

Storing User Credentials Securely in Web.Config

By default, the CCS web service connects to the classification cache as ccsUser, and the credentials for this account are stored in the web.config file in clear text, where anyone who can read the file can read the password. You can instead use CacheUtil.exe to store the credentials in web.config in encrypted form. When the CCS web service connects to the cache with these stored credentials, SSL is activated for the connection automatically.

Important! The user account and password in web.config must match the user and password for the classification cache stored in CA Directory.

Installing a Key Container

The CCS uses the RSA cryptography provider to encrypt the credentials. Before you can store user credentials, you must install an RSA key container on each CCS server that reads the web.config file. Every such server needs the same key container: a server that does not hold the matching key cannot decrypt the stored password.

See your Microsoft documentation for details about creating an RSA Key Container. In particular, we recommend the following MSDN articles:

For example, the following instructions create a key container named 'CacheKey':

  1. From a command line on your CCS server, change to the .NET Framework version 2.0 directory (substitute the actual version folder name for the wildcard; cmd.exe does not expand wildcards in cd):
    cd \WINDOWS\Microsoft.Net\Framework\v2.0.* 
    
  2. Run this command to create the key container. The -exp option makes the key exportable, so you can export the container from this server and import the same key on your other CCS servers instead of creating a different key on each one:
    aspnet_regiis -pc "CacheKey" -exp
    

Storing the User Credentials Securely

Go to the CCS \bin folder and run the following command:

CacheUtil -creds -username <User name> -password <Password> -key-container <Container>

<User name>

Specifies the Distinguished Name (DN) of a user account. The CCS web service uses this account to connect to the classification cache. For example:

cn=ccsUser,cn=Users,cn=ClassificationCache

<Password>

(Optional) Specifies the password. If you omit this argument, CacheUtil.exe prompts you for the password. Omitting it is preferable: a password given on the command line is visible in the command history and to anyone who can list running processes.

<Container>

Specifies the name of the RSA key container that you installed on this server.

Example

After you install a key container, run the following command to store credentials securely for the ccsUser in web.config. This command specifies an RSA key container named 'CacheKey'.

cacheutil -creds -username "cn=ccsUser,cn=Users,cn=ClassificationCache" -key-container "CacheKey"

CacheUtil.exe prompts you to enter the password for ccsUser. This password is stored in web.config in encrypted form:

<ccscache enabled="true" LDAPServer="localhost" LDAPPort="19389"
 minConnections="10" maxConnections="20">
  <security useSSL="true" logonType="user">
    <credentials RSAKeyContainer="CacheKey">
      <user name="cn=ccsUser,cn=Users,cn=ClassificationCache"
       securePassword="FyV5i/faPfH5l0N0Nvp4mojITpqWbCvAcm6BrKS6zRMAn++BTD/SU1k90I3z7VW4WZk1MneN0L8JA3GB9bMJV975RMHFVhVHaP+XGukbgaEH/yMVtTFWuHWDtXSUhSg4hcPUIwGRBECtWjqqscfIkh1LZ="/>
    </credentials>
  </security>
</ccscache>
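As an added worked example (not from the CA documentation and not part of the CCS product), the following PowerShell script runs the two procedures above on one CCS server end to end and then checks the resulting web.config. It assumes the CCS install root, the web.config path, the identity the CCS web service runs as, the export file path, and the name of the clear-text password attribute; none of these are stated on this page. The additional aspnet_regiis switches it uses (-pa to grant the service identity access to the container, -px with -pri to export the container with its private key, -pi to import it on the other servers) are standard .NET Framework 2.0 options; the CacheUtil switches are the ones documented above.

```powershell
# Added example, not CA's or the CCS product's own code.
# Assumptions (not stated on the page): $CcsRoot, $WebConfig, $ServiceAcct,
# $ExportFile, and the attribute name 'password' for the clear-text form.
param(
    [string]$Container   = 'CacheKey',
    [string]$UserDn      = 'cn=ccsUser,cn=Users,cn=ClassificationCache',
    [string]$CcsRoot     = 'C:\Program Files\CA\CCS',             # assumed
    [string]$WebConfig   = 'C:\Program Files\CA\CCS\web.config',  # assumed
    [string]$ServiceAcct = 'NT AUTHORITY\NETWORK SERVICE',        # assumed
    [string]$ExportFile  = 'C:\Temp\CacheKey.xml'                 # assumed
)
$ErrorActionPreference = 'Stop'

# Resolve the directory the page writes as v2.0.* (cmd.exe does not expand
# wildcards in 'cd', so pick the real folder name here).
$fwDir = Get-ChildItem "$env:windir\Microsoft.NET\Framework" |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'v2.0.*' } |
    Select-Object -First 1
if (-not $fwDir) { throw 'No .NET Framework 2.0 directory found' }
$regiis = Join-Path $fwDir.FullName 'aspnet_regiis.exe'

# Run a native command and fail on a non-zero exit code
# ($ErrorActionPreference does not cover native exit codes).
function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 1. Create the exportable RSA key container (the aspnet_regiis step above).
Invoke-Checked $regiis @('-pc', $Container, '-exp')

# 2. Grant the identity that runs the CCS web service read access to the
#    container; without it the service cannot decrypt securePassword at run time.
Invoke-Checked $regiis @('-pa', $Container, $ServiceAcct)

# 3. Export the container with its private key so the other CCS servers can
#    import the identical key (on those servers: aspnet_regiis -pi CacheKey <file>).
#    Protect and delete the export file once it has been imported.
Invoke-Checked $regiis @('-px', $Container, $ExportFile, '-pri')

# 4. Encrypt the ccsUser credentials into web.config. -password is omitted on
#    purpose so CacheUtil prompts instead of leaving the password in shell history.
Push-Location (Join-Path $CcsRoot 'bin')
try     { Invoke-Checked '.\CacheUtil.exe' @('-creds', '-username', $UserDn, '-key-container', $Container) }
finally { Pop-Location }

# 5. Verify the result: credentials must reference the container, the user
#    element must carry securePassword and no clear-text password attribute,
#    and useSSL must be on for the cache connection.
function Test-CcsCredentials([string]$Path, [string]$ExpectedContainer) {
    [xml]$cfg = Get-Content -Path $Path
    $sec   = $cfg.SelectSingleNode('//ccscache/security')
    $creds = $cfg.SelectSingleNode('//ccscache/security/credentials')
    $user  = $cfg.SelectSingleNode('//ccscache/security/credentials/user')
    $problems = @()
    if (-not $creds -or $creds.GetAttribute('RSAKeyContainer') -ne $ExpectedContainer) {
        $problems += "credentials element does not reference RSA key container '$ExpectedContainer'"
    }
    if (-not $user -or -not $user.GetAttribute('securePassword')) {
        $problems += 'user element has no securePassword attribute'
    }
    if ($user -and $user.HasAttribute('password')) {   # clear-text attribute name is assumed
        $problems += 'user element still carries a clear-text password attribute'
    }
    if (-not $sec -or $sec.GetAttribute('useSSL') -ne 'true') {
        $problems += 'security element does not have useSSL="true"'
    }
    return $problems
}

$issues = Test-CcsCredentials -Path $WebConfig -ExpectedContainer $Container
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "web.config credentials for $UserDn are encrypted with container '$Container'."
```

Run the script once on the first CCS server; on each remaining server, import the exported container with aspnet_regiis -pi, grant the service identity access with -pa, and copy or regenerate web.config. The final check is the one worth keeping in a deployment pipeline: it fails if a later edit reintroduces a clear-text password or turns useSSL off.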

More information:

Change the Default Password for ccsUser

About CacheUtil.exe