...

  • The job encrypts a secret using the target Agent's certificate.
  • A new variable is added to the workflow that holds the encrypted secret.
  • Examples:

    • For details see JS7 - How to encrypt and decrypt using Unix Shell

      Example for Encryption using Unix Shell:
      # encrypt secret
      result=$($JS7_AGENT_HOME/bin/js7_encrypt.sh --cert=$JS7_AGENT_CONFIG_DIR/foobar.crt --in="12345678")
      
      # forward "new_var" workflow variable holding the encrypted result
      echo "new_var=$result" >> $JS7_RETURN_VALUES
    • For details see JS7 - How to encrypt and decrypt using Windows Shell

      Example for Encryption using Windows Shell:
      @rem encrypt secret and return result with JS7_ENCRYPT_VALUE environment variable
      call "%JS7_AGENT_HOME%\bin\js7_encrypt.cmd" "--cert=%JS7_AGENT_CONFIG_DIR%\foobar.crt" "--in=12345678"
      
      @rem forward "new_var" workflow variable holding the encrypted result
      echo new_var=%JS7_ENCRYPT_VALUE% >> %JS7_RETURN_VALUES%
    • For details see JS7 - How to encrypt and decrypt using PowerShell

      Example for Encryption using PowerShell:
      # encrypt secret and return the result in the $result variable
      $result = Invoke-JS7Encrypt -CertificatePath $env:JS7_AGENT_CONFIG_DIR/foobar.crt -Value '12345678' -JavaLib $env:JS7_AGENT_HOME/lib
      
      # forward "new_var" workflow variable holding the encrypted result
      "new_var=$result" | Out-File $env:JS7_RETURN_VALUES -Append

...

  • Workflow variables are provided from environment variables for shell jobs, see JS7 - Job Instruction.
  • The job decrypts a secret using the current Agent's Private Key.
  • Examples:

    • Example for Decryption using Unix Shell:
      # encrypted result is assumed being available from NEW_VAR environment variable
      secret=$($JS7_AGENT_HOME/bin/js7_decrypt.sh \
          --key=$JS7_AGENT_CONFIG_DIR/private/foobar.key \
          --in="$NEW_VAR")
      echo $secret
    • Example for Decryption using Windows Shell:
      @rem encrypted result is assumed being available from NEW_VAR environment variable
      
      call "%JS7_AGENT_HOME%\bin\js7_decrypt.cmd" ^
          "--key=%JS7_AGENT_CONFIG_DIR%\private\foobar.key" ^
          "--in=%NEW_VAR%"
      @echo %JS7_DECRYPT_VALUE%
    • Example for Decryption using PowerShell:
      # encrypted result is assumed being available from NEW_VAR environment variable
      $secret = Invoke-JS7Decrypt -Value $env:NEW_VAR -KeyPath $env:JS7_AGENT_CONFIG_DIR/private/foobar.key -JavaLib $env:JS7_AGENT_HOME/lib
      Write-Output $secret

...

  • The job encrypts a secret using the target Agent's certificate and stores the encrypted result in a Job Resource variable.
  • Examples:

    • For details see JS7 - How to update a Job Resource using Unix Shell

      Example for Encryption using Unix Shell:
      $JS7_AGENT_HOME/bin/js7_set_job_resource.sh \
          --url=http://joc-2-0-primary:7446 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdBusinessSecret \
          --key=businessSecret \
          --value='12345678' \
          --env-var=BUSINESS_SECRET \
          --encrypt-cert=$JS7_AGENT_CONFIG_DIR/foobar.crt
    • For details see JS7 - How to update a Job Resource using PowerShell

      Example for Encryption using PowerShell:
      Set-JS7JobResource `
          -Path /ProductDemo/Variables/pdBusinessSecret `
          -Key 'businessSecret' `
          -Value '12345678' `
          -EnvVar 'BUSINESS_SECRET' `
          -EncryptCertificatePath $env:JS7_AGENT_CONFIG_DIR/foobar.crt `
          -JavaLib $env:JS7_AGENT_HOME/lib

...

  • An external application encrypts a configuration file using the target Agent's certificate. The encrypted configuration file is added to a Job Resource.
  • When the Job Resource is assigned to a workflow or job, JS7 transfers the Job Resource to all Agents that operate related jobs.
  • Examples:

    • For details see JS7 - How to update a Job Resource using Unix Shell

      Example for Encryption using Unix Shell:
      ./js7_set_job_resource.sh \
          --url=http://joc-2-0-primary:7446 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdConfigurationData \
          --key=configurationData \
          --file=application.conf \
          --env-var=CONFIGURATION_DATA \
          --encrypt-cert=foobar.crt
    • For details see JS7 - How to update a Job Resource using PowerShell

      Example for Encryption using PowerShell:
      Set-JS7JobResource `
          -Path /ProductDemo/Variables/pdConfigurationData `
          -Key 'configurationData' `
          -File application.conf `
          -EnvVar 'CONFIGURATION_DATA' `
          -EncryptCertificatePath foobar.crt `
          -JavaLib /js7/js7.encryption/lib

...

  • JS7 transfers the Job Resource to all Agents that operate workflows or jobs to which the Job Resource is assigned. The encrypted configuration file included with the Job Resource variable is stored in a temporary file per instance of a job (task, process) and is automatically removed when the job instance terminates.
  • Environment variables from the Job Resource variable denote the location of the temporary file and the encryption result:
    • <env-var>: location of temporary file
    • <env-var>_KEY: encryption result holding the encrypted symmetric key and initialization vector
  • The job uses the js7_decrypt.sh | .cmd scripts to decrypt the encrypted configuration file with its Private Key. Similarly, the Invoke-JS7Decrypt PowerShell cmdlet can be used.
  • Examples:

    • Example for Decryption using Unix Shell:
      # previous encryption is assumed to create the CONFIGURATION_DATA and CONFIGURATION_DATA_KEY environment variables in the Job Resource:
      # ./js7_set_job_resource.sh --job-resource=/ProductDemo/Variables/pdConfigurationData --key=configurationData --file=application.conf --env-var=CONFIGURATION_DATA ...
      
      # CONFIGURATION_DATA environment variable specifies the path to a temporary file provided by JS7 that holds the encrypted configuration data
      echo "$CONFIGURATION_DATA"
      # CONFIGURATION_DATA_KEY environment variable holds the encrypted symmetric key and initialization vector
      echo "$CONFIGURATION_DATA_KEY"
      
      # decrypt configuration file and store to a temporary file
      $JS7_AGENT_HOME/bin/js7_decrypt.sh \
          --key=$JS7_AGENT_CONFIG_DIR/private/foobar.key \
          --in="$CONFIGURATION_DATA_KEY" \
          --infile="$CONFIGURATION_DATA" \
          --outfile=application-$$.conf
      
      # on job termination JS7 automatically performs cleanup of the temporary file denoted by CONFIGURATION_DATA
      # user's job implementation has to clean up temporary files created by the job
      rm -f application-$$.conf
    • Example for Decryption using Windows Shell:
      @rem previous encryption is assumed to create the CONFIGURATION_DATA and CONFIGURATION_DATA_KEY environment variables in the Job Resource:
      
      @rem CONFIGURATION_DATA environment variable specifies the path to a temporary file provided by JS7 that holds the encrypted configuration data
      @echo %CONFIGURATION_DATA%
      @rem CONFIGURATION_DATA_KEY environment variable holds the encrypted symmetric key and initialization vector
      @echo %CONFIGURATION_DATA_KEY%
      
      set "TempFile=%TEMP%\application-%DATE%-%TIME::=.%.%RANDOM%.conf"
      call "%JS7_AGENT_HOME%\bin\js7_decrypt.cmd" ^
          "--key=%JS7_AGENT_CONFIG_DIR%\private\foobar.key" ^
          "--in=%CONFIGURATION_DATA_KEY%" ^
          "--infile=%CONFIGURATION_DATA%" ^
          "--outfile=%TempFile%"
      
      @rem on job termination JS7 automatically performs cleanup of the temporary file denoted by CONFIGURATION_DATA
      @rem user's job implementation has to clean up temporary files created by the job
      del /F "%TempFile%"
    • Example for Decryption using PowerShell:
      # previous encryption is assumed to create the CONFIGURATION_DATA and CONFIGURATION_DATA_KEY environment variables in the Job Resource:
      # Set-JS7JobResource -Path /ProductDemo/Variables/pdConfigurationData -Key 'configurationData' -File application.conf -EnvVar 'CONFIGURATION_DATA' ...
      
      # CONFIGURATION_DATA environment variable specifies the path to a temporary file provided by JS7 that holds the encrypted configuration data
      Write-Output $env:CONFIGURATION_DATA
      # CONFIGURATION_DATA_KEY environment variable holds the encrypted symmetric key and initialization vector
      Write-Output $env:CONFIGURATION_DATA_KEY
      
      # decrypt configuration file
      $tempFile = New-TemporaryFile
      Invoke-JS7Decrypt `
          -Value $env:CONFIGURATION_DATA_KEY `
          -File $env:CONFIGURATION_DATA `
          -OutFile $tempFile `
          -KeyPath $env:JS7_AGENT_CONFIG_DIR/private/foobar.key `
          -JavaLib $env:JS7_AGENT_HOME/lib
      
      # on job termination JS7 automatically performs cleanup of the temporary file denoted by CONFIGURATION_DATA
      # user's job implementation has to clean up temporary files created by the job
      Remove-Item -Path $tempFile -Force
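
The Unix Shell decryption job above can be wrapped so that the plaintext file is private to the job account and is removed on every exit path, including a failed decryption. This is an added example, not code from JS7: the run_with_config function name is hypothetical, and only the js7_decrypt.sh options and the environment variables shown above are used.

```shell
#!/bin/sh
# Added example (not JS7 code): decrypt a Job Resource file into a private
# temporary file and remove the plaintext on every exit path.
# Assumes JS7_AGENT_HOME, JS7_AGENT_CONFIG_DIR, CONFIGURATION_DATA and
# CONFIGURATION_DATA_KEY are set as in the examples above; the function
# name run_with_config is hypothetical, foobar.key is the page's sample key.

run_with_config() {
    # "$@": command that consumes the plaintext; the file path is appended
    # as its last argument, e.g.  run_with_config my_app --config
    [ "$#" -gt 0 ] || { echo "usage: run_with_config command [args]" >&2; return 2; }
    (
        umask 077                                    # plaintext readable by the job account only
        plain=$(mktemp "${TMPDIR:-/tmp}/application.XXXXXX") || exit 1
        trap 'rm -f "$plain"' EXIT                   # cleanup on success and on failure
        trap 'exit 130' INT TERM                     # signals become an exit so the EXIT trap runs

        [ -n "$CONFIGURATION_DATA_KEY" ] || { echo "CONFIGURATION_DATA_KEY is empty" >&2; exit 2; }
        [ -r "$CONFIGURATION_DATA" ]     || { echo "encrypted file is not readable" >&2; exit 2; }

        "$JS7_AGENT_HOME/bin/js7_decrypt.sh" \
            --key="$JS7_AGENT_CONFIG_DIR/private/foobar.key" \
            --in="$CONFIGURATION_DATA_KEY" \
            --infile="$CONFIGURATION_DATA" \
            --outfile="$plain" || { echo "decryption failed" >&2; exit 3; }

        "$@" "$plain"                                # exit status of the command is returned
    )
}
```

The function returns 2 for missing input, 3 for a failed decryption, and otherwise the exit status of the wrapped command.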

...

  • Users create individual Private Keys and Certificates for encryption/decryption of secrets per Agent.
  • Users create Private Keys and Certificates that are shared amongst a number of Agents.
    • This applies to use of an Agent Cluster that allows jobs to be executed on any Agent in the cluster.

It is possible for jobs to access an Agent's Private Key and SSL Certificate that are used to secure HTTPS connections, see JS7 - Agent HTTPS Connections. This requires the Agent's SSL Certificate to be created with the dataEncipherment key usage option. Many users consider it more secure to use separate keys for HTTPS connections and for encryption/decryption of secrets.
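
The key usage requirement can be checked with OpenSSL before a certificate is used for secrets, and a separate key pair can be created for that purpose alone. This is an added example, not taken from the JS7 documentation: the function names, the RSA key type, the self-signed certificate and the validity period are assumptions, and the -addext option requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not JS7 code). Function names, RSA as key type, the
# self-signed certificate and its validity period are assumptions.

# Create a key pair and self-signed certificate used only for encryption and
# decryption of secrets, kept apart from the Agent's HTTPS key.
# $1: key file  $2: certificate file  $3: subject CN  $4: RSA bits (default 3072)
new_secret_cert() {
    (
        umask 077    # the private key is readable by the owning account only
        openssl req -x509 -newkey "rsa:${4:-3072}" -nodes -days 365 \
            -keyout "$1" -out "$2" -subj "/CN=$3" \
            -addext "keyUsage=critical,dataEncipherment" 2>/dev/null
    )
}

# Succeeds only if the certificate carries the dataEncipherment key usage.
# $1: certificate file
cert_allows_data_encipherment() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "Data Encipherment"
}

# Usage with the page's sample file names:
#   new_secret_cert "$JS7_AGENT_CONFIG_DIR/private/foobar.key" "$JS7_AGENT_CONFIG_DIR/foobar.crt" "foobar"
#   cert_allows_data_encipherment "$JS7_AGENT_CONFIG_DIR/foobar.crt" || echo "certificate lacks dataEncipherment" >&2
```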

...