#1792 closed defect (fixed)
RFC-18: Encryption of database connection passwords in mapfiles
| Reported by: | dmorissette | Owned by: | dmorissette |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | MapServer C Library | Version: | 4.8 |
| Severity: | normal | Keywords: | |
| Cc: | mapserver@… |
Description
This bug is to track the implementation of RFC-18 in MapServer 4.9. From the RFC:
------------------------
Overview
--------
This proposal provides a mechanism to protect database connection passwords used
inside mapfiles by encrypting them instead of including them in plain text.
Technical Solution
------------------
MapServer will be extended to allow the use of encrypted passwords as part of
the CONNECTION string for the following layer types:
* Oracle Spatial
* PostGIS
* ESRI SDE
* OGR
The Tiny Encryption Algorithm (TEA) at
http://www.simonshepherd.supanet.com/tea.htm will be used for the
encryption/decryption functions.
------------------------
See the RFC at http://mapserver.gis.umn.edu/development/rfc/ms-rfc-18 for full
details.
Attachments (2)
Change History (6)
by , 18 years ago
| Attachment: | source.htm added |
|---|
comment:2 by , 18 years ago
| Cc: | added |
|---|
comment:3 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Done. This was implemented and committed to 4.9 CVS earlier in June. The bulk of the implementation is in the new file mapcrypto.c and the new command-line utility msencrypt.c. The driver-specific files only needed very minor changes to add a call to decrypt the connection string before using it. The changes to mapogr.cpp and maporaclaspatial.c was committed to CVS back in June, they have both been well tested and haven't shown any side-effects. Support for encryption in mapsde.c and mappostgis.c was also implemented at the time but not committed to CVS since I had no way to test. I have committed those two files a few minutes ago.
comment:4 by , 18 years ago
I just added docs for the msencrypt utility in the "Utility Programs" manual on
the Mapserver website:
http://mapserver.gis.umn.edu/docs/reference/utilityreference/msencrypt
We also need to add something in the user documentation explaining how this
works. Here are some basic usage steps, there won't be much more to add in the
final docs really, perhaps just an intro and a couple of additional examples.
--------------------------
1- Create an encryption key using the new msencrypt command-line utility:
msencrypt -keygen /path/to/mykey.txt
2- Set MS_ENCRYPTION_KEY in your mapfile (or in an env. var.) to point to the
encryption key:
CONFIG MS_ENCRYPTION_KEY "/path/to/mykey.txt"
3- Encrypt portions or full connection strings using msencrypt:
msencrypt -key /path/to/mykey.txt <string_to_encrypt>
4- Embed the encrypted strings in a CONNECTION string in the mapfile:
CONNECTIONTYPE ORACLESPATIAL
CONNECTION "user/{MIIBugIBAAKBgQCP0Yj+Seh8==}@service"
--------------------------
Note:
See TracTickets
for help on using tickets.
