JS7 JobScheduler

Space shortcuts

Page tree

Introduction

A number of JS7 - Job Templates support the use of a Credential Store:

A number of JITL Job Templates require credentials, for example, to access a database.

  • Security Considerations
    • Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files.
    • Instead, a run-time interface is offered that allows sensitive information to be retrieved from a Credential Store. References to Credential Store entries can safely be specified with argument values.
  • Credential Store
  • Solution Outline

Credential Store Access

Access to a Credential Store is specified with the URI and Query Parameters of the Credential Store.

URI

cs://<entry_path>@<property_name> - required 

  • The URI based syntax includes the protocol cs:// 
  • followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store.
  • followed by the @ character

  • followed by the <property_name> that should be retrieved:

    • frequently-used properties include Credential Store field names such as title, userpassword, urlattachmentCustom field names are supported. 

Query Parameters

  • file - required 
    • the path to the Credential Store file. This file can be located anywhere in the file system.
    • A relative path can be used that is calculated from the Agent's working directory:
      • By default this is the Agent's configuration directory, for example,
        • /home/sos/js7/agent/var_<http-port> for Unix
        • C:\ProgramData\sos-berlin.com\js7\agent for Windows
      • Example:
        • a relative path ./config/secret.kdbx maps to C:\ProgramData\sos-berlin.com\js7\agent\config\secret.kdbx

  • password - optional 

    • the password for access to the Credential Store file. 

    • It is recommended that this parameter ia not used and that instead a key_file is used to access the Credential Store.

  • key_file - optional, default: the path and name of the Credential Store file using the extension .key, for example, by default ./config/jobs.key is assumed if the Credential Store file ./config/jobs.kdbx is specified.

Use with JITL Database Jobs

JS7 - JITL Database Jobs can access a Credential Store in the following ways:

  • using a Hibernate configuration file,
  • using arguments

Use with a Hibernate Configuration File

The Hibernate access layer is used for database access and is frequently used with database credentials. The access information such as accounts, passwords and JDBC URLs etc. is specified with the  Hibernate configuration files. 

Generally it is preferable not to use passwords to access a database directly but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords, then instead of using a plain text password in a configuration file, users can add a password to a KeePass Credential Store and add a reference to the Credential Store to their Hibernate configuration file. This applies to the following JITL Database Jobs:

References to a Credential Store

The Hibernate configuration file includes a number of XML elements that can be populated from a Credential Store. It provides two types of syntax.

Full Syntax

The full syntax is used when the complete URI is specified with each element of the Hibernate configuration file:


Extract from Hibernate configuration file with credential store references using the full syntax
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
    <session-factory>
        ...
        <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property> 
        <property name="hibernate.connection.password">cs://secret/database/reporting@password?file=./config/secret.kdbx</property>
        <property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx</property>
        ...
    </session-factory>
</hibernate-configuration


Explanation:

  • The secret/database/reporting value is an example for a path to an entry in the KeePass database that holds the credentials.
  • The ./config/secret.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The short syntax can be used if the Hibernate configuration file includes explicit references to the Credential Store:


Extract from Hibernate configuration file with credential store references using the short syntax
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
    <session-factory>
        ...
        <property name="hibernate.connection.username">cs://@user</property> 
        <property name="hibernate.connection.password">cs://@password</property> 
        <property name="hibernate.connection.url">cs://@url</property>
         ...
        <property name="hibernate.sos.credential_store_file">./config/secret.kdbx</property>
        <property name="hibernate.sos.credential_store_key_file">./config/secret.key</property>
        <property name="hibernate.sos.credential_store_password">secret</property>
        <property name="hibernate.sos.credential_store_entry_path">/secret/database/reporting</property>
        ...
    </session-factory>
</hibernate-configuration


Explanation:

  • <property name="hibernate.sos.credential_store_file"> => path to the Credential Store database file
  • <property name="hibernate.sos.credential_store_key_file"> => path to the key file for the Credential Store
  • <property name="hibernate.sos.credential_store_password"> => password of the Credential Store database file
  • <property name="hibernate.sos.credential_store_entry_path"> => folder hierarchy and entry name in the Credentials Store database file

Example for Hibernate Configuration File

A Hibernate configuration file using a reference to the Credential Store and the short syntax for credential references can look like this:


Example Hibernate configuration file for MySQL
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
 <session-factory>
  <property name="hibernate.sos.credential_store_file">./config/jobs.kdbx</property>
  <property name="hibernate.sos.credential_store_key">./config/private/jobs.key</property>
  <property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
  <property name="hibernate.connection.password">cs://jobs/mysql/mysql-5-7@password</property>
  <property name="hibernate.connection.url">cs://jobs/mysql/mysql-5-7@url</property>
  <property name="hibernate.connection.username">cs://jobs/mysql/mysql-5-7@user</property>
  <property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
  <property name="hibernate.show_sql">false</property>
  <property name="hibernate.connection.autocommit">false</property>
  <property name="hibernate.format_sql">true</property>
  <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>

  <!-- Hikari Connection Pool -->
  <property name="hibernate.connection.provider_class">org.hibernate.hikaricp.internal.HikariCPConnectionProvider</property>
  <property name="hibernate.hikari.maximumPoolSize">10</property>
 </session-factory>
</hibernate-configuration>


Explanation:

  • <property name="hibernate.sos.credential_store_file"> specifies the location of the Credential Store database file.
  • <property name="hibernate.sos.credential_store_key"> specifies the location of the Credential Store key file. In this example the key file is stored with a location different to the database file and therefore has to be specified. If the key file is available from the same folder as the database file and makes use of the same base name then this parameter can be omitted.

