#1792 closed defect (fixed)
RFC-18: Encryption of database connection passwords in mapfiles
Reported by: | dmorissette | Owned by: | dmorissette |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | MapServer C Library | Version: | 4.8 |
Severity: | normal | Keywords: | |
Cc: | mapserver@… |
Description
This bug is to track the implementation of RFC-18 in MapServer 4.9. From the RFC: ------------------------ Overview -------- This proposal provides a mechanism to protect database connection passwords used inside mapfiles by encrypting them instead of including them in plain text. Technical Solution ------------------ MapServer will be extended to allow the use of encrypted passwords as part of the CONNECTION string for the following layer types: * Oracle Spatial * PostGIS * ESRI SDE * OGR The Tiny Encryption Algorithm (TEA) at http://www.simonshepherd.supanet.com/tea.htm will be used for the encryption/decryption functions. ------------------------ See the RFC at http://mapserver.gis.umn.edu/development/rfc/ms-rfc-18 for full details.
Attachments (2)
Change History (6)
by , 18 years ago
Attachment: | source.htm added |
---|
comment:2 by , 18 years ago
Cc: | added |
---|
comment:3 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Done. This was implemented and committed to 4.9 CVS earlier in June. The bulk of the implementation is in the new file mapcrypto.c and the new command-line utility msencrypt.c. The driver-specific files only needed very minor changes to add a call to decrypt the connection string before using it. The changes to mapogr.cpp and maporaclaspatial.c was committed to CVS back in June, they have both been well tested and haven't shown any side-effects. Support for encryption in mapsde.c and mappostgis.c was also implemented at the time but not committed to CVS since I had no way to test. I have committed those two files a few minutes ago.
comment:4 by , 18 years ago
I just added docs for the msencrypt utility in the "Utility Programs" manual on the Mapserver website: http://mapserver.gis.umn.edu/docs/reference/utilityreference/msencrypt We also need to add something in the user documentation explaining how this works. Here are some basic usage steps, there won't be much more to add in the final docs really, perhaps just an intro and a couple of additional examples. -------------------------- 1- Create an encryption key using the new msencrypt command-line utility: msencrypt -keygen /path/to/mykey.txt 2- Set MS_ENCRYPTION_KEY in your mapfile (or in an env. var.) to point to the encryption key: CONFIG MS_ENCRYPTION_KEY "/path/to/mykey.txt" 3- Encrypt portions or full connection strings using msencrypt: msencrypt -key /path/to/mykey.txt <string_to_encrypt> 4- Embed the encrypted strings in a CONNECTION string in the mapfile: CONNECTIONTYPE ORACLESPATIAL CONNECTION "user/{MIIBugIBAAKBgQCP0Yj+Seh8==}@service" --------------------------
Note:
See TracTickets
for help on using tickets.