Uploaded image for project: 'JITL - JobScheduler Integrated Template Library'
  1. JITL - JobScheduler Integrated Template Library
  2. JITL-473

Enable use of a Credential Store for jobs

    XMLWordPrintable

    Details

      Description

      Current Situation

      • Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
      • Such jobs are implemented as simple shell jobs or by use of the API Interface.
      • Users would like to store sensitive information that is used by jobs in a Credential Store similar to YADE.

      Desired Behavior

      • Security Considerations
        • Sensitive information in jobs should not be hard-coded, not be used from parameters and should not be disclosed, e.g. written to log files, therefore the solution does not store sensitive information in parameters.
        • Instead a run-time interface is offered that allows to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
      • Solution Outline
        • Find detailed information from the Using a Credential Store for Jobs
        • Access to the credential store is provided by the Java class SOSKeePassDatabase that can be loaded from shell jobs and from API jobs implemented e.g. for JavaScript, PowerShell etc.
        • The Java class is parameterized with the path that identifies the requested entries from the credential store.
        • This solution can be operated with JobScheduler Master and with Agents.
      • Syntax
        • For Windows and Unix the scripts jobscheduler_credential_value.cmd and jobscheduler_credential_value.sh are provided to invoke the the Java class SOSKeePassDatabase.
        • The syntax includes to specify the Credential Store location (file path), access method (password, key file) and path to the Credential Store property that should be retrieved, e.g. a password.
          • Syntax for Windows
            call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://server/SFTP/homer.sos@password?file=%SCHEDULER_DATA%/config/credential_store.kdbx"
            if ERRORLEVEL 1 exit /b %ERRORLEVEL%...
            
          • Syntax for Unix
            SCHEDULER_CREDENTIAL_VALUE=`"$SCHEDULER_HOME/bin/jobscheduler_credential_value.sh" "cs://server/SFTP/homer.sos@password?file=$SCHEDULER_DATA/config/credential_store.kdbx"`
            RETURNCODE=$?
            ...
            

      Test Instruction

      Test Configuration

      • Open JOE and create a standalone job.
      • In that job add the script :
        @echo on
        call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://database/first/mysql@password?file=C:\database.kdbx&password=123"
        if ERRORLEVEL 1 exit /b %ERRORLEVEL%
        echo %SCHEDULER_CREDENTIAL_VALUE%
        

        where cs://database/first/mysql is the path of entry in Keepass, C:\database.kdbx this is the path where .kdbx file is kept

      Test Execution

      • Login on to the JOC add task to the job created.
      • The log file of the job contains the password of the entry eg. in the above script it shows the password of entry name "mysql"

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                re Robert Ehrlich
                Reporter:
                ap Andreas PĆ¼schel
                Approver:
                Uwe Risse
              • Votes:
                2 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 3 days
                  3d
                  Remaining:
                  Remaining Estimate - 3 days
                  3d
                  Logged:
                  Time Spent - Not Specified
                  Not Specified