Securing Your Connection String in Windows Azure: Part 1
来源:互联网 发布:ag游戏平台源码 编辑:程序博客网 时间:2024/06/08 14:14
One of the challenges you face in running a highly secure SQL Azure environment is too keep your connection string to SQL Azure secure. If you are running Windows Azure you need to provide this connection string to your Windows Azure code, however you might not want to provide the production database password to the development staff creating the Windows Azure package. In this series of blogs posts I will take about how to secure your SQL Azure connection string in the Windows Azure environment.
Scoping the Scenario
Without any security measures your connection string appears in plain text, and includes your login and password to your production database. The goal is to allow the code running on Windows Azure be able to read your connection string, however the developers making the package for Windows Azure deployment should not be able to read it. In order to do that, Windows Azure needs know the “secret” to unlock the connection string; however the developers that are making the package should not. How is this accomplished when they have access to all the files in the package?
Using the Windows Azure Certificate Store
The way that we have a secret that only Windows Azure “knows” is to pre-deploy a certificate to the Windows Azure Certificate Store. This certificate contains the private key of a public/private key pair. Windows Azure then uses this private key to decrypt an encrypted connection string that is deployed in the configuration files of the Windows Azure package. The public key is passed out to anyone needing to encrypt a connection string. Users with the public key can use it to encrypt the connection string, but it doesn’t allow them to read the encrypted connection string.
In this technique there are three different types of users:
- The private key holder (the Windows Azure administrator) a very secure user that generates the private/public key pair, stores the private key backup, and puts the private key in place on Windows Azure. Only he and Windows Azure can decode the connection string.
- The SQL Administrator, he knows the connection string and he uses the public key (gotten from the Windows Azure Administrator) to encoded the connection string. The encoded bytes are giving to the web developers for the web.config.
- Web developers that make the Windows Azure package, they know the public key (everyone has access to it); however they don’t know the connection string nor the private key so they can’t get the SQL password.
Creating a Certificate
The first thing the Windows Azure administrator (private key holder) needs to do is use their local machine to create a certificate. In order to do this they will need Visual Studio 2008 or 2010 installed. The technique that I usually use to create a private/public key pair is with a program called makecert.exe.
Here are the steps to create a self-signed certificate in .pfx format.
- Open a Visual Studio command prompt (Run as administrator), you will find the command prompt in the start menu under Visual Studio tools.
- Execute this command:
makecert -r -pe -n "CN=azureconfig" -sky exchange "azureconfig.cer" -sv "azureconfig.pvk"
- You will be prompted for a password to secure the private key three times. Enter a password of your choice.
- This will generate an azureconfig.cer (the public key certificate) and anazureconfig.pvk (the private key file) file.
- Then enter the following command to create the .pfx file (this format is used to import the private key to Windows Azure). After the–pi switch, enter the password you chose.
pvk2pfx -pvk "azureconfig.pvk" -spc "azureconfig.cer" -pfx "azureconfig.pfx" -pi password-entered-in-previous-step
- You can verify that the certificate has been created by looking in the current directory in the Visual Studio command prompt.
Summary
In part two of the blog series I will show how the Windows Azure Administrator imports the private key (.pfx file) into Windows Azure. Do you have questions, concerns, comments? Post them below and we will try to address them.
- Securing Your Connection String in Windows Azure: Part 1
- Securing Windows Azure with SSL
- Code Quick Start: Capturing diagnostics in your Windows Azure application
- Store Your Database Connection String in Web.Config...
- Sharing Your Computer's Internet Connection in Windows 10
- Securing Your Web Browser
- Securing your Android apps
- Setting Timezone in Windows Azure
- Need in Windows Azure (Updating)
- Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization
- Windows Azure Platform体验(1):Windows Azure
- Windows Azure Platform体验(1):Windows Azure
- 在Azure Website 中配置 Entity Framework Connection String
- Link - Windows Azure - Transfer your account to another one
- 15 steps to launch your own startup in Europe - Part 1
- Safe, Simple Multithreading in Windows Forms, Part 1
- Multitouch Part 1: Getting Started with Multitouch in Windows 7
- What's new in windows server 2012 networking (Part 1)
- 一个js cookie操作类
- ibatis中SqlMapConfig的oracle数据库配置
- glib源码学习
- for循环的基础面试,确定能答对??
- 水利行业相关资料
- Securing Your Connection String in Windows Azure: Part 1
- cursor
- atoi函数实现
- 2012C++程序设计实验报告【9.2】
- 在Qt Creator中使用Opencv 2.3
- 李践版 绩效能力日志
- Oracle ROWID 方式访问数据库
- Spring 3.0 AOP学习
- IOS App资源路径