Encryption of Oracle connection passwords in mapfiles

Fernando Simon fsimon at UNIVALI.BR
Fri Mar 17 15:05:37 EST 2006 

Hi all,
    It's a good idea store a encrypted password for Oracle, but I
believe that this feature can be used for all databases (PostGIS,
Oracle, SDE, Mysql).
    The point that Steve wrote can be a problem because many times we
use more that one database in a single mapfile. The actual approach
that I use (Oracle and PostGIS) is create a specific user that just
have select grant and use it in my mapfile connecion.
    Best regrads.

Fernando Simon


Citando Stephen Woodbridge <woodbri at SWOODBRIDGE.COM>:

> Another alternative would be to have apache set the credentials
> into 
> environment variables for the mapserver process, and then have
> mapserver 
> check for the existence of the environment variables and if they
> exist 
> then they would override any values that might be in the mapfile.
> 
> I guess this doesn't work too well if every mapfile needs different
> 
> credentials. I guess this could be worked around with substitution
> 
> strings like:
> 
> @ORA_USER_1@  @ORA_PASS_1@
> @ORA_USER_2@  @OAR_PASS_2@
> etc
> 
> I used '@' to refer to the environment instead of '%' that refers
> to the 
>   CGI parameters. The actual strings between the @...@ could be
> anything 
> unique in the environment and mod_env in apache would handle
> setting the 
> values.
> 
> -Steve W.
> 
> Daniel Morissette wrote:
> > We have a need to encrypt (or protect somehow) the Oracle
> connection 
> > passwords in map files to avoid having them as plain text. I will
> look 
> > into this some more and write a RFC, but before getting too far I
> wanted 
> > to gather feedback, in case anyone already had their own ideas on
> this.
> > 
> > What I'm thinking of doing is creating a utility to encrypt a
> password, 
> > that the developer would then copy/paste into the connection
> string in 
> > the mapfile, possibly with some special delimiter to indicate
> that it's 
> > encrypted. MapServer would decrypt the password internally and
> use the 
> > decrypted password for the connection.
> > 
> > Unfortunately this requires the use of reversible encryption
> which is 
> > not really that safe, especially when the decryption function is
> open 
> > source, but at least makes it harder to figure the password than
> just 
> > using plain text.
> > 
> > I would also like to setup a mechanism that will work for all
> other DB 
> > CONNECTIONs so I am interested in comments from all the DB
> connection 
> > maintainers.
> > 
> > Daniel
> 




-------------------------------------------------
  Univali - Webmail - http://webmail.univali.br

More information about the mapserver-dev mailing list