...

A number of JS7 - Job Templates support the use of a Credential Store:

...

A number of JITL Job Templates require credentials, for example, to access a database.

  • Security Considerations
    • Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files.
    • Instead, a run-time interface is offered that allows sensitive information to be retrieved from a Credential Store. References to Credential Store entries can safely be specified with argument values.
  • Credential Store
  • Solution Outline

...

  • file - required 
    • the path to the Credential Store file. This file can be located anywhere in the file system.
    • A relative path can be used that is calculated from the Agent's working directory:
      • By default this is the Agent's configuration directory, for example,
        • /home/sos/js7/agent/var_<http-port> for Unix
        • C:\ProgramData\sos-berlin.com\js7\agent for Windows
      • Example:
        • a relative path ./config/secret.kdbx maps to C:\ProgramData\sos-berlin.com\js7\agent\config\secret.kdbx
  • password - optional 

    • the password for access to the Credential Store file. 

    • It is recommended that this parameter is not used and that key_file is used instead to access the Credential Store.

  • key_file - optional, default: the path and name of the Credential Store file using the extension .key, for example, by default ./config/jobs.key is assumed if the Credential Store file ./config/jobs.kdbx is specified.

...

JS7 - JITL Database Jobs can access a Credential Store in the following ways:

  • using a Hibernate configuration file,
  • using arguments

Use with a Hibernate Configuration File

The Hibernate access layer is used for database access and is frequently used with database credentials. Access information such as accounts, passwords and JDBC URLs etc. is specified with Hibernate configuration files.

Generally it is preferable not to use passwords to access a database directly but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords, then instead of using a plain text password in a configuration file, users can add a password to a KeePass Credential Store and add a reference to the Credential Store to their Hibernate configuration file. This applies to the following JITL Database Jobs:

...

References to a Credential Store can be directly specified from arguments. This applies to the following JITL Database Jobs:

...

References to a Credential Store can be directly specified from arguments. This applies to the following JITL Mail Jobs:

...

The full syntax is used when the complete URI is specified with an argument. For example:


| Name | Purpose | Example |
| --- | --- | --- |
| mail.smtp.host | SMTP hostname or IP address | cs://jobs/mail/mail.sos-berlin.com@url?file=./config/jobs.kdbx |
| mail.smtp.user | User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user?file=./config/jobs.kdbx |
| mail.smtp.password | Password for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@password?file=./config/jobs.kdbx |

...

  • The jobs/mail/ssh.sos-berlin.com value is an example for the path to an entry in the KeePass database that holds the credentials.
  • The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.
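The following is an added example, not code from JS7 or its documentation: a Python check that parses cs:// references in the full syntax shown above, resolves the file and default key_file against the Agent's working directory, and reports job arguments that hard-code a secret or pass the store password in the reference. Assumptions: Unix paths, '&'-separated URI parameters, a constructed Agent directory with placeholder port 4445, and the hypothetical function names parse_cs_uri and audit_arguments.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed Agent working directory following the Unix pattern on this page
# (/home/sos/js7/agent/var_<http-port>); the port 4445 is a placeholder.
AGENT_DIR = "/home/sos/js7/agent/var_4445"


def parse_cs_uri(uri, agent_dir=AGENT_DIR):
    """Split a cs:// reference into entry path, property and resolved file paths."""
    if not uri.startswith("cs://"):
        raise ValueError("not a Credential Store reference")
    body, _, query = uri[len("cs://"):].partition("?")
    entry, sep, prop = body.rpartition("@")
    if not (sep and entry and prop):
        raise ValueError("expected cs://<entry path>@<property>")
    # Assumption: parameters are '&'-separated key=value pairs.
    params = {k: v[-1] for k, v in parse_qs(query).items()}
    if "file" not in params:
        raise ValueError("the file parameter is required")
    # key_file defaults to the store's path and name with the extension .key
    key_file = params.get("key_file") or posixpath.splitext(params["file"])[0] + ".key"

    def resolve(path):
        # Relative paths are calculated from the Agent's working directory.
        return posixpath.normpath(posixpath.join(agent_dir, path))

    return {"entry": entry, "property": prop, "file": resolve(params["file"]),
            "key_file": resolve(key_file), "inline_password": "password" in params}


def audit_arguments(arguments, agent_dir=AGENT_DIR):
    """Return findings for job arguments that expose or weaken credential handling."""
    findings = []
    for name, value in arguments.items():
        if not value.startswith("cs://"):
            # Heuristic (assumption): argument names ending in 'password' hold secrets.
            if name.lower().endswith("password"):
                findings.append((name, "hard-coded secret, use a cs:// reference"))
            continue
        try:
            ref = parse_cs_uri(value, agent_dir)
        except ValueError as exc:
            findings.append((name, f"invalid reference: {exc}"))
            continue
        if ref["inline_password"]:
            findings.append((name, "store password in argument, prefer key_file"))
    return findings
```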

...