Details
- Feature
- Status: Released
- Minor
- Resolution: Fixed
- 2.0.0
- None
Description
Feature
- With JS-2127, asymmetric encryption and decryption is made available for shell jobs.
- Encryption and decryption are similarly made available to Hibernate configuration files ("hibernate.cfg.xml") used to connect to databases from JOC Cockpit and JITL Jobs.
- Users can encrypt the following configuration items in a Hibernate configuration file:
    <property name="hibernate.connection.password">jobscheduler</property>
    <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
    <property name="hibernate.connection.username">jobscheduler</property>
- Users can encrypt the username, password and URL using the script js7_encrypt.sh | .cmd, see linked article. The script is available in the Agent's ./bin directory and is available for download, see JS7 - Download.
- Unix:
    ./bin/js7_encrypt.sh --cert=joc.crt --in="jobscheduler"
    ./bin/js7_encrypt.sh --cert=joc.crt --in="jdbc:mysql://mysql-5-7:3306/jobscheduler200"
- Update the password/username in the hibernate.cfg.xml file from the output of the script.
- Windows:
    .\bin\js7_encrypt.cmd "--cert=joc.crt" "--in=jobscheduler"
    @echo %JS7_ENCRYPT_VALUE%
    .\bin\js7_encrypt.cmd "--cert=joc.crt" "--in=jdbc:mysql://mysql-5-7:3306/jobscheduler200"
    @echo %JS7_ENCRYPT_VALUE%
- Update the password/username in the hibernate.cfg.xml file from the value of the %JS7_ENCRYPT_VALUE% environment variable AND prefix it with "enc://" so that it can be recognized as an encrypted value.
- Example for an updated hibernate.cfg.xml file:
    <property name="hibernate.connection.password">enc://GuiPrBZwUAnytiGw3NZfSvJUTi1NvB+NL4ajPwzzCOOfpOvcYxrj6cnOZP+e5vdtM5y7qeLKQXby+RQSP1Qs7UkMLu80IOOPD8CeKEI0/Ts8OAo15VVki6xqpb8k6EGLBbCduywWq27skZsfmCChgGU4WkLqOC03tglnSROTrvVkPt9uZvPrWQDh5qcbx7hu4nm7A69S5gH0b41TbEUvuye9bPg4m28uGGJ4w4pwgpPi+D7eVXJLWLiGGaBD7smgdk2dVmqSPV9xDmxCoEO896liazHYZ3tTyEltcP5DQLREJ2B7ZAUJY78d1YwZwuQM5QjSEDtdn+9F13kK6akbgA== OFsz8MYEFAnzAjhSatV4Aw== zxLHRkYMmbCNqNRjepqTEQ==</property>
    <property name="hibernate.connection.url">jdbc:mysql://mysql-5-7:3306/jobscheduler200</property>
    <property name="hibernate.connection.username">jobscheduler</property>
- Encryption/decryption can use
- an individual private key and certificate created by the user, see linked article. This includes use of PEM files and use of keystores.
- The location of the private key to decrypt is determined as follows:
- Users can add the following entry to a hibernate.cfg.xml file that points to the location of a private key file:
    <property name="hibernate.sos.decryption_key">/home/sos/joc.key</property>
- Additionally, a password for the private key can be provided if the private key is encrypted with one:
    <property name="hibernate.sos.decryption_keypassword">keypassword</property>
- The path to the private key can be absolute or relative to JETTY_BASE/resources/joc.
- Users can add the following entries to a hibernate.cfg.xml file that points to the location of a keystore file:
    <property name="hibernate.sos.keystore_path">/home/sos/credentials-keystore.p12</property>
    <property name="hibernate.sos.keystore_type">PKCS12</property>
    <property name="hibernate.sos.keystore_password">jobscheduler</property>
    <property name="hibernate.sos.keystore_keypassword">jobscheduler</property>
- Additionally, an alias name for the private key has to be specified if more than one private key is available with the keystore:
    <property name="hibernate.sos.keystore_keyalias">joc-2-0-primary</property>
- The path to the keystore can be absolute or relative to JETTY_BASE/resources/joc.
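The following audit of a hibernate.cfg.xml file is an added example, not code from JS7 or from this issue. It reports connection items still held in clear text, encrypted output that was pasted without the "enc://" prefix, and key or keystore passwords that sit in the file in clear text. The function name, severity labels, sample values and the three-token shape check (taken from the example value above) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ENC_PREFIX = "enc://"
# Items the issue lists as encryptable.
ENCRYPTABLE = tuple("hibernate.connection." + k for k in ("username", "password", "url"))
# Properties from the issue that hold a secret protecting the private key.
KEY_SECRETS = tuple("hibernate.sos." + k for k in (
    "decryption_keypassword", "keystore_password", "keystore_keypassword"))
# Assumption: script output has the shape of the example value above,
# i.e. three whitespace-separated Base64 tokens.
ENC_SHAPE = re.compile(r"^(?:[A-Za-z0-9+/]+={0,2}\s+){2}[A-Za-z0-9+/]+={0,2}$")


def audit(xml_text):
    """Return a list of (severity, property name, message) findings."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    findings = []
    for name in ENCRYPTABLE:
        value = props.get(name)
        if value is None or value.startswith(ENC_PREFIX):
            continue  # absent, or marked as encrypted
        if ENC_SHAPE.match(value):
            # Without the prefix the value is not recognized as encrypted.
            findings.append(("error", name, "encrypted output without enc:// prefix"))
        else:
            findings.append(("warn", name, "stored in clear text"))
    for name in KEY_SECRETS:
        if props.get(name):
            findings.append(("info", name, "key secret in clear text, restrict file access"))
    return findings


# Constructed sample: encrypted password, clear text user name,
# URL pasted from the script output without the prefix.
SAMPLE = """<hibernate-configuration><session-factory>
<property name="hibernate.connection.password">enc://QUJDRA== RUZHSA== SUpLTA==</property>
<property name="hibernate.connection.username">jobscheduler</property>
<property name="hibernate.connection.url">QUJDRA== RUZHSA== SUpLTA==</property>
<property name="hibernate.sos.decryption_key">/home/sos/joc.key</property>
<property name="hibernate.sos.decryption_keypassword">keypassword</property>
</session-factory></hibernate-configuration>"""

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"{severity:5} {name}: {message}")
```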