  1. JOC - JobScheduler Operations Center
  2. JOC-1770

Allow encrypted credentials for Hibernate database connections from JOC Cockpit and JITL Jobs


Details

    Description

      Feature

      • With JS-2127, asymmetric encryption and decryption are made available for shell jobs.
      • Encryption and decryption are similarly made available to Hibernate configuration files ("hibernate.cfg.xml") used to connect to databases from JOC Cockpit and JITL Jobs.
      • Users can encrypt the following configuration items in a Hibernate configuration file:
          <property name="hibernate.connection.password">jobscheduler</property>
          <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
          <property name="hibernate.connection.username">jobscheduler</property>
        
        • Users can encrypt the username, password and URL using the script js7_encrypt.sh | .cmd, see linked article. The script is available with the Agent's ./bin directory and is available for download, see JS7 - Download.
          • Unix:
            • ./bin/js7_encrypt.sh --cert=joc.crt --in="jobscheduler"
              ./bin/js7_encrypt.sh --cert=joc.crt --in="jdbc:mysql://mysql-5-7:3306/jobscheduler200"
              
            • Update the password/username in the hibernate.cfg.xml file from the output of the script.
          • Windows:
            • .\bin\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"
              @echo %JS7_ENCRYPT_VALUE%
              .\bin\js7_encrypt.cmd "--cert=joc.crt" "--in=jdbc:mysql://mysql-5-7:3306/jobscheduler200"
              @echo %JS7_ENCRYPT_VALUE%
              
            • Update the password/username in the hibernate.cfg.xml file from the value of the %JS7_ENCRYPT_VALUE% environment variable AND prefix it with "enc://" so that it can be recognized as an encrypted value.
          • Example for updated hibernate.cfg.xml file
              <property name="hibernate.connection.password">enc://GuiPrBZwUAnytiGw3NZfSvJUTi1NvB+NL4ajPwzzCOOfpOvcYxrj6cnOZP+e5vdtM5y7qeLKQXby+RQSP1Qs7UkMLu80IOOPD8CeKEI0/Ts8OAo15VVki6xqpb8k6EGLBbCduywWq27skZsfmCChgGU4WkLqOC03tglnSROTrvVkPt9uZvPrWQDh5qcbx7hu4nm7A69S5gH0b41TbEUvuye9bPg4m28uGGJ4w4pwgpPi+D7eVXJLWLiGGaBD7smgdk2dVmqSPV9xDmxCoEO896liazHYZ3tTyEltcP5DQLREJ2B7ZAUJY78d1YwZwuQM5QjSEDtdn+9F13kK6akbgA== OFsz8MYEFAnzAjhSatV4Aw== zxLHRkYMmbCNqNRjepqTEQ==</property>
              <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
              <property name="hibernate.connection.username">jobscheduler</property>
            
      • Encryption/decryption can use
        • an individual private key and certificate created by the user, see linked article. This includes use of PEM files and use of keystores.
        • The location of the private key to decrypt is determined as follows:
          • Users can add the following entry to a hibernate.cfg.xml file that points to the location of a private key file:
              <property name="hibernate.sos.decryption_key">/home/sos/joc.key</property>
            
            • Additionally, a password for the private key can be provided if the private key is encrypted with one:
              <property name="hibernate.sos.decryption_keypassword">keypassword</property>
              
            • Either an absolute path or a path relative to JETTY_BASE/resources/joc can be specified.
          • Users can add the following entries to a hibernate.cfg.xml file that point to the location of a keystore file:
              <property name="hibernate.sos.keystore_path">/home/sos/credentials-keystore.p12</property>
              <property name="hibernate.sos.keystore_type">PKCS12</property>
              <property name="hibernate.sos.keystore_password">jobscheduler</property>
              <property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
            
            • Additionally, an alias name for the private key has to be specified if more than one private key is available with the keystore:
                <property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>
              
            • Either an absolute path to the keystore or a path relative to JETTY_BASE/resources/joc can be specified.
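
A check for a deployed hibernate.cfg.xml, added here as an example and not part of JOC Cockpit or the js7_encrypt scripts: it reports which of the three connection items carry a well-formed "enc://" value, whether a private key or keystore location is configured, and which key passwords are stored in the file. The three-field Base64 layout is an assumption read off the example above, and the function names and sample configuration are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

PREFIX = "enc://"
CONNECTION = ("hibernate.connection.username", "hibernate.connection.password",
              "hibernate.connection.url")
KEY_LOCATION = ("hibernate.sos.decryption_key", "hibernate.sos.keystore_path")
KEY_SECRETS = ("hibernate.sos.decryption_keypassword",
               "hibernate.sos.keystore_password",
               "hibernate.sos.keystore_keypassword")

def classify(value):
    """Return 'plaintext', 'encrypted' or 'malformed' for one property value."""
    if not value.startswith(PREFIX):
        return "plaintext"
    fields = value[len(PREFIX):].split(" ")
    # Assumption taken from the page's example: three space-separated Base64 fields.
    if len(fields) != 3 or not all(fields):
        return "malformed"
    try:
        for field in fields:
            base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed"
    return "encrypted"

def audit(xml_text):
    """Summarise encryption status and key references of a Hibernate configuration."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    return {
        "status": {n: classify(props[n]) for n in CONNECTION if n in props},
        # The page locates the private key through one of these two entries.
        "key_configured": any(n in props for n in KEY_LOCATION),
        # Key and keystore passwords that sit in this same file in clear text.
        "clear_secrets": sorted(n for n in KEY_SECRETS if props.get(n)),
    }

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample: the Base64 fields are placeholders, not real ciphertext.
SAMPLE = f"""<hibernate-configuration><session-factory>
<property name="hibernate.connection.password">enc://{_b64(b'constructed-1')} {_b64(b'constructed-2')} {_b64(b'constructed-3')}</property>
<property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
<property name="hibernate.connection.username">jobscheduler</property>
<property name="hibernate.sos.decryption_key">/home/sos/joc.key</property>
<property name="hibernate.sos.decryption_keypassword">keypassword</property>
</session-factory></hibernate-configuration>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry listed under "clear_secrets" means the private key is only as well protected as the configuration file itself, so file permissions on hibernate.cfg.xml and on the key or keystore file matter as much as the encryption.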

            People

              sp Santiago Aucejo Petzoldt
              ap Andreas Püschel