Applies To:
RSA Product Set: Archer
RSA Product/Service Type: Archer
Issue: RSA Archer integration code often makes use of .NET configuration files. Web applications use a web.config file, and desktop applications use an app.config file, which the build renames to YourAppName.exe.config when the application is compiled. In each of these cases, it may be necessary to add sensitive information to the config file in order for the application to function properly. Maintaining the security of this information may require the encryption of one or more sections within the file. Microsoft provides a utility for this purpose called aspnet_regiis.exe. This utility is part of the .NET framework and is found by default at a location similar to the following: C:\Windows\Microsoft.NET\Framework\v4.0.30319. Although this utility is designed for use with web.config files, app.config files share the same format and can also be encrypted with a little bit of additional preparation.
To encrypt sections of a web.config, you only need to run the aspnet_regiis command. To encrypt sections of an app.config, you’ll need to:
For example, if I were working with an integration utility called Integration.Console.exe, it would have an app.config called Integration.Console.exe.config. I would have to rename this file to web.config and run the following command:
aspnet_regiis -pef "appSettings" "C:\Dev\Integration.Console\bin\Debug" -prov "DataProtectionConfigurationProvider"
The parameters being used in this call can be clarified with some additional detail: -pef encrypts the named configuration section (here appSettings) in the web.config found in the directory given as the physical path, and -prov selects the protected-configuration provider that performs the encryption.
After running this command, if I were to open the web.config file in Notepad++ and visually inspect it, I would see that the contents of the appSettings section are encrypted. This is an example of what an encrypted appSettings section might look like:
Note that the XML for the configuration section is still human-readable, but the configuration values for that section are now encapsulated inside the <CipherValue> node and are no longer human-readable.
To decrypt the section again (for example, before updating one of its values), run the matching -pdf command against the same directory:
aspnet_regiis -pdf "appSettings" "C:\Dev\Integration.Console\bin\Debug"
In order to use aspnet_regiis, you will need to open a command prompt and navigate to a location where it is in your execution path. If you have Visual Studio installed, you can do this easily by opening the Developer Command Prompt from the VS Tools menu in the Visual Studio program group under the start menu. If you’re on a machine that doesn’t have Visual Studio installed, you’ll need to navigate to your .NET framework folder. A typical installation will be in a path similar to C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe.
Once you’re in a location that has aspnet_regiis.exe in its execution path, you’ll be ready to issue the commands outlined above.
The encryption provider used in this example (DataProtectionConfigurationProvider) will use keys from the machine store, so the user running the application with the encrypted config file does NOT have to be the same user that encrypted it. If you want to use a key from the user store, you will need to make a few additional configuration changes, and the user running the application with the encrypted config file DOES have to be the same user that encrypted it. This article on How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI contains the details.
In both cases, you would need to edit the values of frameworkPath and originalPath to point to values appropriate for your environment. After that change, you can encrypt and decrypt your config files with a click of the mouse!
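A batch file of the kind the article refers to, written here as an added example rather than taken from the article: it renames the app.config to web.config, runs aspnet_regiis against the appSettings section, restores the file name even if the tool fails, and checks for the CipherValue node afterwards. The config file name Integration.Console.exe.config and the encrypt/decrypt argument are assumptions; frameworkPath and originalPath must be edited for your environment.

```batch
@echo off
setlocal
rem Added example (not from the article): encrypt or decrypt the appSettings
rem section of an app.config with aspnet_regiis. Assumed config name and
rem usage:  ProtectConfig.cmd encrypt | decrypt
set "frameworkPath=C:\Windows\Microsoft.NET\Framework\v4.0.30319"
set "originalPath=C:\Dev\Integration.Console\bin\Debug"
set "configName=Integration.Console.exe.config"
set "sectionName=appSettings"
set "provider=DataProtectionConfigurationProvider"

if /i "%~1"=="encrypt" goto run
if /i "%~1"=="decrypt" goto run
echo Usage: %~nx0 encrypt ^| decrypt
exit /b 2

:run
if not exist "%originalPath%\%configName%" (
    echo Config file not found: %originalPath%\%configName%
    exit /b 1
)
rem Refuse to clobber a real web.config that happens to live in the same folder.
if exist "%originalPath%\web.config" (
    echo web.config already exists in %originalPath%; not overwriting it.
    exit /b 1
)
rem aspnet_regiis only looks for web.config, so temporarily rename the app.config.
ren "%originalPath%\%configName%" web.config
if /i "%~1"=="encrypt" (
    "%frameworkPath%\aspnet_regiis.exe" -pef "%sectionName%" "%originalPath%" -prov "%provider%"
) else (
    "%frameworkPath%\aspnet_regiis.exe" -pdf "%sectionName%" "%originalPath%"
)
set "rc=%errorlevel%"
rem Always restore the original file name, even if aspnet_regiis failed.
ren "%originalPath%\web.config" "%configName%"
if not "%rc%"=="0" (
    echo aspnet_regiis failed with exit code %rc%
    exit /b %rc%
)
rem Sanity check: an encrypted section contains a CipherValue node.
findstr /c:"CipherValue" "%originalPath%\%configName%" >nul
if /i "%~1"=="encrypt" (
    if errorlevel 1 echo WARNING: no CipherValue found; section may not be encrypted.
) else (
    if not errorlevel 1 echo WARNING: CipherValue still present; section may not be decrypted.
)
endlocal & exit /b %rc%
```

Run it from an elevated prompt only if the provider or key store you use requires it; the machine-store DPAPI provider used here does not need the encrypting user to match the user running the application.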
In this declaration, MyAssembly will be the name of the .dll containing the custom handler class. MyCustomSection.MyCustomSectionHandler is the fully qualified class name of the handler. If I wanted to encrypt the corresponding config section, I would need to copy MyAssembly.dll to a location where it is in the path for aspnet_regiis. The .NET framework folder will meet this need, but in order to copy a file to that location, you will need to have administrative privileges.
Resolution: Your config file will contain (encrypted) cipher data representing the values you want to secure. .NET can decrypt these values at runtime, so the application can run normally with this encrypted configuration file. Batch files are in place to decrypt the settings should you ever need to update their values.