Details
Type: Feature
Status: Released
Priority: Minor
Resolution: Fixed
Version: 2.8.0
Description
Feature
- YADE supports use of KeePass to read credentials (account, password, URL etc.) from a Credential Store.
- In addition to KeePass, encryption of credentials with a public/private key pair should be supported.
Implementation
- Similar to the <CredentialStoreFragment> element, a <DecryptionFragment> XML element is added. A Transfer Fragment references it through a <DecryptionFragmentRef> element.
- The <DecryptionFragment> XML element holds
- the path to the private key file on the Agent that will decrypt the file transfer credentials. The private key must not be protected by a passphrase: a passphrase adds security only when it is supplied from a different medium, for example from a user's memory. In batch mode the passphrase would have to be specified in clear text, which defeats its purpose.
- Decryption is offered for the same elements (account, password, URL etc.) as a Credential Store.
- Encrypted credentials can optionally be stored in a KeePass Credential Store. If both configurations are in place for a given connection, YADE first resolves the value from the <CredentialStoreFragment> configuration and then decrypts it using the <DecryptionFragment> configuration.
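The following is an added example, not YADE code, illustrating the design point above: the GUI side needs only the public key to produce an encrypted value, the Agent side needs only an unprotected private key file, and a passphrase-protected key is refused rather than prompted for. The hybrid scheme (a per-value AES-256-GCM key wrapped with RSA-OAEP/SHA-256), the "enc:" blob layout and all function names are assumptions of this example; the actual YADE format is not documented on this page, and the EC key named in the test instructions (ec_test.key) would use a different wrapping step.

```go
package main

// Added example, not YADE code. Assumed scheme: a fresh AES-256-GCM key encrypts
// each credential and RSA-OAEP/SHA-256 wraps that key under the public key. The
// "enc:<wrapped key>:<nonce>:<ciphertext>" layout and all names are this example's own.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCredential is the GUI side: anyone holding the public key can produce a value.
func EncryptCredential(pub *rsa.PublicKey, plaintext string) (string, error) {
	buf := make([]byte, 32+12) // per-value data key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return "", err
	}
	b64 := base64.StdEncoding.EncodeToString
	return "enc:" + b64(wrapped) + ":" + b64(nonce) + ":" + b64(ct), nil
}

// DecryptCredential is the YADE client side, holding the private key from the DecryptionFragment.
func DecryptCredential(priv *rsa.PrivateKey, blob string) (string, error) {
	parts := strings.Split(blob, ":")
	if len(parts) != 4 || parts[0] != "enc" {
		return "", errors.New("not an encrypted value")
	}
	raw := make([][]byte, 3) // wrapped key, nonce, ciphertext
	for i := range raw {
		d, err := base64.StdEncoding.DecodeString(parts[i+1])
		if err != nil {
			return "", err
		}
		raw[i] = d
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[0], nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, raw[1], raw[2], nil) // fails on any tampering
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LoadUnprotectedPrivateKey parses a PKCS#1 PEM key and refuses a passphrase-protected one
// (PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy "Proc-Type: 4,ENCRYPTED" header): in batch
// mode the passphrase would have to sit in clear text beside the key, so it is rejected.
func LoadUnprotectedPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	blk, _ := pem.Decode(pemBytes)
	if blk == nil {
		return nil, errors.New("no PEM block found")
	}
	if blk.Type == "ENCRYPTED PRIVATE KEY" || blk.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return nil, errors.New("private key is passphrase-protected; batch decryption needs an unprotected key")
	}
	if blk.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("unsupported PEM type %q", blk.Type)
	}
	return x509.ParsePKCS1PrivateKey(blk.Bytes)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	priv, err := LoadUnprotectedPrivateKey(pemKey)
	if err != nil {
		panic(err)
	}
	blob, _ := EncryptCredential(&priv.PublicKey, "s3cret-sftp-password") // constructed sample
	pt, _ := DecryptCredential(priv, blob)
	fmt.Println(blob[:4], pt)
}
```

The practical part is LoadUnprotectedPrivateKey: a key file that carries an encryption header cannot be used unattended without also storing its passphrase in clear text, so the client fails early with a clear message instead of hanging on a prompt. Because the value is authenticated (GCM), a credential that was edited in transit or encrypted for a different key fails with an error rather than decrypting to garbage that is then sent to a server.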
Maintainer Note
- Documentation
- The JOC File Transfer configuration GUI provides documentation for all configuration items.
- For example, the CredentialStoreFragment and DecryptionFragment documentation shows the full list of elements that support the corresponding behavior.
- Additionally, each such element describes the syntax and explains the interaction between the CredentialStore and Decryption.
- Encryption support
- The GUI supports generating encrypted values for the corresponding ProtocolFragments elements.
- Requirement
- In the DecryptionFragment element the attribute encryption_key must be set.
- encryption_key is the name of the Job Resource or Certificate Alias managed under Manage Encryption Keys.
- If the Path to Private Key File is configured in the assigned Job Resource, then DecryptionFragment / EnciphermentPrivateKey is automatically set to this path.
- Limitation
- CredentialStoreFragment
- CSAuthentication / PasswordAuthentication / CSPassword
- This element accepts encrypted values, but the GUI does not generate them for it.
- If an encrypted value is set on CSPassword, it must have been generated with the same certificate that is used for the ProtocolFragments referencing the CredentialStoreFragment.
- Jump Host
- General Rule
- Paths defined in a DecryptionFragment or CredentialStoreFragment must be accessible on the host where the YADE Client that uses them is executed.
- Configuration Scenarios
- JumpFragment + DecryptionFragmentRef
- The connection to the jump host is established from the system where the local YADE Client is executed.
- The referenced DecryptionFragment must therefore specify a path that is accessible on that local system.
- SFTPFragment (as Source/Target using JumpFragmentRef) + DecryptionFragmentRef
- The connection to the Source/Target is established from the jump host where the remote YADE Client is executed.
- The referenced DecryptionFragment must therefore specify a path that is accessible on the jump host.
Test Instructions
- Test encryption feature
- The encryption icon is available in all corresponding places that support decryption.
- Test without CredentialStore
- Configure DecryptionFragments.
- Set encrypted values in all available places (see the DecryptionFragment documentation for the full list).
- Test with all providers.
- Test with a CredentialStore
- Configure CredentialStoreFragments.
- Configure DecryptionFragments.
- Store the encrypted values in the KeePass database and reference the database entries from the corresponding File Transfer elements.
- Special Case: DecryptionFragment / EnciphermentPrivateKey
- Configure the entry in the KeePass database (Advanced) in one of two ways:
- As a string field that contains the path to the private key. Example File Transfer GUI configuration:
- DecryptionFragment/EnciphermentPrivateKey = cs://my_entry@private_key_as_path
- As a file attachment that holds the private key itself. Example File Transfer GUI configuration:
- DecryptionFragment/EnciphermentPrivateKey = cs://my_entry@ec_test.key
- Test with a Jump (JumpFragment)
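The following is an added example, not YADE code, covering two passages above: the cs:// references from the special case in the test instructions (string field holding a path versus file attachment holding the key) and the order stated in the Implementation notes (Credential Store lookup first, decryption afterwards). The reading of cs://<entry>@<name> as an entry title followed by a string-field or attachment name, the in-memory Store stand-in for a KeePass database, and all type and function names are assumptions of this example.

```go
package main

// Added example, not YADE code. The cs://<entry>@<name> reading, the in-memory
// Store (a stand-in for a KeePass database) and all names are assumptions.

import (
	"errors"
	"fmt"
	"strings"
)

// Entry models the parts of a KeePass entry used here: Advanced > String fields
// and Advanced > File attachments.
type Entry struct {
	Strings     map[string]string
	Attachments map[string][]byte
}

// Store maps entry titles to entries (constructed in-memory stand-in).
type Store map[string]Entry

// PrivateKeySource is what EnciphermentPrivateKey resolves to: a path that must be
// readable on the host running the YADE Client, or the key bytes from an attachment.
type PrivateKeySource struct {
	Path  string
	Bytes []byte
}

// ParseCSRef splits "cs://my_entry@private_key_as_path" into ("my_entry", "private_key_as_path").
// The last "@" separates title and name, so a title may itself contain "@" (assumption).
func ParseCSRef(ref string) (title, name string, err error) {
	if !strings.HasPrefix(ref, "cs://") {
		return "", "", errors.New("not a credential store reference: " + ref)
	}
	rest := strings.TrimPrefix(ref, "cs://")
	at := strings.LastIndex(rest, "@")
	if at <= 0 || at == len(rest)-1 {
		return "", "", errors.New("reference needs the form cs://<entry>@<name>: " + ref)
	}
	return rest[:at], rest[at+1:], nil
}

// ResolvePrivateKey handles both KeePass layouts from the test instructions:
// a string field holding the path, or a file attachment holding the key itself.
func (s Store) ResolvePrivateKey(ref string) (PrivateKeySource, error) {
	title, name, err := ParseCSRef(ref)
	if err != nil {
		return PrivateKeySource{}, err
	}
	e, ok := s[title]
	if !ok {
		return PrivateKeySource{}, fmt.Errorf("entry %q not found", title)
	}
	if p, ok := e.Strings[name]; ok {
		return PrivateKeySource{Path: p}, nil
	}
	if b, ok := e.Attachments[name]; ok {
		return PrivateKeySource{Bytes: b}, nil
	}
	return PrivateKeySource{}, fmt.Errorf("entry %q has no string field or attachment %q", title, name)
}

// ResolveValue applies the documented order for an element such as a password: a cs://
// reference is looked up in the store first; the result (or a literal value) is then
// passed to decrypt if it carries the "enc:" marker. decrypt == nil means that no
// DecryptionFragment is configured for the connection.
func (s Store) ResolveValue(raw string, decrypt func(string) (string, error)) (string, error) {
	value := raw
	if strings.HasPrefix(raw, "cs://") {
		title, name, err := ParseCSRef(raw)
		if err != nil {
			return "", err
		}
		v, ok := s[title].Strings[name]
		if !ok {
			return "", fmt.Errorf("no string field %q in entry %q", name, title)
		}
		value = v
	}
	if strings.HasPrefix(value, "enc:") {
		if decrypt == nil {
			return "", errors.New("encrypted value but no DecryptionFragment configured")
		}
		return decrypt(value)
	}
	return value, nil
}

func main() {
	// Constructed sample store: one entry with a path-valued string field, an
	// encrypted password field and a key file attachment (contents are placeholders).
	store := Store{"my_entry": {
		Strings:     map[string]string{"private_key_as_path": "/var/sos/keys/yade.key", "password": "enc:c2FtcGxl"},
		Attachments: map[string][]byte{"ec_test.key": []byte("constructed key bytes")},
	}}
	for _, ref := range []string{"cs://my_entry@private_key_as_path", "cs://my_entry@ec_test.key"} {
		src, err := store.ResolvePrivateKey(ref)
		fmt.Printf("%s -> path=%q attachment=%d bytes err=%v\n", ref, src.Path, len(src.Bytes), err)
	}
	// Stand-in decryptor for the demo; a real one would use the private key resolved above.
	demo := func(v string) (string, error) { return "<decrypted " + v + ">", nil }
	fmt.Println(store.ResolveValue("cs://my_entry@password", demo))
}
```

When the reference resolves to a Path, it is the executing YADE Client that must be able to open it, which is exactly the jump host rule in the Maintainer Note: for a JumpFragment the local client opens it, for an SFTPFragment behind a JumpFragmentRef the client on the jump host does.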