  1. JITL - JobScheduler Integrated Template Library
  2. JITL-740

Allow encrypted argument values for JITL jobs and Job Templates

Details

    • Feature
    • Status: Released
    • Major
    • Resolution: Fixed
    • 2.7.0
    • 2.7.1
    • None

    Description

      Current Situation

      • Release 2.7.0 introduced encryption and decryption for use with Shell Jobs.

      Desired Feature

      • PKI Infrastructure
        • Two scenarios are supported:
          • Each Agent holds one or more unique Private Keys stored with this Agent only.
          • A number of Agents hold one or more shared Private Keys. This is useful for Agent Clusters when jobs can be executed on any Agent in the Subagent Cluster.
        • Certificate Management
          • Certificates for encryption are stored in a new database table as key/value pairs. The Certificate's alias name is the key, the PEM format of the Certificate is the value.
          • A join table is created for the relationship of Agents to Certificates. Each Certificate/alias name is unique. An Agent can reference any number of Certificate alias names. Different Agents can reference the same Certificate/alias name.
        • Web Service
          • A web service is offered to read the list of Certificates or to read a single Certificate by specifying the Certificate's alias name.
      • Job API
        • The Job API is extended to offer new methods
          • to encrypt a string:
            • <string> encrypt( <string> secret, <string> alias )
              • The method is parameterized with the secret and the Certificate's alias name.
              • The method reads the Certificate using JOC Cockpit's REST Web Service.
            • <string> encrypt( <string> secret, <string> certificate )
              • The method is parameterized with the secret and the Certificate in PEM format. It is up to the caller to read the Certificate from a file or other location.
            • The method returns the encrypted asymmetric key, initialization vector and encrypted secret separated by spaces.
          • to decrypt a string:
            • <string> decrypt( <string> encryptedValue, <string> keyFile [, <string> keyPassword] )
              • The method is parameterized with the encrypted value (as returned by encrypt()) and the path to the location of the Private Key file in PEM format. Optionally the key password is specified.
            • <string> decrypt( <string> encryptedValue, <string> keystoreFile [, <string> keyPassword [, <string> storePassword] [, <string> keyAlias] ] )
              • The encrypted secret as returned by encrypt() and the location of a keystore (p12/pfx) is specified. Optionally the key password, store password and alias name can be specified.
      • JITL Job implementation
        • JITL jobs should support the new argument data type "CryptoString" that can hold encrypted values.
        • Existing JITL jobs that make use of secrets
          • Jobs such as SendMailJob, MailInboxJob etc. offer a second argument for encrypted values.
            • For example SendMailJob:
              • existing argument: mail.smtp.password
              • additional argument: mail.smtp.password_enc
          • Users are free to continue use of String arguments for secrets or to use CryptoString arguments.
          • The SetJobResourceJob is extended to encrypt the value stored to a Job Resource.
      • JOC Cockpit GUI
        • Key Management
          • A new page "Encipherment Certificates" is offered. The page allows users to store unique pairs of alias names and Certificates.
          • The "Manage Controllers/Agents" page is extended to allow any number of alias names for Certificates to be stored with an Agent. This applies to use of Standalone Agents and Subagents in an Agent Cluster. It is up to the user to distribute keys. No assumption is made that all Subagents in an Agent Cluster would hold the same Private Key/Certificate.
        • JITL Job Arguments and Job Template Arguments
          • When specifying encrypted values for arguments of jobs, the GUI allows the user
            • to paste the encrypted value from the clipboard. This assumes that a user will have executed the ./js7_encrypt.sh|.cmd script to encrypt some value.
            • to enter the plain text of the secret that will be encrypted by calling the web service for encryption. The argument's input field will store the encrypted value.
            • to select the related Agent's Certificate from a list offered by the GUI. The list holds the Certificates that are referenced by the Agent that is assigned the current job. If no Agent is assigned to the job then all Certificates are displayed. If an Agent Cluster is assigned to the job then all Certificates of all Subagents in the Agent Cluster are displayed.
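
      The encrypt()/decrypt() pair from the Job API item above, sketched in Node.js as an added example (not code from JS7 or from this issue): a one-time AES key encrypts the secret, the recipient's RSA public key encrypts that AES key, and the three fields are joined with spaces. AES-256-GCM, RSA-OAEP with SHA-256, Base64 encoding, the GCM tag appended to the third field, and a bare PEM public key standing in for the Certificate are all assumptions; the page does not specify them.

```javascript
// Added example, not JS7 code: hybrid encryption with a three-field result.
const crypto = require("node:crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const TAG_LEN = 16; // GCM authentication tag, appended to the third field (assumption)

// Stand-in for encrypt(secret, certificate); publicKeyPem replaces the Certificate.
function encrypt(secret, publicKeyPem) {
  const key = crypto.randomBytes(32); // one-time AES-256 key
  const iv = crypto.randomBytes(12);  // fresh 96-bit nonce per call
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(secret, "utf8"), cipher.final(), cipher.getAuthTag()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, key);
  return [wrappedKey, iv, body].map((b) => b.toString("base64")).join(" ");
}

// Stand-in for decrypt(encryptedValue, keyFile [, keyPassword]); takes the PEM text.
function decrypt(encryptedValue, privateKeyPem, keyPassword) {
  const parts = encryptedValue.trim().split(/\s+/);
  if (parts.length !== 3) throw new Error("expected '<key> <iv> <secret>'");
  const [wrappedKey, iv, body] = parts.map((p) => Buffer.from(p, "base64"));
  if (iv.length !== 12 || body.length < TAG_LEN) throw new Error("malformed encrypted value");
  const keyOptions = { key: privateKeyPem, ...OAEP };
  if (keyPassword !== undefined) keyOptions.passphrase = keyPassword;
  const key = crypto.privateDecrypt(keyOptions, wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(body.subarray(body.length - TAG_LEN));
  // final() throws if the ciphertext or tag was modified in transit or at rest.
  return Buffer.concat([
    decipher.update(body.subarray(0, body.length - TAG_LEN)),
    decipher.final(),
  ]).toString("utf8");
}

// Constructed key pair for the demo; a real Private Key stays with the Agent.
function demoKeyPair() {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

const agentKeys = demoKeyPair();
const encryptedValue = encrypt("constructed-smtp-password", agentKeys.publicKey);
console.log(encryptedValue.split(" ").length, decrypt(encryptedValue, agentKeys.privateKey));
```

      Because the AES key and nonce are fresh on every call, encrypting the same secret twice yields different values, and a value encrypted for one Agent's key cannot be decrypted by an Agent holding a different Private Key.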

            People

              Santiago Aucejo Petzoldt
              Andreas Püschel