
Introduction

  • The "Password Safe" (Credential Store, CS) allows connection and other data to be encrypted and stored securely and independently of the application(s), such as YADE, that use this data. Access to the CS is only possible with access methods such as an SSH key or password.
  • Currently, the CS uses "KeePass" and "KeePassX" with db version 1.0, so the CS can be used on most popular OS platforms.
  • The advantage of using the CS is that it stores the credentials (and other information/parameters) in a standardized, secure and encrypted database, i.e. KeePass. YADE accesses the CS database using a standard interface. The CS database can only be accessed using a password, an encryption-key file (ppk) or a combination of both. The CS password is used to encrypt the contents stored in the CS database with AES.
  • The CS can be used to securely store information or parameters, database connection URLs, run-time decryption keys and other access data.

The following information can be retrieved from CS standard fields:

  • UserID : The user identification of a user who is authorized for the operation.
  • Password : Assigned password for the user.
  • Server-Name : Target server name or IP address
  • Notes : In the notes section of the CS, other parameters/options can be stored, i.e. YADE parameters, database connection URL etc. The extra options are defined in a similar way to that used on the command line.
  • File-Attachment : Files such as PGP or SSH private key files can be stored in the CS as attachments. Applications will retrieve the attached file at run-time and will delete the file immediately once the operation is completed.

Scope

This article describes the use of the Credential Store with the YADE Client via the client's command line interface.

A description of the use of the Credential Store with the YADE JITL job can be found in the Jobs JADEJob & JADE4DMZJob article.

Configuration Procedure

The examples presented in this article are based on the simple file transfer example described in the YADE Client Command Line Interface - Tutorial 1 - Getting Started article. This tutorial describes the configuration required to download a number of files from an online server provided by the SOS GmbH and save these files on the user's local file system. Using this server means that users can get a working example up and running with a minimum of effort. A simplified version of the configuration used in the tutorial (only specifying FTP) is available as a download: sos-berlin_demo_2_local.xml. Instructions for installing and configuring the YADE Client can be found in the YADE - Tutorials article.

The configuration provided in the download file will cause six files in the root server folder to be copied to a local /jade_demo/transfer_receive folder, generating the target folder in the user's home or profile directory if required and permissions are available. The files will be transferred by FTP and authentication for the server (user name and password) is specified in the download file.

Installing and configuring the Credential Store

The installation of KeePass II is described on the KeePass Web Site.

For the examples described in the current article the following database was configured (on a Windows system):

  • Path & name: %USERPROFILE%\jade_demo\keepass\demo_cred_store.kdbx
  • Master Password: sos

The following information was specified in the database:

  • Database: demo_database
  • Group: demo
  • Title: demo on test.sos-berlin.com
  • UserId: demo
  • Password: demo
  • URL: test.sos-berlin.com (alternatively, the IP address could have been specified here).

Integrating the Credential Store in a File Transfer Configuration

The use of the Credential Store is specified in YADE Client file transfer configuration files, which are written in XML. We recommend using the SOS XML Editor to edit these files. Instructions for downloading, installing and using the XML Editor are linked from this page.

In the remainder of the current article, it is assumed that readers have made themselves familiar with the organization of the YADE Client file transfer configurations into Profiles and Fragments. This is described in the Getting Started YADE tutorial linked above.

The following configuration elements are required to specify the use of a Credential Store:

  • A Credential Store Fragments element that is at the same level in the XML hierarchy as the Protocol Fragments elements.
  • A Credential Store Fragment element that is referenced from the Protocol Fragment. This Fragment specifies the location and authentication for the Credential Store.
  • The values of the connection and authentication elements are modified to refer to elements stored within the Credential Store.

The XML Configuration

The parts of the XML configuration relevant to the use of the Credential Store are shown in the following screenshot of the XML Editor:

 

Running the YADE Client with the Credential Store

The use of the Credential Store is contained within the settings file and is not exposed when calling the client. For example, for Windows systems:

Call on Windows systems
C:\Program Files\sos-berlin.com\jade\client\bin>jade.cmd -settings="%USERPROFILE%\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs"

The output produced when successful:

Output
C:\Program Files\sos-berlin.com\jade\client\bin>jade.cmd -settings="%USERPROFILE%\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs"

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+                       START  : JADE.CMD                         +
+                       -----------------                         +
+ DATE     : 17.04.2018 14:56:51,26
+ HOSTNAME : JS-PC
+ USER     : aa
+ CALL     : C:\Program Files\sos-berlin.com\jade\client\bin\jade.cmd -settings="C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs"
+                                                                 +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

main INFO  14:56:54,679   (SOSDataExchangeEngineMain.java:76) ::Execute SOSDataExchange - Kommandozeilenprogram startet ....
main INFO  14:56:54,711   (SOSDataExchangeEngine.java:536) ::showBanner
************************************************************************
*                                                                      *
*                     YADE - Managed File Transfer                     *
*                     -----www.sos-berlin.com-----                     *
*                                                                      *
************************************************************************
  Version                 = 1.12.3-SNAPSHOT (2018-04-15 23:09, revision f156fa1144fe219789e9bf2ad1d3a4b52a68cd24) Copyright 2003-2018 SOS GmbH Berlin
  Date                    = 2018-04-17 14:56:54
  SettingsFile            = C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml
  Profile                 = ftp_server_2_local_cs
  Operation               = copy
  Transactional           = false  
+------------Source------------
  | Protocol              = ftp
  | Host                  = test.sos-berlin.com
  | IP                    = 93.157.51.161
  | User                  = demo
  | Password              = ***
  | Passive               = false
  | TransferMode          = binary
  | Directory             = ./
  | FileSpec              = .*
  | ErrorWhenNoFilesFound = true
  | Recursive             = false
  | Remove                = false

  +------------Target------------
  | Protocol              = local
  | Host                  = JS-PC
  | IP                    = 192.11.0.85
  | Directory             = C:\Users\aa\jade_demo\transfer_receive/
  | OverwriteFiles        = true

main INFO  14:56:55,164   (SOSVfsFtpBaseClass.java:242) ::doConnect SOSVfs_D_0102: Verbunden mit Rechner 'test.sos-berlin.com' ³ber Port-Nummer '21'.
main INFO  14:56:55,539   (SOSVfsFtpBaseClass.java:958) ::login (demo@test.sos-berlin.com:21) SOSVfs_D_133: Benutzer 'demo' eingeloggt.
main INFO  14:56:55,695   (SOSVfsFtpBaseClass.java:1295) ::transferMode SOSVfs_D_123: Antwort des FTP-Servers ['binary']: '200 Type set to I'.
main INFO  14:56:56,148   (SOSDataExchangeEngine.java:897) ::setInfo 6 files found for regexp '.*'.
main INFO  14:56:56,945   (SOSDataExchangeEngine.java:788) ::printState SOSJADE_I_0101: Es wurden 6 Dateien ³bertragen
main INFO  14:56:56,961   (SOSDataExchangeEngine.java:359) ::showResult
*************************************************************************
 Ausf³hrungsstatus                 = Ohne Fehler.
 Erfolgreiche ▄bertragungen        = 6
 ▄bersprungene ▄bertragungen       = 0
 Fehlgeschlagene ▄bertragungen     = 0
 letzter aufgetretener Fehler      =
*************************************************************************
main INFO  14:56:56,976   (SOSDataExchangeEngineMain.java:78) ::Execute Execute - Programm wurde ohne Fehler beendet

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+                        END   : JADE.CMD                         +
+                        ----------------                         +
+ DATE     : 17.04.2018 14:56:57,03
+ HOSTNAME : JS-PC
+ USER     : aa
+ CALL     : C:\Program Files\sos-berlin.com\jade\client\bin\jade.cmd -settings="C:\Users\aa\jade_demo\sos-berlin_demo_2_local.xml" -profile="ftp_server_2_local_cs"
+ EXIT     : 0
+                                                                 +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
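
Keeping credentials in the Credential Store protects them at rest; the run summary above is where to confirm that they also stay out of the log and to see which protocol carries them. The following audit of that summary is an added example, not part of the original page or of YADE: the sample lines are constructed from the output above, and the sets of cleartext protocols and secret field names are assumptions of this example.

```python
import re

# Constructed sample: Source/Target summary lines taken from the run shown above.
SAMPLE_LOG = r"""
+------------Source------------
  | Protocol              = ftp
  | Host                  = test.sos-berlin.com
  | User                  = demo
  | Password              = ***
  | Passive               = false
  +------------Target------------
  | Protocol              = local
  | Host                  = JS-PC
  | Directory             = C:\Users\aa\jade_demo\transfer_receive/
"""

SECTION = re.compile(r"^\s*\+-+(\w+)-+\s*$")
FIELD = re.compile(r"^\s*\|\s*(\w+)\s*=\s*(.*?)\s*$")
# Assumptions of this example: protocols that send the login unencrypted,
# and the (lower-cased) field names whose values must appear masked.
CLEARTEXT_PROTOCOLS = {"ftp", "http"}
SECRET_FIELDS = {"password"}

def parse_summary(log):
    """Return {section: {field: value}} for the '+---Name---' blocks."""
    sections, current = {}, None
    for line in log.splitlines():
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return sections

def audit(log):
    """List findings: unmasked secrets and logins over cleartext protocols."""
    findings = []
    for name, fields in parse_summary(log).items():
        for key, value in fields.items():
            # A masked value consists only of '*'; anything else is a leak.
            if key.lower() in SECRET_FIELDS and value.strip("*"):
                findings.append(f"{name}: {key} is written to the log unmasked")
        protocol, user = fields.get("Protocol", "").lower(), fields.get("User")
        if protocol in CLEARTEXT_PROTOCOLS and user:
            findings.append(f"{name}: account '{user}' logs in over unencrypted {protocol}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG)))
```
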

 