Use with Arguments

References to a Credential Store can be directly specified from arguments. This applies for the following JITL Database Jobs:

References to a Credential Store

References to a Credential Store can be directly specified from arguments.

Full Syntax

The full syntax is used when the complete URI is specified with an argument: 


Name

Purpose

Example

db_url

JDBC connection string

cs://jobs/oracle/minos.sos@url?file=./config/jobs.kdbx

db_user

User name for database access

cs://jobs/oracle/minos.sos@user?file=./config/jobs.kdbx

db_password

Password for database access

cs://jobs/oracle/minos.sos@password?file=./config/jobs.kdbx


Explanation:

  • The jobs/oracle/minos.sos value is an example for a path to an entry in the KeePass database that holds the credentials.
  • The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The short syntax can be used if arguments are specified with references to the Credential Store location:


Name

Required

Purpose

Example

db_url

yes

JDBC connection string

cs://jobs/oracle/minos.sos@url

db_user

yes

User name for database access

cs://jobs/oracle/minos.sos@user

db_password

yes

Password for database access

cs://jobs/oracle/minos.sos@password
credential_store_fileyesLocation of the Credential Store database file (*.kdbx)./config/jobs.kdbx
credential_store_key_filenoLocation of the Credential Store key file (*.key)./config/jobs.key
credential_store_passwordnoPassword of the Credential Storesecret
credential_store_entry_pathno

Folder hierarchy and entry name in the Credential Store 

/jobs/oracle

Use with JITL Mail Jobs

Use with Arguments

References to a Credential Store can be directly specified from arguments. This applies for the following JITL Mail Jobs:

References to a Credential Store

References to a Credential Store can be directly specified from arguments.

Full Syntax

The full syntax is used when the complete URI is specified with an argument. For example:


Name

Purpose

Example

mail.smtp.host

SMTP hostname or IP address

cs://jobs/mail/mail.sos-berlin.com@url?file=./config/jobs.kdbx

mail.smtp.user

User account for SMTP authentication

cs://jobs/mail/mail.sos-berlin.com@user?file=./config/jobs.kdbx

mail.smtp.password

Password for SMTP authentication

cs://jobs/mail/mail.sos-berlin.com@password?file=./config/jobs.kdbx


Explanation:

  • The jobs/mail/mail.sos-berlin.com value is an example for a path to an entry in the KeePass database that holds the credentials.
  • The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The short syntax can be used if arguments are specified with references to the Credential Store location, for example:


Name

Required

Purpose

Example

mail.smtp.host

yes

SMTP hostname or IP address

cs://jobs/mail/mail.sos-berlin.com@url

mail.smtp.user

yes

User account for SMTP authentication

cs://jobs/mail/mail.sos-berlin.com@user

mail.smtp.password

yes

Password for SMTP authentication

cs://jobs/mail/mail.sos-berlin.com@password
credential_store_fileyesLocation of the Credential Store database file (*.kdbx)./config/jobs.kdbx
credential_store_key_file noLocation of the Credential Store key file (*.key)./config/jobs.key
credential_store_passwordnoPassword of the Credential Storesecret
credential_store_entry_pathno

Folder hierarchy and entry name in the Credential Store 

/jobs/mail

Use with JITL SSH Jobs

Use with Arguments

References to a Credential Store can be directly specified from arguments. This applies to the following JITL SSH Jobs:

References to a Credential Store

References to a credential store can be directly specified from arguments.

Full Syntax

The full syntax is used when the complete URI is specified with an argument, for example:


Name

Purpose

Example

user

This argument specifies the user account to be used when connecting to the SSH server.

cs://jobs/ssh/ssh.sos-berlin.com@user?file=./config/jobs.kdbx

password

This argument specifies the user account's password for authentication by the SSH server and has to be specified if the password authentication method is specified with the auth_method argument. 
Alternatively, this argument is used to specify the passphrase for a private key if the publickey authentication method is used with the auth_method argument.

cs://jobs/ssh/ssh.sos-berlin.com@password?file=./config/jobs.kdbx

auth_file

This argument specifies the path and name of a private key file used for authentication with an SSH server. This argument has to be specified if the publickey authentication method is specified with the auth_method argument. 
If the private key file is secured with a passphrase then the passphrase has to be specified with the password argument.

cs://jobs/ssh/ssh.sos-berlin.com@attachment?file=./config/jobs.kdbx

proxy_userThe value of this argument specifies the user account for authentication with the proxy server that is used to connect to the SSH server.cs://jobs/ssh/ssh-proxy.sos-berlin.com@user?file=./config/jobs.kdbx
proxy_passwordThis argument specifies the password for the proxy server user account if a proxy is used to connect to the SSH server.cs://jobs/ssh/ssh-proxy.sos-berlin.com@password?file=./config/jobs.kdbx


Explanation:

  • The jobs/mail/ssh.sos-berlin.com xvalue is an example for the path to an entry in the KeePass database that holds the credentials.
  • The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.

Short Syntax

The short syntax can be used if arguments are specified with references to the Credential Store location, for example:


Name

Example

user

cs://jobs/ssh/ssh.sos-berlin.com@user

password

cs://jobs/ssh/ssh.sos-berlin.com@password

auth_file

cs://jobs/ssh/ssh.sos-berlin.com@attachment
credential_store_file./config/jobs.kdbx
credential_store_key_file ./config/jobs.key
credential_store_passwordsecret
credential_store_entry_path/jobs/ssh



  • No labels