PrivateKey [shape="ellipse",label=" Private Key ",style="filled",fillcolor="orange"]
    Configuration_File [label=" Configuration \n File ",style="filled",fillcolor="dodgerblue"]
    UsePrivateKey [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    UseEncryptedSecret [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    DecryptSecret [shape="rectangle",label="Decrypt\njs7_decrypt.sh\njs7_decrypt.cmd\nInvoke-JS7Decrypt",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    ReadConfigurationFile [shape="rectangle",label="Access",fontname="Arial",fontsize="10pt",style="filled",fillcolor="white"]
    subgraph encrypt {
        fontname="Arial";
        fontsize="12pt";
        Job -> UsePrivateKey;
        Job -> ReadConfigurationFile;
        ReadConfigurationFile -> Configuration_File [label="",fontname="Arial",fontsize="10pt"];
        Configuration_File -> UseEncryptedSecret [label="",fontname="Arial",fontsize="10pt"];
        UseEncryptedSecret -> Encrypted_Secret [label="",fontname="Arial",fontsize="10pt"];
        UsePrivateKey -> PrivateKey [label="",fontname="Arial",fontsize="10pt"];
        PrivateKey -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        Encrypted_Secret -> DecryptSecret [label="",fontname="Arial",fontsize="10pt"];
        DecryptSecret -> Secret [label="",fontname="Arial",fontsize="10pt"];
    }
}
```
...
- A job reads the encrypted secret from the configuration file.
- The job makes use of the js7_decrypt.sh|.cmd scripts to decrypt the secret by use of its Private Key. Similarly the Invoke-JS7Decrypt PowerShell cmdlet can be used.
Examples:
Example for Decryption using Unix Shell

```bash
# read secret from application.conf file that is assumed to look like this:
#   username=foo
#   password=gE4NPEbrrUFFdjbnvtX9ZWF9owz1ghwbjl2WLAP19k6ps1tXX+fug== KeU1ZYgNfF1kNfYQaIp/Wg== osXNvG2evsSnf3WUE8I8TQ==
result=$(grep -E '^password=' application.conf | cut -d '=' -f 2-)

# the encrypted result consists of three space-separated tokens: encrypted key, IV, encrypted string
secret=$(./js7_decrypt.sh \
    --key=agent.key \
    --encrypted-key="$(printf "%s" "$result" | cut -d' ' -f 1)" \
    --iv="$(printf "%s" "$result" | cut -d' ' -f 2)" \
    --in="$(printf "%s" "$result" | cut -d' ' -f 3)")

echo "$secret"
```
Example for Decryption using Windows Shell

tbd

Example for Decryption using PowerShell

```powershell
# read secret from application.conf file that is assumed to look like this:
#   username=foo
#   password=gE4NPEbrrUFFdjbnvtX9ZWF9owz1ghwbjl2WLAP19k6ps1tXX+fug== KeU1ZYgNfF1kNfYQaIp/Wg== osXNvG2evsSnf3WUE8I8TQ==
$match = ( Get-Content application.conf | Select-String "password=(.*)" ).Matches
$result = if ( $match.Groups.count -gt 1 ) { $match.Groups[1].Value }

$secret = Invoke-JS7Decrypt -Value $result -KeyPath agent.key -JavaLib /js7/js7.encryption/lib
Write-Output $secret
```
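The decryption examples for workflow variables and for configuration files, and the placeholder replacement when writing secrets to configuration files, all handle the same value format: three base64 tokens ("encrypted key", "IV", "encrypted string") separated by spaces. The examples above pick the tokens with `cut -f 1..3` and substitute them with `sed`, which works for well-formed input but passes empty arguments to the decrypt script when the variable is truncated or mangled. The following POSIX shell script is an added example and not JS7's own code: it validates the token count and alphabet before a decrypt call is assembled, reads and writes the `password=` entry of an `application.conf`, and replaces the `<password>` placeholder literally so that `/`, `+` and `=` in base64 output can never be misread as pattern or replacement syntax. The option names `--key`, `--encrypted-key`, `--iv`, `--in` and the file `agent.key` are the page's; `js7_decrypt.sh` itself is not run here, the script only prints the command line it would execute, and the sample value is the page's illustrative one.

```shell
#!/bin/sh
# Added example (not JS7's own code): helpers for the three-token value
# "<encrypted-key> <iv> <ciphertext>" that js7_encrypt.sh emits and
# js7_decrypt.sh consumes. Malformed values fail loudly here instead of
# silently passing empty arguments to the decrypt script.

# Sample value in the page's format (the page's illustrative application.conf
# entry; it is sample data, not a key or ciphertext that decrypts to anything).
SAMPLE_VALUE='gE4NPEbrrUFFdjbnvtX9ZWF9owz1ghwbjl2WLAP19k6ps1tXX+fug== KeU1ZYgNfF1kNfYQaIp/Wg== osXNvG2evsSnf3WUE8I8TQ=='

# is_base64 TOKEN: succeeds if TOKEN is non-empty and uses only the base64 alphabet.
is_base64() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# split_encrypted_value VALUE: prints the three tokens separated by single spaces;
# fails unless there are exactly three tokens and each one is base64.
split_encrypted_value() {
    _value=$1
    set -f                      # no pathname expansion while the value is word-split
    set -- $_value
    set +f
    [ $# -eq 3 ] || return 1
    for _t in "$1" "$2" "$3"; do
        is_base64 "$_t" || return 1
    done
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# decrypt_command VALUE: prints the js7_decrypt.sh command line for VALUE
# (agent.key as in the page's examples); fails on a malformed VALUE.
decrypt_command() {
    _tokens=$(split_encrypted_value "$1") || return 1
    set -- $_tokens
    printf '%s\n' "./js7_decrypt.sh --key=agent.key --encrypted-key=$1 --iv=$2 --in=$3"
}

# read_conf_value FILE KEY: prints the value of the first "KEY=..." line in FILE;
# fails when the key is absent. Only the first '=' separates key and value, so
# the '=' padding inside a base64 token survives.
read_conf_value() {
    _line=$(grep "^$2=" "$1" | head -n 1)
    [ -n "$_line" ] || return 1
    printf '%s\n' "${_line#*=}"
}

# replace_placeholder FILE PLACEHOLDER VALUE: replaces every literal PLACEHOLDER
# in FILE with VALUE. awk index/substr is used instead of a sed s/// command so
# that '/', '+' or '&' in VALUE are never interpreted as delimiter or pattern syntax.
replace_placeholder() {
    _tmp="$1.tmp.$$"
    awk -v ph="$2" -v val="$3" '{
        out = ""; s = $0
        while ((i = index(s, ph)) > 0) {
            out = out substr(s, 1, i - 1) val
            s = substr(s, i + length(ph))
        }
        print out s
    }' "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# demo: store the encrypted value in a constructed application.conf, read it back,
# validate it and print the decrypt call that a job would run next.
demo() {
    _conf="./application.conf.example.$$"
    printf 'username=foo\npassword=<password>\n' > "$_conf"      # constructed file
    replace_placeholder "$_conf" '<password>' "$SAMPLE_VALUE"
    _enc=$(read_conf_value "$_conf" password) || { echo "no password entry" >&2; rm -f "$_conf"; return 1; }
    _cmd=$(decrypt_command "$_enc") || { echo "malformed encrypted value: $_enc" >&2; rm -f "$_conf"; return 1; }
    rm -f "$_conf"
    printf '%s\n' "$_cmd"
}

demo
```

In a real job the printed command line is what `secret=$(...)` would capture, with `$_enc` coming from `$NEW_VAR` or from the Job Resource environment variable instead of a file; the validation step is the same in all three cases.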
Key Distribution
Keys can be distributed in a number of ways. Frequently used scenarios include:
- Users can create individual Private Keys and Certificates for encryption/decryption of secrets per Agent.
- Users can create Private Keys and Certificates that are shared amongst a number of Agents.
- This applies to use of an Agent Cluster that allows jobs to be executed on any Agent in the cluster.
...