jgetcredential, jtool getcredential
A platform agent tool used to retrieve a Redwood Server credential. You can call it as jgetcredential or jtool getcredential
This tool cannot be used outside job-context because it needs to retrieve either a user password credential from a Redwood login credential, or a private key passphrase from a Redwood passphrase credential, so the -j or -job-context parameter is implied.
It is typically used by other jtool modes, such as jscp, in order to obtain credentials to execute the SSH protocol. But it can also be used by ssh or sudo running in a job, because SSH_ASKPASS and SSH_ASKPASS default to jgetcredential as part of a job environment.
Syntax
jgetcredential [-h|-?|-help] [-l <loglevel>] [-f <logfile>] -j|-job-context [-p|-protocol <protocol>] [<prompt>]
| Argument | Description |
|---|---|
| -h, -?, -help | Show usage and exit. |
-l <loglevel> | Set the logging level. |
-f <logfile> | Log to file instead of stdout/stderr. |
| -j, -job-context | Run the command in job-context (implied) |
| -p, -protocol | Credential protocol (default: passwphrase) |
<prompt> | Prompt |
TLS Arguments
| Argument | Environment Variable | Description |
|---|---|---|
| -tlsv1_3, -tls13 | JCS_SSL_METHOD=tlsv1_3 | Use TLS v1.3 secured connection. |
| -tlsv1_2, -tls12 | JCS_SSL_METHOD=tlsv1_2 | Use TLS v1.2 secured connection. |
| -tlsv1_1, -tls11 | JCS_SSL_METHOD=tlsv1_1 | Use TLS v1.1 or better secured connection. |
| -tlsv1, -tls | JCS_SSL_METHOD=tlsv1 | Use TLS v1.0 or better secured connection (default). |
| -sslv3, -ssl | JCS_SSL_METHOD=sslv3 | Use SSL v3 or better secured connection. |
-cipherlist <text> | JCS_SSL_CIPHERLIST | Set list of available ciphers. |
-passphrase <text> | JCS_SSL_PASSPHRASE | Set passphrase for private key. |
-key <file> | JCS_SSL_KEYPATH | Set private key. |
-cert <file> | JCS_SSL_CERTIFICATE_PATH | Set public certificate. |
-ca <file_path> | JCS_SSL_TRUSTED_CERTIFICATE_FILE | Trusted CA certificates path or file. |
| -[no]verify | JCS_SSL_VERIFY_CERT | (Do not) verify peer (server or client) certificate. |
-verify-names <namelist> | JCS_SSL_VERIFY_SERVER_NAMES, JCS_SSL_VERIFY_CLIENT_NAMES | Verify peer (server or client) certificate hostname against list. |
Example
The following UNIX shell example shows how to retrieve a sudo password from a Redwood Server login credential:
SUDO_ASKPASS=`which jgetcredential`
sudo -A cat /var/log/syslog
The following UNIX shell example shows how to use ssh to retrieve a user password from a Redwood Server login credential:
# For user authentication by username/password we must ensure that
# $JCS_SSH_USER and $JCS_SSH_HOST are setup for the use of jgetcredential;
# you would usually set them on the process and provide defaults there.
# This example uses Bash parameter substitution for illustration purposes.
# SSH_ASKPASS defaults to jcredential in the environment of a running job.
# ssh will use jgetcredential to obtain a user password from the login credential on the Redwood Server.
${JCS_SSH_USER:=<user>} ${JCS_SSH_HOST:=<host>} ssh "#{JCS_SSH_USER}@${JCS_SSH_HOST}" uname
The following UNIX shell example shows how to use ssh to retrieve a private key passphrase from a Redwood Server passphrase credential:
# SSH_ASKPASS defaults to jcredential in the environment of a running job.
# For user authentication by publickey, jgetcredential is called to obtain the passphrase protecting the identity file (private key file).
# It obtains this from a passphrase credential on the Redwood Server.
ssh -i <identity_file> hostname uname
Note that there is a credential of credential protocol passphrase for the Run As User with Endpoint set to the current hostname in this system.