MongoDB – Sitecore Configuration Encryption (Connectionstrings.config)

This post shows how to harden your configuration, mainly connectionstrings.config, but it applies equally to any other configuration file that holds application credentials, usernames, passwords, secret keys or other confidential information.

Before proceeding, make sure you have completed one of the following posts in the MongoDB hardening series.

  1. How to create and configure authentication for a MongoDB standalone replica set.
  2. How to enable internal authentication for your MongoDB replica set and disable bypassing authentication via the localhost exception.

We will use the MongoDB user account created in the previous post to authenticate to the collection databases: analytics, tracking_live, tracking_history and tracking_contact.

The post covers both topologies, each on dedicated servers:

  • For SIT, a standalone replica set (1 server)
  • For UAT & PROD, a replica set with dedicated servers for its members (3 servers)

Update Connectionstrings.config

Let’s get started. Open your connectionstrings.config; in this case it is located under the D:\Instances\mongodb-series\Website\App_Config folder.

For SIT:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

From:

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To: 

<add name="analytics" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

Note: Please make sure you update the host name, username (scdbreadwrite) and password (abcd4321) for every environment.

Important: In a CD environment, connectionstrings.config contains only the analytics, tracking_live and tracking_contact collection databases.

For UAT & PROD:

Replace the MONGODB_SERVER_IP_ADDRESS placeholder with your MongoDB server IP address.

From:

<add name="analytics" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/analytics" />

<add name="tracking.live" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />

<add name="tracking.history" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_history" />

<add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />

To: 

<add name="analytics" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/analytics?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.live" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_live?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.history" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_history?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

<add name="tracking.contact" connectionString="mongodb://USERNAME:PASSWORD@MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017,MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017/tracking_contact?connect=replicaset&amp;replicaSet=rs0&amp;readPreference=primaryPreferred"/>

Note: If your MongoDB servers have an alias (DNS name), you can use that instead of the IP address. Please make sure you update the host names, USERNAME (scdbreadwrite) and PASSWORD (abcd4321) for every environment.

  • Replace MONGODB_PRIMARY_SERVER_IP_ADDRESS with your MongoDB primary server.
  • Replace MONGODB_SECONDARY_SERVER_IP_ADDRESS with your MongoDB secondary server.

Important: In a CD environment, connectionstrings.config contains only the analytics, tracking_live and tracking_contact collection databases.

Warning: In XML, a bare & is not an acceptable character inside an attribute value, hence we use its encoded form &amp; instead; the XML parser turns it back into & before the driver sees the connection string. The readPreference parameter makes the application read from the primary under normal circumstances but allows stale reads from secondaries when the primary is unavailable. This gives your application a “read-only mode” during a failover. See the MongoDB official documentation for details.
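The connection strings above are edited by hand. As an added example (not code from the original post), the script below builds the same four entries from one set of inputs and shows two details the manual edit hides: the username and password must be percent-encoded before they go into the URI, otherwise a password containing ':', '@', '/' or '%' is misparsed as part of the host list, and serialising through an XML library produces the &amp; encoding automatically and decodes it again on read-back. The host placeholders, option list and CD-role filter are taken from the post; the password with special characters in the usage is a constructed sample.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Placeholders from the post: substitute your own hosts and replica set name.
REPLICA_SET_HOSTS = ["MONGODB_PRIMARY_SERVER_IP_ADDRESS:27017",
                     "MONGODB_SECONDARY_SERVER_IP_ADDRESS:27017"]
REPLICA_SET_OPTIONS = "connect=replicaset&replicaSet=rs0&readPreference=primaryPreferred"

# Sitecore connection names mapped to the MongoDB database each one points at.
DATABASES = {
    "analytics": "analytics",
    "tracking.live": "tracking_live",
    "tracking.history": "tracking_history",
    "tracking.contact": "tracking_contact",
}
# CD servers carry no tracking.history entry (see the note in the post).
CD_ONLY_NAMES = ("analytics", "tracking.live", "tracking.contact")


def build_connection_string(username, password, hosts, database, options=None):
    """Return a mongodb:// URI for one database.

    Username and password are percent-encoded (RFC 3986 userinfo) so a password
    containing ':', '@', '/' or '%' cannot be misread as part of the host list."""
    userinfo = quote(username, safe="") + ":" + quote(password, safe="")
    uri = "mongodb://%s@%s/%s" % (userinfo, ",".join(hosts), database)
    if options:
        uri += "?" + options
    return uri


def build_connection_strings_section(username, password, hosts, options=None, cd_role=False):
    """Serialise a <connectionStrings> element. ElementTree escapes the '&' in
    the option list to '&amp;', which is the encoding the post asks for."""
    root = ET.Element("connectionStrings")
    for name, database in DATABASES.items():
        if cd_role and name not in CD_ONLY_NAMES:
            continue
        ET.SubElement(root, "add", name=name,
                      connectionString=build_connection_string(username, password,
                                                               hosts, database, options))
    return ET.tostring(root, encoding="unicode")


def parse_connection_strings(xml_text):
    """Read a <connectionStrings> section back into {name: connectionString}.
    The parser turns '&amp;' back into '&', so the driver sees a plain URI."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): add.get("connectionString") for add in root.findall("add")}


if __name__ == "__main__":
    # Constructed sample password with URI-reserved characters.
    section = build_connection_strings_section("scdbreadwrite", "p@ss:w/rd",
                                               REPLICA_SET_HOSTS, REPLICA_SET_OPTIONS)
    print(section)
    for name, uri in parse_connection_strings(section).items():
        print(name, "->", uri)
```

Paste the printed `<add>` elements into connectionstrings.config, or compare them against what you edited by hand; the read-back loop confirms that the `&amp;` in the file arrives at the driver as a plain `&`.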

Encryption

  • Create a file named var.aspx, open it and paste this code inside.

<%@ Page Language="C#" %>
<%-- Lists every IIS server variable; look for INSTANCE_META_PATH to read the site id. --%>
<% foreach (string var in Request.ServerVariables) { Response.Write(Server.HtmlEncode(var + " " + Request.ServerVariables[var]) + "<br />"); } %>

  • Drop var.aspx in your website root so it can be accessed like this: http://YOUR_WEBSITE/var.aspx. Delete the file again once you have the value you need, since it dumps every server variable to anyone who can reach the page (the same id is also shown in the ID column of the Sites list in IIS Manager).
  • Once the page is rendered, look for ‘INSTANCE_META_PATH /LM/W3SVC/2’.
    • Remember the integer, in this case 2. This integer is the IIS website id.
  • Open the Windows command prompt as administrator.
  • Replace "2" in the command below with your own IIS website id, paste it into the command prompt, and hit Enter.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pe "connectionStrings" -site "2" -app "/"  -prov "RsaProtectedConfigurationProvider"

Note: You will see a success message once the section has been encrypted.

  • To verify, open connectionstrings.config: the <connectionStrings> section now carries a configProtectionProvider attribute and an EncryptedData block instead of the plaintext <add> entries.

  • For testing purposes, you can decrypt it again with this command.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pd "connectionStrings" -site "2" -app "/"
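Checking the file by eye works for one server, but on a multi-server rollout you want a repeatable check that no environment was left in clear text. The script below is an added example, not part of the original post: it reads a <connectionStrings> section, reports whether aspnet_regiis has protected it (configProtectionProvider attribute plus an xmlenc EncryptedData child), and otherwise lists every entry that still carries plaintext MongoDB or SQL credentials, as well as any mongodb:// URI with no credentials at all (one that was never updated for authentication). Both sample sections are constructed: the plaintext one reuses the SIT values from the post, the encrypted one has the real base64 cipher values replaced by placeholders.

```python
import re
import xml.etree.ElementTree as ET

XMLENC_NS = "{http://www.w3.org/2001/04/xmlenc#}"
# Matches a mongodb:// URI whose authority part carries user:password@.
CREDENTIALS_RE = re.compile(r"^mongodb://[^/@]+:[^/@]*@")

# Constructed sample 1: the section before aspnet_regiis -pe (SIT values from the post,
# one entry never updated, plus a Sitecore SQL entry with a placeholder password).
PLAINTEXT_SECTION = """<connectionStrings>
  <add name="analytics" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/analytics" />
  <add name="tracking.live" connectionString="mongodb://scdbreadwrite:abcd4321@MONGODB_SERVER_IP_ADDRESS:27017/tracking_live" />
  <add name="tracking.contact" connectionString="mongodb://MONGODB_SERVER_IP_ADDRESS:27017/tracking_contact" />
  <add name="core" connectionString="user id=PLACEHOLDER_USER;password=PLACEHOLDER_PASSWORD;Data Source=(local);Database=Sitecore_Core" />
</connectionStrings>"""

# Constructed sample 2: the shape aspnet_regiis writes for the RSA provider
# (cipher values are placeholders; a real file holds base64 blobs).
ENCRYPTED_SECTION = """<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
        <CipherData><CipherValue>PLACEHOLDER_ENCRYPTED_SESSION_KEY</CipherValue></CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData><CipherValue>PLACEHOLDER_CIPHERTEXT</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings>"""


def audit_connection_strings(xml_text):
    """Return (encrypted, findings).

    encrypted is True when the section carries configProtectionProvider and an
    xmlenc EncryptedData child, i.e. aspnet_regiis -pe has been run on it.
    Otherwise findings holds (name, issue) for each entry a reviewer should look at."""
    root = ET.fromstring(xml_text)
    if root.tag != "connectionStrings":
        raise ValueError("expected a <connectionStrings> root element")
    if root.get("configProtectionProvider") and root.find(XMLENC_NS + "EncryptedData") is not None:
        return True, []
    findings = []
    for add in root.findall("add"):
        name, value = add.get("name", "?"), add.get("connectionString", "")
        if value.startswith("mongodb://"):
            if CREDENTIALS_RE.match(value):
                findings.append((name, "plaintext MongoDB credentials"))
            else:
                findings.append((name, "mongodb:// URI without credentials"))
        elif re.search(r"(?i)\bpassword\s*=", value):
            findings.append((name, "plaintext SQL password"))
    return False, findings


if __name__ == "__main__":
    for label, text in (("before", PLAINTEXT_SECTION), ("after", ENCRYPTED_SECTION)):
        encrypted, findings = audit_connection_strings(text)
        print(label, "encrypted" if encrypted else "PLAINTEXT", findings)
```

Run it against the real connectionstrings.config of each environment after the aspnet_regiis step (read the file and pass its text to audit_connection_strings). Two points to keep in mind when you do: the encrypted section is only decryptable on a machine whose RSA key container (by default NetFrameworkConfigurationKey) holds the key, so for a web farm the key has to be exported and imported on every server, and the application pool identity needs read access to that container (granted with aspnet_regiis -pa) or the site will fail at startup with a configuration error.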

To know more about configuration encryption, see Microsoft's documentation on aspnet_regiis and protected configuration providers.

Marvin
