Page History
...
A number of JS7 - Job Templates support the use of a Credential Store:
...
A number of JITL Job Templates require credentials, e.g. , for example, to access a database.
- Security Considerations
- Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files.
- Instead, a run-time interface is offered that allows to retrieve sensitive information to be retrieved from a Credential Store. References to Credential Store entries can safely be specified with argument values.
- Credential Store
- A credential store allows to the securely store storage and retrieve retrieval of credentials for authentication, as well as connection details and other parameters
- See JS7 - Use of Credential Store with Shell Jobs
- See YADE Credential Store.
- Solution Outline
- Access to the Credential Store is automatically provided for JS7 - Job Templates.
...
file
- required- the path to the Credential Store file. This file can be located anywhere in the file system.
- A relative path can be used that is calculated from the Agent's working directory:
- By default this is the Agent's configuration directory, for example,
/home/sos/js7/agent/var_<http-port>
for UnixC:\ProgramData\sos-berlin.com\js7\agent
for Windows
- Example:
- a relative path
./config/secret.kdbx
maps toC:\ProgramData\sos-berlin.com\js7\agent\config\secret.kdbx
- a relative path
- By default this is the Agent's configuration directory, for example,
password
- optionalthe password for access to the Credential Store file.
It is recommended not to use that this parameter ia not used and that instead to use a
key_file
to is used to access the Credential Store.
key_file
- optional, default: the path and name of the Credential Store file using the extension .key, for example, by default./config/jobs.key
is assumed if the Credential Store file ./config/jobs.kdbx
is specified.
...
JS7 - JITL Database Jobs can access a Credential Store in the following ways:
- by use of using a Hibernate configuration file,by use of
- using arguments
Use with a Hibernate Configuration File
The Hibernate access layer is used for database access and is frequently is used with database credentials. The access information such as accounts, passwords and JDBC URLs etc. are is specified with the Hibernate configuration files.
Generally it is preferable not to directly use passwords to access a database directly but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords, then instead of using a plain text password in a configuration file, users can add a password to a KeePass Credential Store and add a reference to the Credential Store to their Hibernate configuration file. This applies to the following JITL Database Jobs:
...
References to a Credential Store can be directly specified from arguments. This applies to for the following JITL Database Jobs:
...
References to a Credential Store can be directly specified from arguments. This applies to for the following JITL Mail Jobs:
...
The full syntax is used when the complete URI is specified with an argument, for . For example:
Name | Purpose | Example |
---|---|---|
| SMTP hostname or IP address |
|
| User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user?file=./config/jobs.kdbx |
| Password for SMTP authentication |
|
...
- The
jobs/mail/ssh.sos-berlin.com x
value is an example for a the path to an entry in the KeePass database that holds the credentials. - The
./config/jobs.kdbx
value is an example for a relative path to the KeePass database that holds the Credential Store.
...