Details

      Description

      Current Situation

      • Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
      • Such jobs are implemented as simple shell jobs or by use of the API Interface.
      • Users would like to store sensitive information that is used by jobs in a Credential Store similar to YADE.

      Desired Behavior

      • Security Considerations
        • Sensitive information in jobs should not be hard-coded, not be used from parameters and should not be disclosed, e.g. written to log files, therefore the solution does not store sensitive information in parameters.
        • Instead a run-time interface is offered that allows to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
      • Solution Outline
        • Find detailed information from the Using a Credential Store for Jobs
        • Access to the credential store is provided by the Java class SOSKeePassDatabase that can be loaded from shell jobs and from API jobs implemented e.g. for JavaScript, PowerShell etc.
        • The Java class is parameterized with the path that identifies the requested entries from the credential store.
        • This solution can be operated with JobScheduler Master and with Agents.
      • Syntax
        • For Windows and Unix the scripts jobscheduler_credential_value.cmd and jobscheduler_credential_value.sh are provided to invoke the the Java class SOSKeePassDatabase.
        • The syntax includes to specify the Credential Store location (file path), access method (password, key file) and path to the Credential Store property that should be retrieved, e.g. a password.
          • Syntax for Windows
            call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://server/SFTP/homer.sos@password?file=%SCHEDULER_DATA%/config/credential_store.kdbx"
            if ERRORLEVEL 1 exit /b %ERRORLEVEL%...
            
          • Syntax for Unix
            SCHEDULER_CREDENTIAL_VALUE=`"$SCHEDULER_HOME/bin/jobscheduler_credential_value.sh" "cs://server/SFTP/homer.sos@password?file=$SCHEDULER_DATA/config/credential_store.kdbx"`
            RETURNCODE=$?
            ...
            

      Test Instruction

      Test Configuration

      • Open JOE and create a standalone job.
      • In that job add the script :
        @echo on
        call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://database/first/mysql@password?file=C:\database.kdbx&password=123"
        if ERRORLEVEL 1 exit /b %ERRORLEVEL%
        echo %SCHEDULER_CREDENTIAL_VALUE%
        

        where cs://database/first/mysql is the path of entry in Keepass, C:\database.kdbx this is the path where .kdbx file is kept

      Test Execution

      • Login on to the JOC add task to the job created.
      • The log file of the job contains the password of the entry eg. in the above script it shows the password of entry name "mysql"

        Issue Links

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Robert Ehrlich
              Reporter:
              Andreas Püschel
              Approver:
              Uwe Risse
            • Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 3 days
                3d
                Remaining:
                Remaining Estimate - 3 days
                3d
                Logged:
                Time Spent - Not Specified
                Not Specified