Introduction
Users might use credentials holding an account name and password for database connections, see JS7 - Database. Such credentials can be encrypted and decrypted using asymmetric keys. This applies to the following database connections using Hibernate:
- Connections from JOC Cockpit to a database.
- Connections from JS7 - JITL Database Jobs to a database.
We find a number of requirements for management of credentials:
- Credentials should not be exposed to logging.
- Credentials should not be stored in more than one place.
- Credentials can be rotated on a regular basis.
We find a number of inadequate approaches that do not make for a secure solution:
- Symmetric keys are a No-Go as they are available in two places and leave it up to the implementation where to store the key.
- Obfuscation is a No-Go as it does not resist serious attacks.
The preferred solution with JS7 is use of asymmetric keys:
- JS7 - Encryption and Decryption performs encryption outside of JS7 products.
- No JS7 product is directly involved in encryption, as otherwise the JS7 product would know the credentials, which could potentially be compromised by logging etc.
FEATURE AVAILABILITY STARTING FROM RELEASE 2.7.0
Asymmetric Keys
Encryption and decryption use asymmetric keys; for details see JS7 - Encryption and Decryption.
Encryption
In a Hibernate configuration file the following credentials can be encrypted:
<property name="hibernate.connection.password">jobscheduler</property>
<property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
<property name="hibernate.connection.username">jobscheduler</property>
Users are free to encrypt the password only or to encrypt the username and URL too. Encrypted values look like this:
<property name="hibernate.connection.password">enc://gLjIPeUJP3o1cw4y9wNrFkNUIfe5Bi/eW+KMkLUy4mvVOH0Z41V0Iuob0lDN6UFXMG1//YDbUA3yFSpvHdmRlGnYsMPkbqz+tN+7Ypy5px7F7NGGpPFSeeGS4JOe7cmgkHx9i9ZPJEEK/xDLoPj/9zj4OLTcWxrHKR0bwT2NvpEZoBPWVnWMoBqTQfk+PBRRkQFYdtR+uKVl7qMEkNc6N92hYGRevUwIZ7h++ENazlgzUdNZc1K1LCRZ/BtB8/MopP3elZ6Vq2LmP3LGnzu6MwSSBgNbPN2vguDqWjnncO1h5MekmqHV5S9RY2L+7NZ7jJ3q233ZFwq56Xm/TWB92g== U2WnoXgh87kdOz7Zcumkpg== 3mnbt2Qe7JdQuN2Lm5SD0w==</property>
<property name="hibernate.connection.url">enc://oe5qm3SOudO8LgcFXlW3cTlsdLycXEgUis2GFJdm+4w/NHF3KGYZXCEsqUFMwvWsdY/whfkCPOyUf4cj1eY1F5QSVzjsCgpfXtpvqUjqa7mzpAfzHfRr8gjZNHzCinefke8muCYFiZbb8s9rWHu4G8aIAJsxlWrhJeu7SXqs3JPrrrBt9EJ8kJw6w/xWbUhR5MVLAvj9mIg+w83qwAhZrvuz+McoTKskXvLcBlQPtXc+Yz3RuosczmaWgHYcc/++CtnHHtlSVQf9108jus13ab6mGGsDjodVJjm715VB+cUmWhBKpwyjksrISKcpkMnGlSK3KE+VsTMjzAMPPAyGEQ== zzEKadcxLgfl4GrRUYvApA== FM5ycloUYUbUeniZUDZpK7atxQR5bvmJmYJLS1k356oA/fCoioE6zFfOzENTKgxn</property>
<property name="hibernate.connection.username">enc://WCWDGolHrQV4zWwF7i+QEOMrzXfhQSWoH4Azb+udCPSXsvDcNBiTam9zSVDyzCkVT3VAoBdT+WQbOSJRtdvYv6IaIJHJ98W5+H/F29UlOtKhJFbzVq+qxT4XPHSlMvzhub72lv5sWEyhNsjdFd6tJj0mVVH7+jmMAzFMCMKfMeNUbsXrH5Os6UR0Uqy6KbjVx8BOv02ooqFb69yFyI76/gwkxAV+9fYinCxIj3adSO1P6Cn0VNXLw1y2z/Xuv2PJ9CusshmMEiG95/G85VSNqlSMV0HfiQ71VS2EN0fcVcFlugyslTUDIcP4ed3pNlwblu86oPoenC4Xvw3Qh2Xj/A== IcI4xRV0fnO+qRLLg3/abQ== 1gV4bt2rvMgdtPOPXFt5qw==</property>
Explanation:
- Encrypted values start with the prefix enc://.
- The value holds the following parts separated by spaces:
  - an encrypted symmetric key,
  - an initialization vector,
  - the secret encrypted with the symmetric key.
- For decryption a private key and the initialization vector are used to decrypt the symmetric key. The secret is decrypted using the decrypted, symmetric key.
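As an added example (not code from the JS7 project), a small Python audit that parses the enc:// layout described above, decodes the three base64 parts, and reports which credential properties in a hibernate.cfg.xml are still stored in clear. The 16-byte IV/block-size and RSA-modulus-size checks are assumptions inferred from the sizes of the sample values on this page, and the sample configuration is constructed.

```python
import base64
import xml.etree.ElementTree as ET
ENC_PREFIX = "enc://"
# The Hibernate properties this page shows as encryptable.
CREDENTIAL_PROPS = ("hibernate.connection.password", "hibernate.connection.url",
                    "hibernate.connection.username")

def parse_enc_value(value):
    """Split an enc:// value into (encrypted_key, iv, ciphertext) bytes; ValueError if malformed."""
    if not value.startswith(ENC_PREFIX):
        raise ValueError("missing enc:// prefix")
    parts = value[len(ENC_PREFIX):].split(" ")
    if len(parts) != 3:
        raise ValueError(f"expected 3 space-separated parts, got {len(parts)}")
    enc_key, iv, secret = (base64.b64decode(p, validate=True) for p in parts)  # junk -> ValueError
    # Assumption (not stated on the page, but matching its sample sizes): the symmetric
    # cipher uses 16-byte blocks, so the IV is 16 bytes and the ciphertext is whole blocks.
    if len(iv) != 16 or not secret or len(secret) % 16:
        raise ValueError(f"IV {len(iv)} / ciphertext {len(secret)} bytes: not block-sized")
    # Assumption: the symmetric key is RSA-encrypted, so its length equals the modulus
    # size (the page's sample decodes to 256 bytes, i.e. RSA-2048).
    if len(enc_key) not in (256, 384, 512):
        raise ValueError(f"encrypted key is {len(enc_key)} bytes, not an RSA modulus size")
    return enc_key, iv, secret

def audit_hibernate_cfg(xml_text):
    """Report each credential property as 'encrypted', 'plaintext' or 'malformed'."""
    report = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name")
        if name not in CREDENTIAL_PROPS:
            continue
        value = (prop.text or "").strip()
        if not value.startswith(ENC_PREFIX):
            report[name] = "plaintext"  # still in clear: encrypt it and rotate the value
            continue
        try:
            parse_enc_value(value)
            report[name] = "encrypted"
        except ValueError:
            report[name] = "malformed"
    return report

def dummy_b64(length, fill):
    return base64.b64encode(bytes([fill]) * length).decode()  # constructed, not js7_encrypt output
# Constructed sample hibernate.cfg.xml: password encrypted, username still in clear.
SAMPLE_CFG = f"""<session-factory>
<property name="hibernate.connection.password">enc://{dummy_b64(256, 1)} {dummy_b64(16, 2)} {dummy_b64(16, 3)}</property>
<property name="hibernate.connection.username">jobscheduler</property>
</session-factory>"""
```

Running audit_hibernate_cfg on a real hibernate.cfg.xml before a JOC Cockpit deployment gives a quick check that no credential was left in plain text after rotation.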
Use with Scripts
Credentials can be encrypted using scripts:
- JS7 - How to encrypt and decrypt using Unix Shell
- JS7 - How to encrypt and decrypt using Windows Shell
Explanation:
- The js7_encrypt.sh | .cmd script is called with the --cert argument that specifies the path to the public key or certificate file. The --in argument specifies the plain text password.
- For Unix
  - the script writes output to the stdout channel that is assigned to an environment variable.
  - the sed command is used to replace the related element value in the hibernate.cfg.xml configuration file.
- For Windows
  - the script writes output to the JS7_ENCRYPT_VALUE environment variable.
  - the powershell.exe command is used to replace the related element value in the hibernate.cfg.xml configuration file.