
Introduction

Job, Order and Job Chain parameters conveying sensitive information can be stored in a Credential Store. FEATURE AVAILABILITY STARTING FROM RELEASE 1.12 This feature is similar to the method used by the YADE file transfer job (and command line utility) to store information such as passwords.

  • A Credential Store can be used to store sensitive information that is used by the .
  • YADE allows use of a Credentials Store as explained in the YADE Credential Store article.

Desired Behavior

  • Users would like to store sensitive information that should be used by job and order parameters in a Credential Store similar to YADE.
  • This includes
    • specifying the Credential Store location (file path) and access method (password, key file) globally.
    • referencing credentials from parameter values with a dedicated syntax such as cs://<path>@<value>
      • Example
        <job>
            <params>
                <param name="db_password" value="cs://databases/mysql_localhost@password"/>
            </params>
            ...
        </job>
        
    • applying parameter values from a Credential Store to job, order and node parameters.
    • excluding substituted parameter values from logging.

Current Behavior

  • Job/Order parameters are not substituted: a job resolves cs:// URIs itself by calling the SOSKeePassDatabase class.
  • The SOSKeePassDatabase class can be called in a shell job (master/agent), in a JavaScript job (master/agent) or in a PowerShell job (agent).
    • If the call succeeds:
      • exit status = 0, the value is written to stdout
    • If the call ends in error:
      • exit status = 99, the exception text is written to stderr

Syntax

The following query parameters have been added:

  • file - required
    • the path of the Credential Store database file.
  • password - optional
    • the password for the Credential Store database file.
  • key_file - optional
    • If this parameter is set:
      • this path can be specified either relatively or absolutely. See the file example.
    • If this parameter is not set:
      • the directory of the file database is searched for a <file_without_extension>.key file (example: mystore.kdbx -> mystore.key).
        • .key file found: it is used.
        • .key file not found: if the password query parameter is not set either, an exception is thrown.
  • ignore_expired - optional, default: 0
    • ignore_expired=0 - an exception is thrown when the entry has expired
    • ignore_expired=1 - the expiry of an entry is ignored
  • attachment - optional, default: 0
    • attachment=0 - a string field is read
    • attachment=1 - a file attachment field is read and returned as a new String built from its bytes.
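As an added example (not the project's own code, and not the parsing that SOSKeePassDatabase itself performs), the following POSIX shell functions resolve a cs:// URI according to the rules listed above: the required file parameter, the defaults for ignore_expired and attachment, and the key_file rule that looks for <file_without_extension>.key next to the store and fails when neither a key file nor a password is available. Splitting entry path and field on the last "@", rejecting unknown query parameters and rejecting values other than 0 and 1 for the two switches are choices of this example, not documented behaviour.

```shell
#!/bin/sh
# Added example, not part of the JobScheduler/SOS code base: resolves a cs://
# URI the way the Syntax section describes it, including the key_file rule.
# Assumptions (not from the page): entry path and field are plain strings split
# on the last '@'; unknown query parameters and switch values other than 0/1
# are rejected; the store and key files are ordinary files on disk.

# Parse "cs://<entry path>@<field>?file=...&password=...&key_file=...&ignore_expired=...&attachment=..."
# into CS_ENTRY, CS_FIELD, CS_FILE, CS_PASSWORD, CS_KEY_FILE, CS_IGNORE_EXPIRED
# and CS_ATTACHMENT. Returns 1 with a message on stderr when the URI is
# malformed or one of the documented rules is violated.
cs_parse_uri() {
    uri=$1
    case $uri in
        cs://*) ;;
        *) echo "not a cs:// URI: $uri" >&2; return 1 ;;
    esac
    rest=${uri#cs://}
    query=
    case $rest in
        *\?*) query=${rest#*\?}; rest=${rest%%\?*} ;;
    esac
    case $rest in
        *@*) ;;
        *) echo "missing @<field> in: $uri" >&2; return 1 ;;
    esac
    CS_ENTRY=${rest%@*}     # everything before the last '@'
    CS_FIELD=${rest##*@}    # the field name (user, password, attachment name, ...)

    # documented defaults
    CS_FILE='' CS_PASSWORD='' CS_KEY_FILE='' CS_IGNORE_EXPIRED=0 CS_ATTACHMENT=0
    old_ifs=$IFS
    IFS='&'
    for kv in $query; do
        key=${kv%%=*}
        value=${kv#*=}
        case $key in
            file)           CS_FILE=$value ;;
            password)       CS_PASSWORD=$value ;;
            key_file)       CS_KEY_FILE=$value ;;
            ignore_expired) CS_IGNORE_EXPIRED=$value ;;
            attachment)     CS_ATTACHMENT=$value ;;
            *) IFS=$old_ifs; echo "unknown query parameter: $key" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs

    # file is the only required parameter
    [ -n "$CS_FILE" ] || { echo "query parameter 'file' is required" >&2; return 1; }
    # the page documents only the values 0 and 1 for the two switches
    for flag in "$CS_IGNORE_EXPIRED" "$CS_ATTACHMENT"; do
        case $flag in
            0|1) ;;
            *) echo "ignore_expired/attachment must be 0 or 1, got: $flag" >&2; return 1 ;;
        esac
    done
    cs_resolve_key_file
}

# key_file rule: an explicit key_file is taken as given (relative or absolute);
# otherwise <file without extension>.key next to the store is used if present;
# if it is absent and no password was given either, that is an error.
cs_resolve_key_file() {
    [ -z "$CS_KEY_FILE" ] || return 0
    base=${CS_FILE##*/}
    case $base in
        *.*) candidate=${CS_FILE%.*}.key ;;   # mystore.kdbx -> mystore.key
        *)   candidate=$CS_FILE.key ;;
    esac
    if [ -f "$candidate" ]; then
        CS_KEY_FILE=$candidate
    elif [ -z "$CS_PASSWORD" ]; then
        echo "neither $candidate nor a password is available for $CS_FILE" >&2
        return 1
    fi
    return 0
}

# Log-safe summary of the resolved settings: the password itself is never printed.
cs_describe() {
    printf 'entry=%s field=%s file=%s key_file=%s password=%s ignore_expired=%s attachment=%s\n' \
        "$CS_ENTRY" "$CS_FIELD" "$CS_FILE" "${CS_KEY_FILE:-<none>}" \
        "$( [ -n "$CS_PASSWORD" ] && echo '<set>' || echo '<none>' )" \
        "$CS_IGNORE_EXPIRED" "$CS_ATTACHMENT"
}

# Demo with the URI from the JavaScript example on this page. The store does not
# have to exist for parsing; the key file lookup simply finds nothing.
cs_parse_uri 'cs://server/SFTP/homer.sos@user?file=config/live/JITL-473-cs/kdbx-p.kdbx&password=test' && cs_describe
```

The functions set global variables rather than printing them so that a job script can test each setting with plain `[ ... ]` conditions; a password is only ever reported as set or not set, which keeps cs_describe safe to send to the job log.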

JavaScript Job (master/agent) Example
Two methods can be used:

  • com.sos.keepass.SOSKeePassDatabase.getProperty(uri)
  • com.sos.keepass.SOSKeePassDatabase.getBinaryProperty(uri)
 
JavaScript Job Example (master/agent)
<job order="no" stop_on_error="no">
  <script language="java:javascript"><![CDATA[
    // Reads a string field; an exception of the Java class is re-thrown with context.
    function getCredentialStoreProperty(uri) {
      try {
        return Packages.com.sos.keepass.SOSKeePassDatabase.getProperty(uri);
      } catch (e) {
        throw new Error("can't get property: " + e.message);
      }
    }

    // Reads an attachment as a byte array and writes it unchanged to targetFile.
    function exportCredentialStoreAttachment2File(uri, targetFile) {
      var fos = null;
      try {
        var data = Packages.com.sos.keepass.SOSKeePassDatabase.getBinaryProperty(uri);
        fos = new Packages.java.io.FileOutputStream(targetFile);
        fos.write(data);
      } catch (e) {
        throw new Error("[" + targetFile + "] can't write attachment to file: " + e.message);
      } finally {
        if (fos !== null) {
          fos.close();
        }
      }
    }

    function spooler_process() {
      var file = "config/live/JITL-473-cs/kdbx-p.kdbx";

      spooler_log.info("--- get string property ---");
      var property = "server/SFTP/homer.sos@user";
      var uri = "cs://" + property + "?file=" + file + "&password=test";
      var val = getCredentialStoreProperty(uri);
      // Demo only: this line writes the credential into the job log; leave it out in production.
      spooler_log.info("[" + property + "]=" + val);

      spooler_log.info("--- get binary property as string ---");
      property = "server/SFTP/homer.sos@homer.privat.dsa";
      uri = "cs://" + property + "?file=" + file + "&password=test&attachment=1";
      val = getCredentialStoreProperty(uri);
      spooler_log.info("[" + property + "]=" + val);

      spooler_log.info("--- get binary property as byte array and write to file ---");
      property = "server/SFTP/homer.sos@homer.privat.dsa";
      uri = "cs://" + property + "?file=" + file + "&password=test";
      var targetFile = "D:/my_homer.privat.dsa";
      exportCredentialStoreAttachment2File(uri, targetFile);
      spooler_log.info("[" + property + "] written to " + targetFile);

      return false;
    }
  ]]></script>
  <run_time />
</job>

 

PowerShell Job (agent) Example
Only the com.sos.keepass.SOSKeePassDatabase main method can be used:

PowerShell Job (agent) Example
<job order="no" stop_on_error="no" process_class="/Agent">
    <script language="powershell"><![CDATA[
        # Runs "java com.sos.keepass.SOSKeePassDatabase <uri>" and returns its stdout.
        # A non-zero exit status (99 for an exception in the Java class) becomes a
        # PowerShell exception that carries the stderr text.
        function Get-CredentialStoreProperty([string] $uri) {
            $command = "java"
            if (![string]::IsNullOrEmpty(${env:JAVA_HOME})) {
                $command = "${env:JAVA_HOME}\bin\$command"
            }

            $arguments = @("com.sos.keepass.SOSKeePassDatabase", $uri)

            $startInfo = New-Object System.Diagnostics.ProcessStartInfo
            $startInfo.FileName = $command
            $startInfo.RedirectStandardError = $true
            $startInfo.RedirectStandardOutput = $true
            $startInfo.UseShellExecute = $false
            $startInfo.WindowStyle = 'Hidden'
            $startInfo.CreateNoWindow = $true
            $startInfo.Arguments = $arguments

            try {
                $process = New-Object System.Diagnostics.Process
                $process.StartInfo = $startInfo
                $process.Start() | Out-Null
                $stdout = $process.StandardOutput.ReadToEnd()
                $stderr = $process.StandardError.ReadToEnd()
                $process.WaitForExit()
            }
            catch {
                # $_ is the exception that was just caught ($error would be the whole error history)
                throw "Failed $($startInfo.FileName): $_"
            }

            if ($process.ExitCode -ne 0) {
                throw "Failed with exit code $($process.ExitCode): $stderr"
            }

            $stdout
        }

        $file = "D:/jobscheduler.1.x/jobscheduler/data/1.12.x.x64-snapshot/config/live/JITL-473-cs/kdbx-p.kdbx"

        $spooler_log.info("--- get string property with exception handling ---")
        $property = "server/SFTP/homer.sos@user"
        $uri = "cs://" + $property + "?file=" + $file + "&password=test"
        $val = Get-CredentialStoreProperty($uri)
        # Demo only: this line writes the credential into the job log; leave it out in production.
        $spooler_log.info("[" + $property + "]=" + $val)

        $spooler_log.info("--- get string property without exception handling ---")
        $val = java com.sos.keepass.SOSKeePassDatabase $uri
        $spooler_log.info("[" + $property + "]=" + $val)

        $spooler_log.info("--- get binary property as string with exception handling and formatted output ---")
        $property = "server/SFTP/homer.sos@homer.privat.dsa"
        $uri = "cs://" + $property + "?file=" + $file + "&password=test&attachment=1"
        $val = Get-CredentialStoreProperty($uri)
        $spooler_log.info("[" + $property + "]=" + $val)

        $spooler_log.info("--- get binary property as string without exception handling ---")
        $val = java com.sos.keepass.SOSKeePassDatabase $uri
        $spooler_log.info("[" + $property + "]=" + $val)

    ]]></script>
    <run_time />
</job>


Shell Job (master/agent) Example
Only the com.sos.keepass.SOSKeePassDatabase main method can be used:

 

Unix/Windows examples will follow ...
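In the meantime, here is an added Unix example (not the project's own job code) of a shell job body that calls the main method and honours the exit status contract from the Current Behavior section: exit status 0 with the value on stdout, exit status 99 with the exception text on stderr. It assumes the class is on the classpath of the java command found via JAVA_HOME or PATH. The CS_JAVA override, the CS_RUN_JOB switch, job_main and cs_mask_uri are conventions of this example only, not JobScheduler features; CS_JAVA exists so the function can be exercised with a stub in place of java.

```shell
#!/bin/sh
# Added example, not the project's own job: a Unix shell job body that reads one
# credential through the com.sos.keepass.SOSKeePassDatabase main method and
# honours its exit status contract (0: value on stdout; 99: exception on stderr).
# Assumptions not from the page: the class is on the classpath of the java
# command; CS_JAVA (introduced here) may point at a different command, which is
# how the function is exercised with a stub instead of a real store.

# Mask the password before a URI goes into the job log.
cs_mask_uri() {
    printf '%s\n' "$1" | sed 's/password=[^&]*/password=***/'
}

# Call the main method with the URI as its single argument. Prints the value
# (without a trailing newline) on success; otherwise forwards the error text to
# stderr and returns the Java exit status (99 for an exception in the class).
cs_get_property() {
    uri=$1
    if [ -n "$CS_JAVA" ]; then
        java_cmd=$CS_JAVA
    elif [ -n "$JAVA_HOME" ]; then
        java_cmd=$JAVA_HOME/bin/java
    else
        java_cmd=java
    fi
    err_file=$(mktemp) || return 1
    rc=0
    # The whole URI, password included, is visible in the argument list (ps) of
    # the java process while it runs; prefer key_file over password on hosts
    # where other local users can list processes.
    value=$("$java_cmd" com.sos.keepass.SOSKeePassDatabase "$uri" 2>"$err_file") || rc=$?
    if [ "$rc" -ne 0 ]; then
        if [ "$rc" -eq 99 ]; then
            echo "SOSKeePassDatabase exception: $(cat "$err_file")" >&2
        else
            echo "java failed with exit status $rc: $(cat "$err_file")" >&2
        fi
        rm -f "$err_file"
        return "$rc"
    fi
    rm -f "$err_file"
    printf '%s' "$value"
}

# Job body: resolves the SFTP user from the store used in the examples above and
# hands it on as an environment variable; the value itself never reaches the job log.
job_main() {
    store=${1:-config/live/JITL-473-cs/kdbx-p.kdbx}
    uri="cs://server/SFTP/homer.sos@user?file=$store&password=test"
    echo "reading $(cs_mask_uri "$uri")"
    if sftp_user=$(cs_get_property "$uri"); then
        export SFTP_USER=$sftp_user
        echo "credential read, ${#sftp_user} characters"
    else
        echo "could not read credential, aborting job" >&2
        exit 1
    fi
}

# Run the job body only when asked, so the functions can also be sourced or tested.
if [ "${CS_RUN_JOB:-0}" = 1 ]; then
    job_main "$@"
fi
```

Set CS_RUN_JOB=1 in the job's environment (or drop the guard) to make the script act as the job body; the credential is passed to the following step through SFTP_USER and only its length is logged.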
