Encryption of Oracle connection passwords in mapfiles
Stephen Woodbridge
woodbri at SWOODBRIDGE.COM
Fri Mar 17 14:21:45 EST 2006
Another alternative would be to have Apache set the credentials into
environment variables for the mapserver process, and then have mapserver
check for the existence of the environment variables and if they exist
then they would override any values that might be in the mapfile.

I guess this doesn't work too well if every mapfile needs different
credentials. I guess this could be worked around with substitution
strings like:

    @ORA_USER_1@ @ORA_PASS_1@
    @ORA_USER_2@ @ORA_PASS_2@
    etc.

I used '@' to refer to the environment instead of '%' that refers to the
CGI parameters. The actual strings between the @...@ could be anything
unique in the environment and mod_env in Apache would handle setting the
values.

-Steve W.

Daniel Morissette wrote:
> We have a need to encrypt (or protect somehow) the Oracle connection
> passwords in map files to avoid having them as plain text. I will look
> into this some more and write a RFC, but before getting too far I wanted
> to gather feedback, in case anyone already had their own ideas on this.
>
> What I'm thinking of doing is creating a utility to encrypt a password,
> that the developer would then copy/paste into the connection string in
> the mapfile, possibly with some special delimiter to indicate that it's
> encrypted. MapServer would decrypt the password internally and use the
> decrypted password for the connection.
>
> Unfortunately this requires the use of reversible encryption which is
> not really that safe, especially when the decryption function is open
> source, but at least makes it harder to figure the password than just
> using plain text.
>
> I would also like to set up a mechanism that will work for all other DB
> CONNECTIONs so I am interested in comments from all the DB connection
> maintainers.
>
> Daniel