JITL - JobScheduler Integrated Template Library / JITL-473

Enable use of a Credential Store for jobs


Details

    Description

      Current Situation

      • Users frequently operate jobs that require credentials, e.g. to access a database, a file transfer SFTP server etc.
      • Such jobs are implemented as simple shell jobs or by use of the API Interface.
      • Users would like to store sensitive information that is used by jobs in a Credential Store similar to YADE.

      Desired Behavior

      • Security Considerations
        • Sensitive information in jobs should not be hard-coded, should not be taken from parameters and should not be disclosed, e.g. by being written to log files. The solution therefore does not store sensitive information in parameters.
        • Instead, a run-time interface is offered that allows jobs to retrieve sensitive information from a credential store. References to credential store entries can safely be stored with parameter values.
      • Solution Outline
        • Detailed information is available in the article "Using a Credential Store for Jobs".
        • Access to the credential store is provided by the Java class SOSKeePassDatabase that can be loaded from shell jobs and from API jobs implemented e.g. for JavaScript, PowerShell etc.
        • The Java class is parameterized with the path that identifies the requested entries from the credential store.
        • This solution can be operated with JobScheduler Master and with Agents.
      • Syntax
        • For Windows and Unix the scripts jobscheduler_credential_value.cmd and jobscheduler_credential_value.sh are provided to invoke the Java class SOSKeePassDatabase.
        • The syntax specifies the Credential Store location (file path), the access method (password, key file) and the path to the Credential Store property that should be retrieved, e.g. a password.
          • Syntax for Windows
            call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://server/SFTP/homer.sos@password?file=%SCHEDULER_DATA%/config/credential_store.kdbx"
            if ERRORLEVEL 1 exit /b %ERRORLEVEL%
            ...
            
          • Syntax for Unix
            SCHEDULER_CREDENTIAL_VALUE=`"$SCHEDULER_HOME/bin/jobscheduler_credential_value.sh" "cs://server/SFTP/homer.sos@password?file=$SCHEDULER_DATA/config/credential_store.kdbx"`
            RETURNCODE=$?
            ...
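
A Unix shell job can wrap the call shown above so that a failed lookup stops the job and the retrieved value stays out of logs and process arguments. This is an added example, not part of JITL or of the original issue; the function names and the consumer script are hypothetical, and it assumes that the script prints the value to stdout and returns a non-zero exit code on failure, as the Unix syntax above implies.

```shell
#!/bin/sh
# Added example, not JITL code. Assumption taken from the Unix syntax above:
# jobscheduler_credential_value.sh prints the value on stdout and returns a
# non-zero exit code on failure. Function names are hypothetical.

# fetch_credential REF -> value on stdout; non-zero return on any failure.
# Diagnostics never echo REF, because a reference may carry "password=".
fetch_credential() {
    ref=$1
    script="$SCHEDULER_HOME/bin/jobscheduler_credential_value.sh"
    case $ref in
        cs://*@*) ;;
        *) echo "fetch_credential: expected cs://<entry>@<property>" >&2; return 2 ;;
    esac
    [ -x "$script" ] || { echo "fetch_credential: script not executable" >&2; return 3; }
    value=$("$script" "$ref") || {
        rc=$?; echo "fetch_credential: lookup failed, rc=$rc" >&2; return "$rc"
    }
    [ -n "$value" ] || { echo "fetch_credential: empty value" >&2; return 4; }
    printf '%s' "$value"
}

# run_with_credential VAR REF CMD...: runs the external program CMD with the
# secret exported as VAR in its environment only, so the value is absent from
# argv, job parameters and xtrace (set -x) output.
run_with_credential() {
    var=$1; ref=$2; shift 2
    case $- in *x*) xtrace=1; set +x ;; *) xtrace=0 ;; esac
    rc=0
    if secret=$(fetch_credential "$ref"); then
        # export is a shell builtin, so the secret never appears in a process argv
        ( export "$var=$secret"; exec "$@" ) || rc=$?
    else
        rc=$?
    fi
    unset secret
    if [ "$xtrace" -eq 1 ]; then set -x; fi
    return "$rc"
}

# Usage in a job script (sftp_upload.sh is a hypothetical consumer):
#   run_with_credential SFTP_PASS \
#     "cs://server/SFTP/homer.sos@password?file=$SCHEDULER_DATA/config/credential_store.kdbx" \
#     ./sftp_upload.sh || exit $?
```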
            

      Test Instruction

      Test Configuration

      • Open JOE and create a standalone job.
      • In that job add the script:
        @echo on
        call "%SCHEDULER_HOME%/bin/jobscheduler_credential_value.cmd" "cs://database/first/mysql@password?file=C:\database.kdbx&password=123"
        if ERRORLEVEL 1 exit /b %ERRORLEVEL%
        echo %SCHEDULER_CREDENTIAL_VALUE%
        

        where cs://database/first/mysql is the path of the entry in KeePass and C:\database.kdbx is the path where the .kdbx file is kept.

      Test Execution

      • Log in to JOC and add a task to the job created.
      • The log file of the job contains the password of the entry, e.g. for the above script it shows the password of the entry named "mysql".

            People

              Robert Ehrlich
              Andreas Püschel
              Uwe Risse
              Votes: 2
              Watchers: 4

                Time Tracking

                  Original Estimate: 3 days
                  Remaining Estimate: 3 days
                  Time Spent: Not Specified