Clear text passwords and Oracle - arrrrrrgh - please help!


  1. #1

    Clear text passwords and Oracle - arrrrrrgh - please help!

    Hi,

    I am working on a mobile application that consists of a number of handheld
    scanners, an Xml Web service and an Oracle 9i database in a highly secure
    environment. The .Net Compact Framework application running on the scanners
    executes Web service methods, which in turn execute Oracle database
    functions. The Web service and the Oracle database are running on separate
    servers. The Web service uses the Microsoft OLE DB driver for Oracle.

    The Web.config file contains a connection string in the <Appsettings>
    section that includes the Oracle username and password. The application
    simply reads this connection string and uses it internally to create a
    connection object. The idea is that we can't afford to expose these
    credentials in the connection string, because the firewall is reporting a
    security violation when the application runs.

    I am wondering what the best alternative is, if any. Preventing the username
    and password travelling down the wire from the Web server to the Oracle
    server is the main requirement, and preferably the DBA will have the option
    of changing the Oracle account details (ie a different username and
    password) at any time, therefore it would be preferable not to have the
    ASP.Net worker process (ASPNET) as the Oracle user. I'm assuming that this
    means that they want SQL Authentication and it therefore rules out Windows
    Authentication. Please let me know if I *can* still use Windows
    Authentication under these circumstances.

    I have played with the idea of using Impersonation but I understand that it
    cannot be used if the Oracle server is on a separate box to the Web server
    and also that connection pooling will be affected, which we can't afford.

    Can anyone please let me know if I can use either Windows Authentication or
    a Trusted Connection to provide a solution in these circumstances, or
    anything else!

    If I can use Windows Authentication with a Web.config entry <authentication
    mode="Windows" >, how can I allow the DBA to change the username/password,
    if indeed I can have a user other than ASPNET, without having a major impact
    on the system?

    If I can use a Trusted connection with a connection string something like
    "Data Source=MyOracleDB;Integrated Security=yes;" where do I specify the
    Oracle username/password?

    Preferably there will be no need for a code change if the DBA decides to
    change the Oracle username.

    Are there any alternatives, such as encryption, programmatic security or
    other forms of authentication?

    Please help, I am getting desperate! Many thanks.

    DJ



    John Smith Guest

  3. #2

    RE: Clear text passwords and Oracle - arrrrrrgh - please help!

    I've been looking into this also. What you need to do is use Impersonation.
    This allows a Web Service to run as a specific user. Set this user up with
    an OS Authenticated account (ops$ in old language). In the web config file you
    put the username/password to impersonate, but to avoid the same cleartext
    problem you do something like this:

    <identity impersonate="true" userName="encrypted in the registry..."
    password="pointing at an encrypted password in the registry..." />

    In fact, check out this article:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

    Regards

    Rob J

    RobJUK66 Guest
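
An added example, not part of either post: a small audit that flags the two places this thread discusses where a Web.config can hold credentials in clear text, namely a connection string under `<appSettings>` and literal `userName`/`password` values on `<identity>`. Both sample files are constructed; the account names, the `ExampleApp` registry key path and the `audit_web_config` function name are assumptions, and the `registry:` reference form is the one used by the linked KB article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: cleartext Oracle credentials in <appSettings> and a
# literal impersonation identity (all names and values are made up).
SAMPLE_WEAK = r"""<configuration>
  <appSettings>
    <add key="OraConn" value="Data Source=MyOracleDB;User ID=scanner_app;Password=example-only" />
    <add key="PageSize" value="50" />
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="EXAMPLE\svc_scanner" password="example-only" />
  </system.web>
</configuration>"""

# Constructed sample: the same file with the secrets moved out of it.
# The registry key path is a placeholder, not a value from the thread.
SAMPLE_HARDENED = r"""<configuration>
  <appSettings>
    <add key="OraConn" value="Data Source=MyOracleDB;Integrated Security=yes;" />
  </appSettings>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\ExampleApp\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>"""

# A "Password=" or "Pwd=" field with a non-empty value inside a connection string.
PASSWORD_FIELD = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*[^;\s]", re.I)

def audit_web_config(xml_text):
    """Return (section, name, problem) tuples; secret values are never echoed."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.findall("./appSettings/add"):
        if PASSWORD_FIELD.search(add.get("value", "")):
            findings.append(("appSettings", add.get("key"),
                             "cleartext password in connection string"))
    for ident in root.iter("identity"):
        for attr in ("userName", "password"):
            val = ident.get(attr)
            if val and not val.lower().startswith("registry:"):
                findings.append(("identity", attr,
                                 "literal credential, not a registry: reference"))
    return findings
```

The audit covers only what is stored in the file at rest; it says nothing about what the database driver sends to the Oracle server.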
