
ASP Connection String vs. Database Access DLL

Euless_Tech asked:
I am working with our web developer to find a way to connect to our AS/400 from ASP.NET running on Server 2003. My first inclination is to create a database DLL that connects to the AS/400 and returns various data elements from Stored Procedures. I can hard code a connection string in the DLL that I create with C# to access the AS/400 database. The access to our AS/400 can be limited to calling only a select group of stored procedures. The ASP.NET application would simply utilize the DLL to connect to the AS/400.
We could also store the connection string in the Web.Config file on the ASP server. I understand that if our server gets hacked, that connection string could be viewed.
Is there a best practice for this kind of connection? Anybody doing ASP connecting to the AS/400 (System-i)?

I hope you have got the correct ODBC drivers for AS/400.

It's better to keep your connection string in web.config and secure it using the very simple method given below:

// This method is used to encrypt the connection string
private string EncryptConnectionString(string connectionString)
{
    // Get the ASCII byte representation of the connection string
    byte[] b = System.Text.ASCIIEncoding.ASCII.GetBytes(connectionString);
    // Convert the bytes with Convert.ToBase64String
    string encryptedConnectionString = Convert.ToBase64String(b);
    return encryptedConnectionString;
}

Explanation of the Code:

1) The method EncryptConnectionString takes in the connectionString and returns the encrypted connection string.

2) In this case we have used the ASCIIEncoding, which gets the byte representation of the connection string and stores it in an array.

3) Finally, we encrypt the connection string using the ToBase64String method of the Convert class and the connection string is returned to the caller.

If you print out the connection string you will find something like this:

ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F0YWx

Once you have got the encrypted connection string, you can copy and paste it into the web.config file.

<appSettings>
  <add key="ConnectionString"
       value="ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F"/>
</appSettings>

// This method is used to decrypt the connection string
private string DecryptConnectionString()
{
    // Read the stored value from web.config and convert it back from Base64 to bytes
    byte[] b = Convert.FromBase64String(ConfigurationSettings.AppSettings["ConnectionString"]);
    // Turn the ASCII bytes back into the original string
    string decryptedConnectionString = System.Text.ASCIIEncoding.ASCII.GetString(b);
    return decryptedConnectionString;
}

Hope it helps you

Author commented:
BuggyCoder,
I've heard that encrypting connection strings can be a nightmare and that as long as a network analyst sets up security correctly, the web.config file is safe.
Do you encrypt all your connection strings?

We do encrypt those strings that are to be shared over the internet. You can go on with the DLL option as well, but that would restrict you to recompiling the DLL again if you need to change something in your connection string. However, since we are using Base64 encryption with ASCII encoding, and both of these are part of the standard .NET Framework, you need not worry about any network issues coming in.

Hope it helps:-)
It should be noted that ToBase64String/FromBase64String are not encryption methods, but rather encoding methods. Anyone can run the strings and decode them. (Technically, it can be done manually.) The text is obscured for sure, but it shouldn't be considered "secure" by any stretch. Base 64 encoding is intended as a way to convert binary files into text characters that can safely pass through networked servers such as SMTP servers.

Tom
Use the aspnet_regiis.exe utility that is built into .NET.
By default, it encrypts all or part of the web.config file with a machine specific key.

For example, your web.config may have a section like this:

<connectionStrings>
  <add name="myAs400" connectionString="as00-connection-string-here"
    providerName="IBMDA400" />
</connectionStrings>

The basic usage is to go to the Windows command line and execute it using the proper path to the web.config file:
aspnet_regiis -pef "connectionStrings"  c:\inetpub\wwwroot

To decrypt:
aspnet_regiis -pef "connectionStrings"  c:\inetpub\wwwroot


There is a possibility to use a PKI infrastructure for enterprise-wide deployments, like when you need clustering or high availability.
http://msdn.microsoft.com/en-us/library/68ze1hb2

ShalomC
Error:
To decrypt, use this:

aspnet_regiis -pdf "connectionStrings"  c:\inetpub\wwwroot

This is what comes out of intensive copy/paste of my own text :)
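
What the aspnet_regiis approach described above looks like from inside the application, as an added example that is not code from this thread. The class and method names (`ConnectionStringProtection`, `EnsureProtected`, `GetAs400ConnectionString`) are hypothetical; the connection string name `myAs400` is taken from the sample web.config above.

```csharp
// Added example, not code from the thread. Targets ASP.NET on .NET Framework 2.0+
// (references System.Configuration.dll and System.Web.dll).
// Class and method names are hypothetical.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtection
{
    // Provider that aspnet_regiis -pe/-pef uses by default (machine-level RSA key).
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the application's web.config if it is still
    // plain text. Returns true when the section was encrypted by this call.
    public static bool EnsureProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");

        if (section.SectionInformation.IsProtected)
            return false;                       // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);    // rewrites web.config on disk
        return true;
    }

    // Reading is unchanged: the runtime decrypts the section in memory on access,
    // so calling code never handles ciphertext or keys.
    public static string GetAs400ConnectionString()
    {
        ConnectionStringSettings settings =
            ConfigurationManager.ConnectionStrings["myAs400"];  // name from the sample above
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string 'myAs400' is missing.");
        return settings.ConnectionString;
    }
}
```

`EnsureProtected` needs write access to web.config, so running `aspnet_regiis -pef` once at deployment is the alternative when the worker process should not have that right. Either way, the account the site runs under must be able to read the RSA key container, which `aspnet_regiis -pa "NetFrameworkConfigurationKey" "<account>"` grants.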

Author commented:
tliotta/shalomc,
Is there any merit in just creating a DLL that is accessed by the ASP.NET code?

There is merit in the separation of "levels of concern".
By creating a DLL you encapsulate the server access code, hide the access logic from the business level, can reuse the access logic between different business applications, and can replace the AS400 with any other data repository.

However, such an approach will make maintenance more complex.