...
A number of JS7 - Job Templates support the use of a Credential Store:
...
A number of JITL Job Templates require credentials, for example, to access a database.
- Security Considerations
- Sensitive information in jobs should not be hard-coded, should not be used from parameters and should not be disclosed, e.g. written to log files.
- Instead, a run-time interface is offered that allows sensitive information to be retrieved from a Credential Store. References to Credential Store entries can safely be specified with argument values.
- Credential Store
- A credential store allows the secure storage and retrieval of credentials for authentication, as well as connection details and other parameters.
- See JS7 - Use of Credential Store with Shell Jobs
- See YADE Credential Store.
- Solution Outline
- Access to the Credential Store is automatically provided for JS7 - Job Templates.
...
file
- required: the path to the Credential Store file. This file can be located anywhere in the file system.
- A relative path can be used that is calculated from the Agent's working directory:
  - By default this is the Agent's configuration directory, for example, /home/sos/js7/agent/var_<http-port> for Unix, C:\ProgramData\sos-berlin.com\js7\agent for Windows.
  - Example: a relative path ./config/secret.kdbx maps to C:\ProgramData\sos-berlin.com\js7\agent\config\secret.kdbx
password
- optional: the password for access to the Credential Store file. It is recommended that this parameter is not used and that instead a key_file is used to access the Credential Store.
key_file
- optional, default: the path and name of the Credential Store file using the extension .key, for example, by default ./config/jobs.key is assumed if the Credential Store file ./config/jobs.kdbx is specified.
JS7 - JITL Database Jobs can access a Credential Store in the following ways:
- using a Hibernate configuration file
- using arguments
Use with a Hibernate Configuration File
The Hibernate access layer is used for database access and is frequently used with database credentials. The access information such as accounts, passwords and JDBC URLs etc. is specified with the Hibernate configuration files.
Generally it is preferable not to use passwords to access a database directly but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords, then instead of using a plain text password in a configuration file, users can add a password to a KeePass Credential Store and add a reference to the Credential Store to their Hibernate configuration file. This applies to the following JITL Database Jobs:
...
The full syntax is used when the complete URI is specified with each element of the Hibernate configuration file:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
  <session-factory>
    ...
    <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property>
    <property name="hibernate.connection.password">cs://secret/database/reporting@password?file=./config/secret.kdbx</property>
    <property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx</property>
    ...
  </session-factory>
</hibernate-configuration>
```
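A review check for Hibernate configuration files, added here as an example and not taken from JS7: it reports a plain-text hibernate.connection.password and any cs:// reference that carries the store password. It assumes that password is accepted as a query parameter next to file; the sample configuration and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain-text password and a reference that embeds
# the Credential Store password (assumed query parameter "password").
SAMPLE = """<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property>
    <property name="hibernate.connection.password">Pa55w0rd-constructed</property>
    <property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx&amp;password=secret</property>
  </session-factory>
</hibernate-configuration>"""


def audit_hibernate_config(xml_text):
    """Return (property name, issue) pairs; values are never echoed back."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        value = (prop.text or "").strip()
        if not name.startswith("hibernate.connection."):
            continue
        if not value.startswith("cs://"):
            # Only the password property must not hold a literal value.
            if name.endswith(".password") and value:
                findings.append((name, "plain-text password"))
            continue
        # Inspect the query part of the reference for an embedded password.
        query = value.partition("?")[2]
        keys = [pair.split("=", 1)[0] for pair in query.split("&") if pair]
        if "password" in keys:
            findings.append((name, "store password embedded in reference"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_hibernate_config(SAMPLE):
        print(f"{name}: {issue}")
```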
...
References to a Credential Store can be directly specified from arguments. This applies to the following JITL Database Jobs:
...
References to a Credential Store
References to a Credential Store can be directly specified from arguments.
...
Name | Required | Purpose | Example |
---|---|---|---|
| yes | JDBC connection string | |
| yes | User name for database access | cs://jobs/oracle/minos.sos@user |
| yes | Password for database access | cs://jobs/oracle/minos.sos@password |
credential_store_file | yes | Location of the Credential Store database file (*.kdbx) | ./config/jobs.kdbx |
credential_store_key_file | no | Location of the Credential Store key file (*.key) | ./config/jobs.key |
credential_store_password | no | Password of the Credential Store | secret |
credential_store_entry_path | no | Folder hierarchy and entry name in the Credential Store | /jobs/oracle |
Use with Arguments
References to a Credential Store can be directly specified from arguments. This applies to the following JITL Mail Jobs:
...
References to a Credential Store
References to a Credential Store can be directly specified from arguments.
...
The full syntax is used when the complete URI is specified with an argument. For example:
Name | Purpose | Example |
---|---|---|
| SMTP hostname or IP address | |
| User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user?file=./config/jobs.kdbx |
| Password for SMTP authentication | |
...
Name | Required | Purpose | Example |
---|---|---|---|
| yes | SMTP hostname or IP address | |
| yes | User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user |
| yes | Password for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@password |
credential_store_file | yes | Location of the Credential Store database file (*.kdbx) | ./config/jobs.kdbx |
credential_store_key_file | no | Location of the Credential Store key file (*.key) | ./config/jobs.key |
credential_store_password | no | Password of the Credential Store | secret |
credential_store_entry_path | no | Folder hierarchy and entry name in the Credential Store | /jobs/mail |
Use with JITL SAP Jobs
...
Use with Arguments
References to a Credential Store can be directly specified from arguments. This applies to the following JITL SSH Jobs:
References to a Credential Store
References to a credential store can be directly specified from arguments.
Full Syntax
The full syntax is used when the complete URI is specified with an argument, for example:
Name | Purpose | Example |
---|---|---|
| This argument specifies the user account to be used when connecting to the SSH server. | |
| This argument specifies the user account's password for authentication by the SSH server and has to be specified if the password authentication method is specified with the | cs://jobs/ssh/ssh.sos-berlin.com@password?file=./config/jobs.kdbx |
| This argument specifies the path and name of a private key file used for authentication with an SSH server. This argument has to be specified if the publickey authentication method is specified with the | |
proxy_user | The value of this argument specifies the user account for authentication with the proxy server that is used to connect to the SSH server. | cs://jobs/ssh/ssh-proxy.sos-berlin.com@user?file=./config/jobs.kdbx |
proxy_password | This argument specifies the password for the proxy server user account if a proxy is used to connect to the SSH server. | cs://jobs/ssh/ssh-proxy.sos-berlin.com@password?file=./config/jobs.kdbx |
Explanation:
- The jobs/mail/ssh.sos-berlin.com value is an example for the path to an entry in the KeePass database that holds the credentials.
- The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The short syntax can be used if arguments are specified with references to the Credential Store location, for example:
Name | Example |
---|---|
|
|
| cs://jobs/ssh/ssh.sos-berlin.com@password |
| cs://jobs/ssh/ssh.sos-berlin.com@attachment |
credential_store_file | ./config/jobs.kdbx |
credential_store_key_file | ./config/jobs.key |
credential_store_password | secret |
credential_store_entry_path | /jobs/ssh |
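How a reference in full or short syntax breaks down into entry path, property and store location, as an added example that is not JS7 code; it covers the database, mail and SSH argument tables alike and goes slightly beyond them by also applying the documented key file default and relative path rule. Assumptions: a Unix Agent directory with the constructed port 4445, password and key_file accepted as query parameters next to file, and no modelling of credential_store_entry_path.

```python
import posixpath
from urllib.parse import parse_qsl

# Assumption: Unix Agent configuration directory; port 4445 is constructed.
AGENT_DIR = "/home/sos/js7/agent/var_4445"


def resolve_cs_reference(value, job_args=None, agent_dir=AGENT_DIR):
    """Split a cs:// reference and locate the Credential Store files it needs."""
    job_args = job_args or {}
    if not value.startswith("cs://"):
        raise ValueError("not a Credential Store reference")
    body, _, query = value[len("cs://"):].partition("?")
    entry, sep, prop = body.rpartition("@")
    if not (sep and entry and prop):
        raise ValueError("expected cs://<entry path>@<property>")
    params = dict(parse_qsl(query, keep_blank_values=True))

    # Full syntax carries ?file=...; short syntax relies on job arguments.
    store = params.get("file") or job_args.get("credential_store_file")
    if not store:
        raise ValueError("no Credential Store file in reference or arguments")
    key_file = params.get("key_file") or job_args.get("credential_store_key_file")
    if not key_file:
        # Documented default: same path and name with the .key extension.
        key_file = posixpath.splitext(store)[0] + ".key"

    def absolute(path):
        # Relative paths are calculated from the Agent directory.
        return posixpath.normpath(posixpath.join(agent_dir, path))

    return {
        "entry": "/" + entry.strip("/"),
        "property": prop,
        "store": absolute(store),
        "key_file": absolute(key_file),
        # True when a store password travels in the reference or arguments,
        # which the page recommends replacing with a key file.
        "password_supplied": "password" in params
                             or "credential_store_password" in job_args,
    }


if __name__ == "__main__":
    short_args = {"credential_store_file": "./config/jobs.kdbx"}
    print(resolve_cs_reference("cs://jobs/ssh/ssh.sos-berlin.com@password", short_args))
```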
...