Introduction
Jobs might require variables for parameterization that hold secrets. There are a number of requirements for the management of such variables, see JS7 - How to encrypt and decrypt Variables.
The preferred solution with JS7 is to use asymmetric keys:
- Encryption and decryption can be performed directly by related jobs.
- Encryption and decryption can be performed outside of JS7 products.
- This means that JS7 products have no knowledge of the secret keys involved, which could otherwise be compromised by logging, database persistence etc.
Download
The solution ships with JS7 Agents that can use encryption/decryption from shell jobs.
The solution is provided for download to perform encryption and decryption outside of JS7.
- Download: JS7 - Download
- The solution is available for Linux, MacOS®, AIX® using bash, zsh, dash shell, see JS7 - How to encrypt and decrypt Variables using Unix Shell 2
- The solution is available for Windows® shell.
Encryption
Usage
Invoking the script without arguments displays the usage clause:
    Usage: js7_encrypt.cmd [Options] [Switches]

      Options:
        --cert=<path-to-certificate>  | path to X509 certificate or public key file used to encrypt the secret.
        --in=<secret>                 | secret that should be encrypted.
        --infile=<path-to-file>       | path to a file that should be encrypted.

      Switches:
        -h | --help                   | displays usage
Options
--cert
- Specifies the path to a file that holds the CA-signed or self-signed X509 certificate. Alternatively, the path to a file holding the public key can be specified.
--in
- Specifies the input value that should be encrypted, typically a secret.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to a file that should be encrypted.
- One of the options --in or --infile has to be specified.
Switches
-h | --help
- Displays usage.
Exit Codes
- 1: argument errors
- 2: processing errors
Examples
The following examples illustrate typical use cases.
Encrypting secret using Windows Shell
    call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
    for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
        set encrypt_symmetric_key=%%i
        set encrypt_base64_iv=%%j
        set encrypt_string=%%k
    )

    @rem encrypts the given secret using an Agent's X509 certificate
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output includes the symmetric key, initialization vector and encrypted string separated by space that are passed to environment variables
Encrypting file using Windows Shell
    call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--infile=%TEMP%\secret.txt"
    for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
        set encrypt_symmetric_key=%%i
        set encrypt_base64_iv=%%j
        set encrypt_string=%%k
    )

    @rem encrypts the given file using an Agent's X509 certificate
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output includes the symmetric key, initialization vector and encrypted file separated by space that are passed to environment variables
Decryption
Usage
Invoking the script without arguments displays the usage clause:
    Usage: js7_decrypt.cmd [Options] [Switches]

      Options:
        --key=<path>                  | path to private key file for decryption.
        --iv=<initialization-vector>  | base64 encoded initialization vector (returned by encryption).
        --encrypted-key=<key>         | base64 encoded encrypted symmetric key (returned by encryption).
        --in=<encrypted-secret>       | encrypted secret to decrypt (returned by encryption).
        --infile=<path-to-file>       | path to encrypted file to decrypt.

      Switches:
        -h | --help                   | displays usage
Options
--key
- Specifies the path to the private key file that matches the X509 certificate or public key used for previous encryption.
--iv
- Specifies the base64 encoded initialization vector as returned during encryption.
--encrypted-key
- Specifies the base64 encoded, encrypted symmetric key as returned during encryption.
--in
- Specifies the encrypted value that should be decrypted.
- One of the options --in or --infile has to be specified.
--infile
- Specifies the path to an encrypted file that should be decrypted.
- One of the options --in or --infile has to be specified.
Switches
-h | --help
- Displays usage.
Exit Codes
- 1: argument errors
- 2: processing errors
Examples
The following examples illustrate typical use cases.
Decrypting secret using Windows Shell
    @call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypt_base64_iv%" "--encrypted-key=%encrypt_symmetric_key%" "--in=%encrypt_string%"
    @echo %JS7_DECRYPT_VALUE%

    @rem decrypts the encrypted secret using an Agent's private key
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem the JS7_DECRYPT_VALUE environment variable is automatically created that holds the decrypted secret
Decrypting file using Windows Shell
    @call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypt_base64_iv%" "--encrypted-key=%encrypt_symmetric_key%" "--in=%encrypt_string%"
    @echo %JS7_DECRYPT_VALUE%

    @rem decrypts the given encrypted file using an Agent's X509 private key
    @rem consider that for Windows Shell all arguments have to be quoted
    @rem output includes the path to the decrypted file
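
Round trip with exit code checks
The following script is an added example, not part of the JS7 documentation. It chains the encryption and decryption calls shown above, checks the documented exit codes and verifies the result without echoing the decrypted secret to the job log. It assumes that both scripts report their exit codes through ERRORLEVEL and that agent.crt and agent.key are a matching pair.

```bat
@echo off
rem Added example (not from the JS7 documentation): encrypt/decrypt round trip.
rem Assumptions: the scripts report exit codes via ERRORLEVEL; agent.crt and
rem agent.key are a matching certificate/private key pair.
setlocal
set "JS7_ENCRYPT_VALUE="
set "JS7_DECRYPT_VALUE="

call .\bin\js7_encrypt.cmd "--cert=agent.crt" "--in=secret"
rem "if errorlevel N" is true for N or higher, so test the higher code first
if errorlevel 2 (
    >&2 echo js7_encrypt: processing error
    exit /b 2
)
if errorlevel 1 (
    >&2 echo js7_encrypt: argument error
    exit /b 1
)

rem JS7_ENCRYPT_VALUE holds three space-separated tokens
set "encrypt_string="
for /f "tokens=1-3" %%i in ("%JS7_ENCRYPT_VALUE%") do (
    set "encrypt_symmetric_key=%%i"
    set "encrypt_base64_iv=%%j"
    set "encrypt_string=%%k"
)
rem the third token is only set when all three tokens were present
if not defined encrypt_string (
    >&2 echo unexpected encryption output: fewer than three tokens
    exit /b 2
)

call .\bin\js7_decrypt.cmd "--key=agent.key" "--iv=%encrypt_base64_iv%" "--encrypted-key=%encrypt_symmetric_key%" "--in=%encrypt_string%"
if errorlevel 2 (
    >&2 echo js7_decrypt: processing error
    exit /b 2
)
if errorlevel 1 (
    >&2 echo js7_decrypt: argument error
    exit /b 1
)

rem compare without echoing the decrypted secret to the job log
if not "%JS7_DECRYPT_VALUE%"=="secret" (
    >&2 echo round trip mismatch
    exit /b 2
)
echo round trip ok
rem the implicit endlocal at script end discards the variables holding the secret
```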