
We have created the Web API which creates a connection with the Oracle Database like

using (OracleConnection dbconn = new OracleConnection("DATA SOURCE=J;PASSWORD=CM;PERSIST SECURITY INFO=True;USER ID=TR"))

But we want it encrypted when we are publishing to IIS. Do we do that in the web.config file? In the web.config after publishing to the File System from VS, I just see the below code. Do I need to create a new connection string as dbconn, which I gave in the Controller code?

<oracle.manageddataaccess.client>
 <version number="*">
  <dataSources>
    <dataSource alias="SampleDataSource" descriptor="(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=ORCL))) " />
  </dataSources>
</version>
</oracle.manageddataaccess.client>
<connectionStrings>
 <add name="OracleDbContext" providerName="Oracle.ManagedDataAccess.Client" connectionString="User Id=oracle_user;Password=oracle_user_password;Data Source=oracle" />
</connectionStrings>

Creating the application for the first time. Any help is greatly appreciated.

trx
  • I don't understand what you mean by "we want it encrypted"... What do you want encrypted, your API? It looks like you're connecting to localhost for your DB connection. There is nothing to encrypt when connecting to localhost, if that's what you mean. – mituw16 Jul 28 '16 at 17:14
  • Instead of giving the user name and password directly in the web.config, is there any way of securing it? Also, do I have to put a new connection string in the published web.config file? – trx Jul 28 '16 at 17:17
  • It's common practice to store user name / password in plaintext in your web.config (you could encrypt it, but you wouldn't gain much). What you really should be doing, instead of worrying about encrypting something in your web.config, is making sure that your server is hardened and also having your webapp connect via a user of least privilege. – mituw16 Jul 28 '16 at 17:19
  • @mituw16 Thank you. Just for knowledge, how can I encrypt the name and password instead of plain text? – trx Jul 28 '16 at 17:23
  • You would need to first encrypt the username / password using the encryption method of your choice. Next, store the encrypted username / password in your web.config. Next, when you reference that username / password that you stored in your web.config in your `OracleConnection` object, you would need to first decrypt it back to a plain text username / password. **Note**: This is different from hashing, as you need to be able to convert between plain text and the encryption (which is why I said you wouldn't gain much from doing it, as encrypting is not considered safe compared to hashing). – mituw16 Jul 28 '16 at 17:25
  • You can read up on the differences between hashing and encrypting here. http://stackoverflow.com/a/4948393/1729859 – mituw16 Jul 28 '16 at 17:27
  • Do I need to create a new connection string as dbconn with all the username and password in web.config, which is not there when I published from VS? – trx Jul 28 '16 at 17:37
  • Windows actually has a built in mechanism for encrypting this sort of data in a .config file. Search for "DPAPI (Data Protection API)". Note that the password must be encrypted on the machine it will be read on - so you might need to have some sort of installation routine that will do that for you. – RB. Jul 28 '16 at 18:51
  • I tried giving the command different ways but I get the same error message "Configuration file cannot be created for the requested Configuration object": aspnet_regiis -pe "connectionStrings" -app "/E:\Dropbox\NewTestAPI" -prov "RsaProtectedConfigurationProvider", or giving the physical path of the website created in IIS as aspnet_regiis -pe "connectionStrings" -app "/E:\Dropbox\ABC\TestAPI" -prov "RsaProtectedConfigurationProvider". I even tried giving the Site ID as aspnet_regiis -pe "connectionStrings" -app "/E:\Dropbox\ABC\TestAPI" -site "3" -prov "RsaProtectedConfigurationProvider" – trx Jul 29 '16 at 12:34

1 Answer


It's standard practice to encrypt connection strings and many other sections of web.config. The standard way of doing this is using the Aspnet_regiis.exe tool located at %windows%\Microsoft.NET\Framework\<versionNumber>. It's easy to do. Here is a tutorial.

Clint B
  • I am understanding the encryption part. I will encrypt the connection string in the web.config: aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider", and use the connection string in the application. Where exactly will I be decrypting them? – trx Jul 29 '16 at 02:40
  • @trx Decryption will be done automatically by .NET. You will see the decrypted connection string in your application. There are some additional steps to be done when you are deploying to a [web farm](https://msdn.microsoft.com/en-us/library/ms998283.aspx#paght000006_webfarmscenarios). You need to decrypt the connection string only when you are editing the configuration (i.e. the db server changed location, user credentials changed, etc.). In the above-mentioned link there is a guide on how to do that. – pepo Jul 29 '16 at 06:55
  • I keep getting the error saying "Configuration file cannot be created for the requested Configuration object. Failed!" – trx Jul 29 '16 at 11:56
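As an added example (not code from the answer, the asker, or the Oracle/.NET documentation), the same section protection done from code so it can run on the target server during deployment, alongside the controller-side read that gets the plaintext back without any decryption code. It assumes the IIS virtual path /SampleApplication from the comments and the OracleDbContext entry from the web.config shown in the question.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;
using Oracle.ManagedDataAccess.Client;

// Assumed: the site is deployed in IIS at virtual path "/SampleApplication"
// and its web.config contains <add name="OracleDbContext" .../> as in the question.
static class ConfigProtection
{
    // Run once on the server where the config will be read (installer or post-deploy step).
    // Same effect as: aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
    public static void ProtectConnectionStrings(string virtualPath,
                                                string provider = "RsaProtectedConfigurationProvider")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return; // nothing to protect, or already encrypted

        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true; // write the section even if unchanged
        config.Save(ConfigurationSaveMode.Modified);
    }
}

// Controller side: look the connection string up by name instead of hard-coding it.
// The runtime decrypts the protected section transparently; this code never sees ciphertext.
static class Db
{
    public static OracleConnection Open()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["OracleDbContext"];
        if (settings == null)
            throw new ConfigurationErrorsException("connection string 'OracleDbContext' is missing from web.config");

        var conn = new OracleConnection(settings.ConnectionString);
        conn.Open();
        return conn;
    }
}
```

With the command-line tool, -app expects the IIS virtual path (with -site naming the IIS site), while a physical directory such as E:\Dropbox\ABC\TestAPI is passed to -pef instead. RsaProtectedConfigurationProvider keys can be exported for a web farm, whereas DataProtectionConfigurationProvider (DPAPI) ties decryption to the machine, which is the point RB. raised about encrypting on the machine that reads the file.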