Introduction
A number of JS7 - Job Templates that implement database access support use of a Credential Store:
Use with JITL Database Jobs
JITL Database Jobs can access a Credential Store in the following ways:
- when being used with a Hibernate configuration file,
- by use of arguments
Use with a Hibernate Configuration File
The Hibernate access layer is used for database access and therefore requires configuration files for credentials. The access information such as accounts, passwords and JDBC URLs etc. are specified in Hibernate configuration files.
Generally it is preferable not to use passwords to access a database but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords then instead of using a plain text password in a configuration file you can add your password to a KeePass Credential Store and add a reference for the Credential Store to your Hibernate configuration file.
Referencing a Credential Store
Syntax for Hibernate Configuration Files
The Hibernate configuration file includes a number of XML elements that can be populated from a Credential Store. It provides two types of syntax:
Full Syntax
The Full syntax is used when the complete URI is specified with each element of the Hibernate configuration file:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
<session-factory>
... <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property>
<property name="hibernate.connection.password">cs://secret/database/reporting@password?file=./config/secret.kdbx</property>
<property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx</property> ...
</session-factory>
</hibernate-configuration
Explanation:
- The
secret/database/reportingvalue is an example for a path to an entry in the KeePass database that holds the credentials. - The
./config/secret.kdbxvalue is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The Short syntax is used when the credential store items are to be used in the hibernate configuration to provide the details about the credential store:
<property name="hibernate.sos.credential_store_file">./config/secret.kdbx</property>=> path to the Credential Store file<property name="hibernate.sos.credential_store_key_file">./config/secret.key</property>=> path of the key file for the Credential Store<property name="hibernate.sos.credential_store_password">secret</property>=> password of the Credential Store file<property name="hibernate.sos.credential_store_entry_path">/secret/database/reporting</property>=> specifies the folder hierarchy and entry name in the Credentials Store file
When adding the Credential Store reference to the Hibernate configuration file as above then credentials can be retrieved from the Credential Store by using the following elements:
<property name="hibernate.connection.username">cs://@user</property><property name="hibernate.connection.password">cs://@password</property><property name="hibernate.connection.url">cs://@url</property>
URI and Query Parameters Hibernate Configuration Files
URI
cs://<entry_path>@<property_name> - required
- The URI based syntax includes the protocol cs://
- followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credentials Store.
- followed by the @ character
followed by the <property_name> that should be retrieved:
- frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported.
Query Parameters
file - required
the path to the Credential Store file. This file can be located anywhere in the file system.password - optional
the password for the Credential Store file.
It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.key_file - optional, default: <credential_store_filename_without_extension>.key
Refer to the Using a Credential Store for Jobs article for a detailed description.
Use with Arguments
The JITL Database Jobs support the following arguments:
Name | Purpose | Required | Default Value | Example |
|---|---|---|---|---|
| JDBC connection string | Either a DB URL or a reference to a Credential Store is used. User and password for database access can be specified by arguments or a reference to a Credential Store is used. |
| |
| User name for database access | scott | ||
| Password for database access | tiger | ||
credential_store_file | Location of a credential store file (*.kdbx) | false | ./config/private/jobs.kdbx | |
credential_store_key | Location of a credential store file (*.key) | false | ./config/private/jobs.key |
JITL SAP Jobs can
- Starting Point
- Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
- Such jobs are implemented as simple shell jobs.
- Security Considerations
- Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files. Therefore credentials cannot be forwarded by parameters to jobs.
- Instead, a run-time interface is offered that allows to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
- Credential Store
- A credential store allows the secure storage and retrieval of credentials for authentication, as well as connection and other parameters, for a detailed features and supported products see YADE Credential Store.
- Solution Outline
- Access to the credential store is provided by a Java class that can be loaded from shell jobs and from JS7 - Job Templates.
- The Java class is parameterized with the path that identifies the requested entry from the credential store.
Usage
JS7 Agents provide the com.sos.keepass.SOSKeePassDatabase Java class that can be invoked
- in a shell job by calling the
javacommand line utility with the class name:- If the class is executed successfully:
- return code = 0, output is sent to stdout
- If execution of the class ends in error:
- return code = 99, exception output is sent to stderr
from the command line like this:
java com.sos.keepass.SOSKeePassDatabase "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"When invoking the class then the path to the entry in the credential store has to be specified.
