Introduction
A number of JS7 - Job Templates support use of a Credential Store: a number of JITL Job Templates require credentials, e.g. to access a database.
- Security Considerations
  - Sensitive information in jobs should not be hard-coded, should not be passed as parameters and should not be disclosed, e.g. written to log files.
  - Instead, a run-time interface is offered that allows sensitive information to be retrieved from a Credential Store. References to Credential Store entries can safely be specified as argument values.
- Credential Store
  - A Credential Store allows credentials for authentication, as well as connection details and other parameters, to be stored and retrieved securely.
  - See JS7 - Use of Credential Store with Shell Jobs
  - See YADE Credential Store.
- Solution Outline
  - Access to the Credential Store is automatically provided for JS7 - Job Templates.
Credential Store Access
Access to a Credential Store is specified with the URI and Query Parameters of the Credential Store.
URI
cs://<entry_path>@<property_name>
- required
- The URI based syntax includes the protocol cs://
  - followed by the <entry_path> that specifies the folder hierarchy and entry name in the Credential Store,
  - followed by the @ character, followed by the <property_name> that should be retrieved:
    - frequently-used properties include Credential Store field names such as title, user, password, url, attachment. Custom field names are supported.
Query Parameters
file
- required: the path to the Credential Store file. This file can be located anywhere in the file system.
  - A relative path can be used that is calculated from the Agent's working directory:
    - By default this is the Agent's configuration directory, for example
      - /home/sos/js7/agent/var_<http-port> for Unix
      - C:\ProgramData\sos-berlin.com\js7\agent for Windows
    - Example: a relative path ./config/secret.kdbx maps to C:\ProgramData\sos-berlin.com\js7\agent\config\secret.kdbx
password
- optional: the password for access to the Credential Store file.
  It is recommended not to use this parameter and instead to use a key_file to access the Credential Store.
key_file
- optional, default: the path and name of the Credential Store file using the extension .key. For example, by default ./config/jobs.key is assumed if the Credential Store file ./config/jobs.kdbx is specified.
Use with JITL Database Jobs
JITL Database Jobs can access a Credential Store in the following ways:
- by use of a Hibernate configuration file,
- by use of arguments
Use with a Hibernate Configuration File
The Hibernate access layer is used for database access and frequently requires database credentials. Access information such as accounts, passwords and JDBC URLs is specified with Hibernate configuration files.
Generally it is preferable not to use passwords to access a database but to use Integrated Security, Oracle Wallet etc. However, should there be a need to specify passwords then instead of using a plain text password in a configuration file you can add your password to a KeePass Credential Store and add a reference for the Credential Store to your Hibernate configuration file. This applies to the following JITL Database Jobs:
References to a Credential Store
The Hibernate configuration file includes a number of XML elements that can be populated from a Credential Store. It provides two types of syntax.
Full Syntax
The full syntax is used when the complete URI is specified with each element of the Hibernate configuration file:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
  <session-factory>
    ...
    <property name="hibernate.connection.username">cs://secret/database/reporting@user?file=./config/secret.kdbx</property>
    <property name="hibernate.connection.password">cs://secret/database/reporting@password?file=./config/secret.kdbx</property>
    <property name="hibernate.connection.url">cs://secret/database/reporting@url?file=./config/secret.kdbx</property>
    ...
  </session-factory>
</hibernate-configuration>
Explanation:
- The secret/database/reporting value is an example for a path to an entry in the KeePass database that holds the credentials.
- The ./config/secret.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The short syntax can be used if the Hibernate configuration file includes explicit references to the Credential Store:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
  <session-factory>
    ...
    <property name="hibernate.connection.username">cs://@user</property>
    <property name="hibernate.connection.password">cs://@password</property>
    <property name="hibernate.connection.url">cs://@url</property>
    ...
    <property name="hibernate.sos.credential_store_file">./config/secret.kdbx</property>
    <property name="hibernate.sos.credential_store_key_file">./config/secret.key</property>
    <property name="hibernate.sos.credential_store_password">secret</property>
    <property name="hibernate.sos.credential_store_entry_path">/secret/database/reporting</property>
    ...
  </session-factory>
</hibernate-configuration>
Explanation:
- <property name="hibernate.sos.credential_store_file"> => path to the Credential Store database file
- <property name="hibernate.sos.credential_store_key_file"> => path to the key file for the Credential Store
- <property name="hibernate.sos.credential_store_password"> => password of the Credential Store database file
- <property name="hibernate.sos.credential_store_entry_path"> => folder hierarchy and entry name in the Credential Store database file
Example for Hibernate Configuration File
A Hibernate configuration file using a reference to the Credential Store and the short syntax for credential references can look like this:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.sos.credential_store_file">./config/jobs.kdbx</property>
    <property name="hibernate.sos.credential_store_key">./config/private/jobs.key</property>
    <property name="hibernate.connection.driver_class">org.mariadb.jdbc.Driver</property>
    <property name="hibernate.connection.password">cs://jobs/mysql/mysql-5-7@password</property>
    <property name="hibernate.connection.url">cs://jobs/mysql/mysql-5-7@url</property>
    <property name="hibernate.connection.username">cs://jobs/mysql/mysql-5-7@user</property>
    <property name="hibernate.dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
    <property name="hibernate.show_sql">false</property>
    <property name="hibernate.connection.autocommit">false</property>
    <property name="hibernate.format_sql">true</property>
    <property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
    <!-- Hikari Connection Pool -->
    <property name="hibernate.connection.provider_class">org.hibernate.hikaricp.internal.HikariCPConnectionProvider</property>
    <property name="hibernate.hikari.maximumPoolSize">10</property>
  </session-factory>
</hibernate-configuration>
Explanation:
- <property name="hibernate.sos.credential_store_file"> specifies the location of the Credential Store database file.
- <property name="hibernate.sos.credential_store_key"> specifies the location of the Credential Store key file. In this example the key file is stored at a location different from the database file and therefore has to be specified. If the key file is available from the same folder as the database file and uses the same base name, this parameter can be omitted.
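As an added example (not SOS code), the following Python resolves cs:// references the way the URI and Query Parameters section and the Hibernate full and short syntax above describe them: query parameters take precedence, the short form is completed from the hibernate.sos.credential_store_* properties, and key_file defaults to the store file name with a .key extension. CsRef, resolve() and resolve_hibernate() are this example's own names; only the reference is resolved, no KeePass database is opened.

```python
"""Resolve JS7 cs:// Credential Store references (added example, not SOS code).
Full syntax:  cs://<entry_path>@<property_name>?file=...&key_file=...&password=...
Short syntax: cs://@<property_name>, completed from hibernate.sos.credential_store_*.
Only the reference is resolved; no KeePass database is opened."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs
# Property names as used in the page's short-syntax Hibernate example.
STORE_PROPS = {"file": "hibernate.sos.credential_store_file",
               "key_file": "hibernate.sos.credential_store_key_file",
               "password": "hibernate.sos.credential_store_password",
               "entry_path": "hibernate.sos.credential_store_entry_path"}

@dataclass(frozen=True)
class CsRef:
    entry_path: str
    property_name: str
    file: str
    key_file: str
    password: Optional[str]

    def loggable(self) -> str:
        """What may go to a job log: the reference, never the store password."""
        return f"{self.entry_path}@{self.property_name} from {self.file}"

def resolve(value: str, config: dict) -> Optional[CsRef]:
    """Resolve one property or argument value. Query parameters win; missing parts
    come from config (short syntax); key_file defaults to <store file>.key."""
    if not value.startswith("cs://"):
        return None                           # plain literal, no Credential Store involved
    ref, _, query = value[len("cs://"):].partition("?")
    entry_path, sep, prop = ref.rpartition("@")
    if not sep or not prop:
        raise ValueError(f"cs:// reference without @<property_name>: {value!r}")
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    entry_path = entry_path or config.get(STORE_PROPS["entry_path"], "")
    file = params.get("file") or config.get(STORE_PROPS["file"], "")
    if not entry_path or not file:
        raise ValueError(f"unresolvable reference {value!r}: entry path or file missing")
    key_file = params.get("key_file") or config.get(STORE_PROPS["key_file"])
    if key_file is None:                      # documented default for key_file
        key_file = (file[:-5] if file.endswith(".kdbx") else file) + ".key"
    return CsRef(entry_path, prop, file, key_file,
                 params.get("password") or config.get(STORE_PROPS["password"]))

def resolve_hibernate(config: dict) -> dict:
    """Connection properties of a Hibernate configuration that hold cs:// references."""
    names = ("hibernate.connection.url", "hibernate.connection.username",
             "hibernate.connection.password")
    return {n: r for n in names if (r := resolve(config.get(n, ""), config)) is not None}
```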
Use with Arguments
References to a Credential Store can be directly specified from arguments. This applies to the following JITL Database Jobs:
References to a Credential Store
References to a credential store can be directly specified from arguments.
Full Syntax
The full syntax is used when the complete URI is specified with an argument:
Name | Purpose | Example |
---|---|---|
| JDBC connection string | |
| User name for database access | cs://jobs/oracle/minos.sos@user?file=./config/jobs.kdbx |
| Password for database access | |
Explanation:
- The jobs/oracle/minos.sos value is an example for a path to an entry in the KeePass database that holds the credentials.
- The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The short syntax can be used if arguments are specified with references to the Credential Store location:
Name | Required | Purpose | Example |
---|---|---|---|
| yes | JDBC connection string | |
| yes | User name for database access | cs://jobs/oracle/minos.sos@user |
| yes | Password for database access | cs://jobs/oracle/minos.sos@password |
credential_store_file | yes | Location of the Credential Store database file (*.kdbx) | ./config/jobs.kdbx |
credential_store_key | no | Location of the Credential Store key file (*.key) | ./config/jobs.key |
credential_store_password | no | Password of the Credential Store | secret |
credential_store_entry_path | no | Folder hierarchy and entry name in the Credential Store | /jobs/oracle |
Use with JITL Mail Jobs
Use with Arguments
References to a Credential Store can be directly specified from arguments. This applies to the following JITL Mail Jobs:
References to a Credential Store
References to a credential store can be directly specified from arguments.
Full Syntax
The full syntax is used when the complete URI is specified with an argument, for example:
Name | Purpose | Example |
---|---|---|
| SMTP hostname or IP address | |
| User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user?file=./config/jobs.kdbx |
| Password for SMTP authentication | |
Explanation:
- The jobs/mail/mail.sos-berlin.com value is an example for a path to an entry in the KeePass database that holds the credentials.
- The ./config/jobs.kdbx value is an example for a relative path to the KeePass database that holds the Credential Store.
Short Syntax
The short syntax can be used if arguments are specified with references to the Credential Store location, for example:
Name | Required | Purpose | Example |
---|---|---|---|
| yes | SMTP hostname or IP address | |
| yes | User account for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@user |
| yes | Password for SMTP authentication | cs://jobs/mail/mail.sos-berlin.com@password |
credential_store_file | yes | Location of the Credential Store database file (*.kdbx) | ./config/jobs.kdbx |
credential_store_key | no | Location of the Credential Store key file (*.key) | ./config/jobs.key |
credential_store_password | no | Password of the Credential Store | secret |
credential_store_entry_path | no | Folder hierarchy and entry name in the Credential Store | /jobs/mail |
Use with JITL SAP Jobs
TODO
Use with JITL SSH Jobs
TODO