JOC - JobScheduler Operations Center
JOC-2007

Manage encrypted credentials for running jobs as different user on Windows


    Description

      Current Situation

      • If a job executed by a JS7 Agent for Windows is to run under a different user account, the Agent reads that account's credentials from the Windows Credential Manager and starts the job for the targeted user account.
      • Users request that JS7 offer a way to manage such credentials without use of the Windows Credential Manager.

      Desired Behavior

      • JOC Cockpit offers management of Windows job credentials from its GUI and API:
      • The JOC Cockpit GUI offers the "Manage Job Credentials" operation from its administrative menu:
        • Users manage Windows job credentials using CRUD operations.
        • The password is encrypted by the GUI using one of the encryption keys, see JS7 - Encryption - Management of Encryption Keys.
        • A reference to the Job Resource holding the encryption key is stored with the job credentials. The encryption key consists of the certificate used to encrypt the password of the job credentials and the path to the private key file that the Agent uses for decryption.
        • The JOC Cockpit inventory allows assigning a job the Job Resource holding the Windows job credentials, as an alternative to specifying the key used with the Windows Credential Manager.
      • Example of a Job Resource
        • User account, password, certificate and path to the private key file are stored as variables in individual Job Resources, see windows-job-credentials-job-resource.png:
          • account: the variable holds the targeted Windows user account.
          • password: the variable holds the targeted account's encrypted password.
          • encipherment_certificate: the variable holds the certificate in PEM format.
          • encipherment_private_key_path: the variable holds the path to the private key file used for decryption.
      • The JOC Cockpit API can be used
        • to manage Windows job credentials (the same functionality as offered by the GUI),
        • with existing interfaces (REST API, Unix Shell, PowerShell) to store encrypted Windows job credentials to Job Resources.
        • This allows, for example, passwords to be rotated in the user's Secret Management System (Active Directory) and the existing interfaces to be used to store the encrypted passwords to JOC Cockpit.

      Implementation for Agents

      • A static class is offered for decryption of Windows job credentials; it is used by the Agent.
      • The Agent passes the encrypted password and the path to the private key file used for decryption.
      • The static class returns the decrypted password.
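The flow described above, as an added example written for this page and not JS7's own code: JS7's actual encrypted-value format, its key management and the Agent's static class are not shown here, and everything below assumes its own layout. NewEncryptionKey stands in for the encryption key management (certificate in PEM, private key in a file), EncryptPassword for the JOC Cockpit side (encrypt with the certificate), and DecryptPassword for the Agent's static decryption class (encrypted value and private key path in, clear text out). The enc: prefix, the hybrid RSA-OAEP/AES-256-GCM layout, the file name job-credentials.key and the sample password are assumptions of this example. Go's standard library is used so that the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// encPrefix marks an encrypted password value; the prefix and the wrappedKey||nonce||ciphertext layout are this example's own choice, not JS7's format.
const encPrefix = "enc:"

// NewEncryptionKey stands in for JS7 key management: it returns a self-signed certificate (encipherment_certificate, PEM) and writes the private key to dir (encipherment_private_key_path).
func NewEncryptionKey(dir string) (certPEM, keyPath string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPath = dir + "/job-credentials.key" // assumed file name; mode 0600 below: this key recovers every stored password, so only the Agent's account may read it
	return certPEM, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}), 0o600)
}

// EncryptPassword is the JOC Cockpit side: a fresh AES-256-GCM key encrypts the password and the certificate's RSA public key wraps that key with OAEP.
func EncryptPassword(certPEM, password string) (string, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("certificate does not carry an RSA key")
	}
	secret := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	rand.Read(secret)             // never returns an error (guaranteed since Go 1.24)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret[:32], nil)
	if err != nil {
		return "", err
	}
	blk, _ := aes.NewCipher(secret[:32]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(blk)
	ct := aead.Seal(nil, secret[32:], []byte(password), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(append(append(wrapped, secret[32:]...), ct...)), nil
}

// DecryptPassword is the Agent side, the role of the static class: encrypted value and private key path in, clear text out; GCM authentication makes a tampered value fail instead of yielding junk.
func DecryptPassword(encrypted, privateKeyPath string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(encrypted, encPrefix))
	if err != nil || !strings.HasPrefix(encrypted, encPrefix) {
		return "", fmt.Errorf("value is not an encrypted password")
	}
	keyPEM, readErr := os.ReadFile(privateKeyPath)
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return "", fmt.Errorf("no PEM RSA private key in %s: %v", privateKeyPath, readErr)
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil || len(raw) < priv.Size()+12 {
		return "", fmt.Errorf("unusable private key or truncated value: %v", err)
	}
	n := priv.Size() // the wrapped AES key is exactly one RSA modulus long
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[:n], nil)
	if err != nil || len(key) != 32 {
		return "", fmt.Errorf("cannot unwrap the AES key: %v", err)
	}
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	pt, err := aead.Open(nil, raw[n:n+12], raw[n+12:], nil)
	if err != nil {
		return "", fmt.Errorf("password authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "js7-job-credentials")
	defer os.RemoveAll(dir)
	certPEM, keyPath, _ := NewEncryptionKey(dir)
	enc, _ := EncryptPassword(certPEM, "S3cret!Example") // constructed sample password
	fmt.Println(DecryptPassword(enc, keyPath))
}
```

Two practitioner caveats follow from the split between certificate and private key file. The certificate can be stored in a Job Resource without harm, but the private key file is the single secret that makes every stored password recoverable; on Windows, Go's file mode only toggles the read-only attribute, so the file's ACL must be restricted to the Agent's service account by other means. Encryption is randomized (fresh key and nonce per call), so two stored values for the same password differ, and a value that is tampered with or decrypted with the wrong key fails outright rather than starting the job with a garbage password.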

      People

        Andreas Püschel