- Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
- Such jobs are implemented as simple shell jobs or by use of the API Interface.
- Users would like to store sensitive information that is used by jobs in a Credential Store similar to YADE.
- Security Considerations
- Sensitive information in jobs should not be hard-coded, not be used from parameters and should not be disclosed, e.g. written to log files, therefore the solution does not store sensitive information in parameters.
- Instead a run-time interface is offered that allows to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
- Solution Outline
- Find detailed information from the Using a Credential Store for Jobs
- The Java class is parameterized with the path that identifies the requested entries from the credential store.
- This solution can be operated with JobScheduler Master and with Agents.
- For Windows and Unix the scripts jobscheduler_credential_value.cmd and jobscheduler_credential_value.sh are provided to invoke the the Java class SOSKeePassDatabase.
- The syntax includes to specify the Credential Store location (file path), access method (password, key file) and path to the Credential Store property that should be retrieved, e.g. a password.
- Syntax for Windows
- Syntax for Unix
- Read the article Using a Credential Store for Jobs for better understanding.
- Open JOE and create a standalone job.
- In that job add the script :
where cs://database/first/mysql is the path of entry in Keepass, C:\database.kdbx this is the path where .kdbx file is kept
- Login on to the JOC add task to the job created.
- The log file of the job contains the password of the entry eg. in the above script it shows the password of entry name "mysql"