Credential Store using Hibernate file

Introduction

The Hibernate configuration files are the Database configuration files. The database information like database users, passwords, and jdbc URLs etc are specified in the hibernate configuration files. These files configuration files can be used at the time of installation or can be created for the using with the ManagedDatabaseJobJSAdapterClass job.

The Hibernate configuration files used by installation are: 

• The following hibernate configuration files are available with JobScheduler Master and JOC Cockpit:
  • JobScheduler run-time database: hibernate.cfg.xml for JobScheduler and jobscheduler.hibernate.cfg.xml for JOC Cockpit

  • Reporting database: reporting.hibernate.cfg.xml 

• Database accounts, passwords, and URLs are specified as plain text with the above hibernate configuration files when they are provided at the time of installation using option <entry key="databaseConfigurationMethod" value="withoutHibernateFile"/>. To make the hibernate configuration file to use the database information from the Credential Store it is required to first create the hibernate configuration files and then use the <entry key="databaseConfigurationMethod" value="withHibernateFile"/> at the time of installation and provide the path to the Hibernate configurations file.
• Hibernate configuration file also supports Credential Store. 
  FEATURE AVAILABILITY STARTING FROM RELEASE 1.13.3
  FEATURE AVAILABILITY STARTING FROM RELEASE 1.12.12

Create a custom hibernate file which accesses the Database accounts, password, and URL from the Credential Store.

URI

cs://<entry_path>@<property_name> - required 

• The URI based syntax includes the protocol cs:// 
• followed by the <entry_path> that specifies the directory structure and entry name in the credentials store file.
• followed by the @ character

• followed by the <property_name> that should be retrieved:

  • frequently used properties include credential store field names such as title, user, password,attachment Custom field names are supported. 

Query Parameters

• file - required 
  the path to the credential store database file. This file can be stored anywhere in the file system.

• password - optional 
  the password for the credential store database file. 
  It is recommended not to use this parameter and instead to use a key_file to access the credential store.

• key_file - optional, default: <credential_store_database_filename_without_extension>.key 

For detailed information about query parameter Query Parameters.

Syntax:

The Full syntax used in the hibernate file to access the credentials: 

• <property name="hibernate.connection.password">cs://<entry_path>@user?file=some/path/database.kdbx</property> 
• <property name="hibernate.connection.password">cs://<entry_path>@password?file=some/path/database.kdbx</property>

• <property name="hibernate.connection.url">cs://<entry_path>@url?file=some/path/database.kdbx</property>

Alternatively, use the short syntax in the hibetnate file : 

• <property name="hibernate.connection.username">cs://@user</property> 
• <property name="hibernate.connection.password">cs://@password</property> 
• <property name="hibernate.connection.url">cs://@url</property>

       Inroducing new hibernate configuration credential store items for the Short syntax:

• <property name="hibernate.sos.credential_store_file">some/path/database.kdbx</property> 
• <property name="hibernate.sos.credential_store_key_file">some/path/database.key</property> 
• <property name="hibernate.sos.credential_store_password">some password</property> 
• <property name="hibernate.sos.credential_store_entry_path">/some/entry/path</property> 

Save the custom hibernate.cfg.xml file on any location and assign the path of the hibernate file in the job parameter. 

Example of hibernate file that uses KeePass for access database credential

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
<session-factory>
<property name="hibernate.connection.url"><![CDATA[cs://server/test/reporting/MySQL@url?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>
<property name="hibernate.connection.username"><![CDATA[cs://server/prod/reporting/MySQL@username?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>
<property name="hibernate.connection.password"><![CDATA[cs://server/test/reporting/MySQL@password?file=config/cs/kdbx-p-f.kdbx&password=test]]></property>

<property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
<property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
<property name="hibernate.show_sql">false</property>
<property name="hibernate.connection.autocommit">false</property>
<property name="hibernate.format_sql">true</property>
<property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
</session-factory>
</hibernate-configuration>

Explanations

• Hibernate file make use of kdbx KeePass database for accessing Database credential
• <entry_path> of the kdbx database of KeePass Credential Store
• file-File path of kdbx keePass database.
• password- Password for accessing kdbx database where credentials store

Example of hibernate file with a key file for the credential store database file.  

<?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<hibernate-configuration> 
<session-factory> 
<property name="hibernate.connection.url"><![CDATA[cs://kdbx-p-f/MySQL@url?file=./config/live/keepass/kdbx-p-f.kdbx]]></property> 
<property name="hibernate.connection.username"><![CDATA[cs://kdbx-p-f/MySQL@username?file=./config/live/keepass/kdbx-p-f.kdbx]]></property> 
<property name="hibernate.connection.password"><![CDATA[cs://kdbx-p-f/MySQL@password?file=./config/live/keepass/kdbx-p-f.kdbx]]></property> 
<property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property> 
<property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property> 
<property name="hibernate.show_sql">false</property> 
<property name="hibernate.connection.autocommit">false</property>  
<property name="hibernate.format_sql">true</property> 
<property name="hibernate.temp.use_jdbc_metadata_defaults">false</property> 
</session-factory> 
</hibernate-configuration> 

Explanations

• Hibernate file make use of kdbx Key File Authentication for accessing Database credential
• <entry_path> path where the MySQL database credential stores.
• file- is the file path where the kdbx key file stores.

Downloads

• Download the attached archive:
  • For Windows Operating System credential_store_using_hibernate_Key_file_example.zip
  • For Linux Operating System credential_store_using_hibernate_key_file_example.tar
• Unzip the archive to the live folder of JobScheduler installation 
• Add the database configuration according to your environment in the KDBX database (present in the example folder)  for using the kdbx with the key file which accesses the credential to log in to the database.

References

• Links to Change Management System 
  • JITL-587 - Getting issue details... STATUS