
Introduction

Users may use credentials consisting of an account name and password for database connections, see JS7 - Database. Such credentials can be encrypted and decrypted using asymmetric keys. This applies to the following database connections using Hibernate:

We find a number of requirements for management of credentials:

  • Credentials should not be exposed to logging.
  • Credentials should not be stored in more than one place.
  • Credentials can be rotated on a regular basis.

We find a number of inadequate approaches that do not make for a secure solution:

  • Symmetric keys are a No-Go as they have to be available in two places, and it is left up to the implementation where to store the key.
  • Obfuscation is a No-Go as it does not withstand serious attacks.

The preferred solution with JS7 is use of asymmetric keys:

  • JS7 - Encryption and Decryption allows encryption to be performed outside of JS7 products.
  • No JS7 product is directly involved in encryption, as otherwise the JS7 product would know the credentials, which could potentially be compromised by logging etc.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.7.0

Asymmetric Keys

Encryption and decryption use asymmetric keys, for details see JS7 - Encryption and Decryption:

Encryption

In a Hibernate configuration file the following credentials can be encrypted:

  <property name="hibernate.connection.password">jobscheduler</property>
  <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
  <property name="hibernate.connection.username">jobscheduler</property>

Users are free to encrypt the password only or to encrypt the username and URL too. Encrypted values look like this:

  <property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
  <property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
  <property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>

Explanation:

  • Encrypted values start with the prefix enc://.
  • The value holds the following parts separated by spaces:
    • an encrypted symmetric key,
    • an initialization vector,
    • the secret encrypted with the symmetric key.
  • For decryption, the private key and the initialization vector are used to decrypt the symmetric key. The secret is then decrypted using the decrypted symmetric key.
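The enc:// layout described above can be checked mechanically before a configuration file is deployed. The following audit script is an added example and not part of JS7: it uses only the Python standard library, embeds a constructed hibernate.cfg.xml fragment that carries the sample password value from above, and reports which credential properties are still in plain text and whether each encrypted value has the three Base64 parts described. It reports the decoded byte lengths only and assumes nothing about the cipher or key size in use.

```python
import base64
import xml.etree.ElementTree as ET

ENC_PREFIX = "enc://"
CREDENTIAL_KEYS = ("hibernate.connection.username",
                   "hibernate.connection.url",
                   "hibernate.connection.password")

# Constructed hibernate.cfg.xml fragment: the password carries the encrypted
# sample value shown above, username and URL are still in plain text.
SAMPLE_CFG = """<hibernate-configuration><session-factory>
  <property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
  <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
  <property name="hibernate.connection.username">jobscheduler</property>
</session-factory></hibernate-configuration>"""


def parse_enc_value(value):
    """Split an enc:// value into (wrapped_key, iv, secret) as raw bytes.
    Raises ValueError unless the value is the prefix followed by exactly
    three space-separated Base64 parts: encrypted symmetric key, IV, secret."""
    if not value.startswith(ENC_PREFIX):
        raise ValueError("missing enc:// prefix")
    parts = value[len(ENC_PREFIX):].split(" ")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 3 space-separated parts, got %d" % len(parts))
    try:  # binascii.Error (a ValueError subclass) signals bad alphabet or padding
        return tuple(base64.b64decode(p, validate=True) for p in parts)
    except ValueError as exc:
        raise ValueError("part is not valid Base64: %s" % exc)


def audit_hibernate_config(xml_text):
    """Map each credential property to 'absent', 'plaintext',
    'encrypted(key_bytes,iv_bytes,secret_bytes)' or 'malformed: <reason>'."""
    report = {key: "absent" for key in CREDENTIAL_KEYS}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name")
        if name not in CREDENTIAL_KEYS:
            continue
        value = (prop.text or "").strip()
        if not value.startswith(ENC_PREFIX):
            report[name] = "plaintext"
            continue
        try:
            key, iv, secret = parse_enc_value(value)
            report[name] = "encrypted(%d,%d,%d)" % (len(key), len(iv), len(secret))
        except ValueError as exc:
            report[name] = "malformed: %s" % exc
    return report
```

Running audit_hibernate_config(SAMPLE_CFG) flags the username and URL as plaintext while the password decodes into 256, 16 and 16 bytes.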

Use with Scripts

Credentials can be encrypted using scripts:


Encryption using Unix Shell

  # encrypt the plain-text password with the public key/certificate and capture the script output
  result=$(./js7_encrypt.sh --cert="joc.crt" --in='jobscheduler')
  [ -n "${result}" ] || { echo "encryption failed, hibernate.cfg.xml left unchanged" >&2; exit 1; }

  # replace the password element in place; '@' is used as the sed delimiter because the encrypted value contains '/'
  sed -i'' -e "s@property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*@property name=\"hibernate.connection.password\">enc://${result}</property>@g" hibernate.cfg.xml

Encryption using Windows Shell

  rem encrypt the plain-text password; the script exposes its output in the JS7_ENCRYPT_VALUE environment variable
  call .\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"
  if not defined JS7_ENCRYPT_VALUE exit /b 1

  rem replace the password element; the PowerShell expression is passed as one quoted string and
  rem embedded double quotes are escaped as \" as required by powershell.exe -Command
  powershell.exe -Command "(Get-Content hibernate.cfg.xml) -replace 'property[ ]*name[ ]*=[ ]*\"hibernate.connection.password\".*', ('property name=\"hibernate.connection.password\">enc://' + $env:JS7_ENCRYPT_VALUE + '</property>') | Set-Content -Path hibernate.cfg.xml"

Explanation:

  • The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the public key or certificate file. The --in argument specifies the plain-text password.
  • For Unix
    • the script writes its output to the stdout channel, which is assigned to an environment variable.
    • the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
  • For Windows
    • the script writes its output to the JS7_ENCRYPT_VALUE environment variable.
    • the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.




