I would like to hand over a webapplication to some people but these people should not allowed to has access to the database with some tools. Using the webapplicaton and in the background the database is ok.
Wildfly has a config with these code:
<xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
<driver>h2</driver>
<xa-datasource-property name="URL">jdbc:h2:mem:test</xa-datasource-property>
<xa-pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>true</prefill>
</xa-pool>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</xa-datasource>
As you can see, there is also the username and password available. How is it possible to exclude / encrypt these, so only the administrator know the password for the database.
The same also for the whole application server - there are also users and password.
How can I do this?
EDIT:
The "customer" will get the whole application inclusive the webserver configuration. (Wilfly and .war - file)
It´s only for saving the software key in the database.
The first time if the "customer" start the web application, he will be prompted so enter the licence key.
After entering the license key a Webservice will be called. The return code is "false" or "true" (is key valid or is key not valid)
My first idea was to store the flag in the database. But if a user has access to the database, he can manipulate this flag on his own.
Is there any other possibility to set a flag for "the software key is valid" instead saving the flag in the database.
Any ideas?
You can use security domain to get over this, there could be some specific changes for Wildfly but for JBoss 7.1.1 here is what you need to do.
Find the location of jboss-logging-3.1.0.GA.jar in your JBoss/Widlfy server. In case of JBoss 7.1.1 it should be something like - modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar
Find the location of picketbox-4.0.7.Final.jar
Check if the picketbox jar has org.picketbox.datasource.security.SecureIdentityLoginModule class.
Run the following command from JBoss server root folder to encrypt your datasource connection password
java -cp modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Get the output text and in the standalone.xml add following security domain under elements:
<security-domain name="encrypted-ds-WASM2" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="WASM2"/>
<module-option name="password" value="89471a19022f8af"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
</login-module>
</authentication>
</security-domain>
Use this security domain in the datasource element as follows:
<datasource jta="false" jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1" enabled="true" use-ccm="false">
<connection-url>jdbc:oracle:thin:#x.x.x.x:1521:xxxx</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<driver>oracle</driver>
<security>
<security-domain>encrypted-ds-WASM2</security-domain>
</security>
<validation>
<validate-on-match>false</validate-on-match>
<background-validation>false</background-validation>
<background-validation-millis>1</background-validation-millis>
</validation>
<statement>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<share-prepared-statements>false</share-prepared-statements>
</statement>
</datasource>
Reference Link: http://middlewaremagic.com/jboss/?p=1026
It is not possible. If the web application has to be able to decrypt the password to use the database, anyone on the server can do the same.
If you want to restrict access, keep the server under your control and let them access it only through a web front end.
(And even if it was possible to usefully encrypt, if they have server access they can trivially copy the database files onto their workstations, or add new user accounts to the database server).
Related
I've received an email from Amazon Web Services regarding certificate rotation. I need to know whether I should make any changes to my EC2 or Web.config to make it support the new database certificate.
Rotating your SSL/TLS certificate: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Updating Applications to Connect to Microsoft SQL Server DB Instances Using New SSL/TLS Certificates: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-sqlserver.html
A sample connection string from the Web.config that I use (sensitive data omitted).
<add name="temp" connectionString="Server=someaddress.us-east-3.rds.amazonaws.com;
Port=3306;Database=somedatabase;Uid=someuserid;Pwd=somepassword" providerName="MySql.Data.MySqlClient" />
All my websites have a similar connection string that connects to the RDS database server.
Is there any change needed to be made to the web.config or the EC2 server to make my websites support the new certificate rotation.
You don't need to make any changes since you are not using SSL certificate to connect to RDS. your website will continue to work as it is now without making any changes to your config. But you can consider using SSL to connect to your RDS in order to improve security in the future.
As long as you aren't using an SSL connection to your database, the certificate won't be used and you can update the certificate without any side effect.
This would have been the case if your connectionString included an sslmode as required:
<add
name="mySql"
providerName="MySql.Data.MySqlClient"
connectionString="...;SslMode=Required;" />
Since this is not the case, you can update your certificate right away.
Yes Web.config needs to changed definitely.The changes required are listed below.There might be additional changes based on the security group and vpc setup you have done.
You need to add SslMode=Required parameter to the connectionString
Also add a parameter SslCa=ca.pem
Download the https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem file from aws.
On one computer I have 2 projects - a client application and another that holds the identity server and identity manager. When I run the client site on this computer everything works. I am able to sign in, register etc. This project was already set up and working.
I made a copy of the projects and put them on another computer. I have set the sites up in IIS and created a self signed certificate.
When I run the client site and attempt to sign in I get the yellow asp.net error page with the message "The remote certificate is invalid according to the validation procedure". When stepping through with the debugger I also see: "The underlying connection was closed: could not establish trust relationship for the ssl/tls secure channel"
I figure the errors have to do with the certificate so in MMC I made sure that the certificates are installed in the trusted root certification authorties folder.