- If the class is executed successfully:
- by use of a shell script provided with JS7 Agents
- for Unix environments:
$JS7_AGENT_HOME/bin/agent_credential_value.sh "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"
- for Windows environments:
%JS7_AGENT_HOME%\bin\agent_credential_value.cmd "cs://server/SFTP/homer.sos@password?file=credential_store.kdbx"
- The script hides the call to the
javacommand line utility.
- for Unix environments:
- A call to the
SOSKeePassDatabaseclass syntactically uses a single parameter string that holds the URI and a number of query parameters:
URI
cs://<entry_path>@<property_name>- required- The URI based syntax includes the protocol
cs:// - followed by the
<entry_path>that specifies the directory structure and entry name in the credentials store file. - followed by the @ character
- followed by the
<property_name>that should be retrieved:- frequently used properties include credential store field names such as
title, user, password. Custom field names are supported.- starting with JITL-585 the
attachmentproperty is supported
- starting with JITL-585 the
- for detailed explanations of available properties see the Using Credential Store to securely store authentication, connection and other parameters article.
- frequently used properties include credential store field names such as
- The URI based syntax includes the protocol
Query Parameters
Standard Parameters
file- required- the path to the credential store database file. This file can be stored anywhere in the file system.
- The path can be specified either relatively or absolutely. As a path separator both forward slashes and backslashes can be used. For example:
- Relative paths are considered with respect to the Agent's working directory, see
JS7_AGENT_WORK_DIRfrom the JS7 - Job Environment Variables
password- optional- the password for the credential store database file.
- It is recommended not to use this parameter and instead to use a
key_fileto access the credential store.
key_file- optional, default: <credential_store_database_filename_without_extension>.key- a key file for the credential store database file.
- If this parameter is set:
- this path can be specified either relatively or absolutely. See explanation for the
fileparameter. - An exception will be raised if the .key file cannot be found.
- this path can be specified either relatively or absolutely. See explanation for the
- If this parameter is not set:
- a <credential_store_database_filename_without_extension>.key file such as credential_store.kdbx -> credential_store.key will be looked up in the directory where the credential store database file is located.
- The .key file will be used if it exists.
- An exception will be raised if a .key file is not found and the
passwordparameter is not used.
- a <credential_store_database_filename_without_extension>.key file such as credential_store.kdbx -> credential_store.key will be looked up in the directory where the credential store database file is located.
ignore_expired- optional (boolean 0-1), default: 0- ignore_expired=0 - an exception is raised if the entry has expired.
- ignore_expired=1 - expiration of an entry is ignored.
attachment- optional (boolean 0-1)- attachment=1 - a attachment field is used.
Advanced Parameters
create_entry- optional (boolean 0-1), default:0create_entry=0 - an exception is raised if the entry cannot be found.create_entry=1 - creates an entry if it does not exist.- an exception is raised if the root group of the
cs://<entry_path>URI does not match the credential store root group. - creates the full path to the entry if it does not exist.
- an exception is raised if the root group of the
set_property- optional- set value of a string property:
cs://<entry_path>@<property_name>?...&set_property=<value><property_name>property exists:- property value will be updated.
<property_name>property does not exist:<property_name>property will be created with the given value.
- set value of a binary property:
cs://<entry_path>@<property_name>?...&set_property=<file path>&attachment=1<property_name>property exists:- property value will be updated with the
<file path>file content.
- property value will be updated with the
<property_name>property does not exist:<property_name>binary property will be created with the<file path>file content.
cs://<entry_path>@attachment?...&set_property=<file path>- creates a new binary property with the given file content if it does not exist (property name is a file name), or updates the binary property value from the given file content.
- set value of a string property:
stdout_on_set_binary_property- optional (boolean 0-1), default:0stdout_on_set_binary_property=0- does not create any output for the binary property set with the
set_property.
- does not create any output for the binary property set with the
stdout_on_set_binary_property=1- creates output to stdout for the binary property set with the
set_property.
- creates output to stdout for the binary property set with the
Overview
Content Tools