The other thing I did was check the web.config files in the projects.
In the client site I have something like:
<oidcClient clientId="codeclienthere"
clientSecret="secrethere"
signingCertificate="keythatmatches_certificate_hash_here"
issuerName="https://identityurlhere/issuer"
...
Then in the identity server and identity manager web.config files I have something like:
<appSettings>
<add key="owin:AppStartup" value="startup" />
<add key="Issuer" value="identity_url_here/issuer" />
<add key="Thumbprint" value="keythatmatches_certificate_hash" />
<add key="WebClientId" value="codeclienthere"/>
<add key="WebClientSecret" value="secrethere"/>
...
I changed the signing certificate and thumbprint values to match the certificate hash. For the attribute "issuerName" and key "Issuer" I tried leaving it the same, setting it the name of the certificate and prepending "CN=" to the name of the certificate. I am unsure what value should go here. I am also unsure what other things I should check.
The problem here was that there were hidden characters in the thumbprint that I did not notice. I had pasted in a text editor to compare or something and they got removed so when I pasted them back in the config file they did not match as needed.
So I'm trying to set up a connectionstring in ASP.NET to connect to a SQL Server.
I've got the servername and that's the structure I'm currently using.
<add name="CRMSQL" connectionString="Data Source=servername\Instance;Initial Catalog=crm;User ID='CRM';Password='****';Integrated Security=True" providerName="System.Data.SqlClient" />
I know that the username and the password are right and for the Servername I use something like U444324.And as the instance name I use the name which pops up when I execute:
SELECT ##servername
What are possible sources of error?
Replace Integrated Security=True with Persist Security Info=True
Persist Security = true means that the Password used for SQL authentication is not removed from the ConnectionString property of the connection.
When Integrated Security = true is used then the Persist Security is completely irelevant since it only applies to SQL authentication, not to windows/Integrated/SSPI.
Reference : Differance Between Persist Security Info And Integrated Security
Create an empty text file
Change the extension to .udl
Once created, double click on the created file.
You will be presented with a GUI
Follow the steps in Connection tab and click on Test Connection
If successfull, click OK
Then right click on the file and open with note pad
Copy the connection string and replace it with your current one.
I have been using owin oauth bearer tokens for web.api authentication. I had only a single server. I never needed to custom generate a machine key. Right now, I need to move to a web farm behind a load balancer. I dont want my current users' bearer tokens to become invalid when I move to the farm. How do I export an auto generated machine key, and import to to another server?
The configuration file deployed on each server must have the same machine key. Some reference here.
Basically you have to copy this section to the other servers' config file:
<machineKey validationKey="A970D0E3C36AA17C43C5DB225C778B3392BAED4D7089C6AAF76E3D4243E64FD797BD17611868E85D2E4E1C8B6F1FB684B0C8DBA0C39E20284B7FCA73E0927B20" decryptionKey="88274072DD5AC1FB6CED8281B34CDC6E79DD7223243A527D46C09CF6CA58DB68" validation="SHA1" decryption="AES" />
It's always best to use a script to generate your own machine keys.
I'm using Azure Cloud Services, not Web Sites.
I would like to know if storing sensitive data (passwords) in Azure Service Configuration Settings is secure.
I really don't want to implement the 4-part blog series required to encrypt the web.config in Azure Web Roles, so I'm thinking I could just keep my settings in Azure config and then access them through RoleEnvironment.GetConfigurationSettingValue().
These settings are in a config file much like web.config, so my question is whether this config file is just used to build the cloud service and then discarded, or if it stays on disk during the life of the instance (thereby exposing sensitive data to attack).
I like the ability to update these settings at runtime through the Portal and I consider the Portal a secure endpoint, so I'm OK with it. However, if the file stays on disk then it is no more secure than the web.config file IMHO.
We encrypt/decrypt Azure config settings and other content using the domain certificate installed on the web roles. I posted a full example on my blog here: Securing Azure ServiceConfiguration values for Enterprise Deployment.
I created a feature request: http://feedback.azure.com/forums/34192--general-feedback/suggestions/9025255-certificate-based-settings-encryption
This is similar (but more idiomatic, imho) to what Remote Desktop plugin does. Remote Desktop adds:
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="<name-of-user-account>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="<base-64-encrypted-password>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="<certificate-expiration>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="<certificate-thumbprint>" thumbprintAlgorithm="sha1" />
</Certificates>
RDP plugin "knows" Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword value is encrypted will use the certificate Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption to decrypt it.
My feature request is to add attribute named thumbprint to <Setting /> node. Calls to CloudCloudConfigurationManager.GetSetting() would seamlessly decrypt the value using the certificate indicated.
How wonderful that would be...