Encrypt connection string in Log4Net configuration

Encrypt connection string in Log4Net configuration

UniqueDisplayName
I am trying to encrypt the log4net section to hide the username and password in the connection string. To do this I'm using .Net's implementation of encrypting the config file. The code is as follows:

Configuration config = WebConfigurationManager.OpenWebConfiguration("~/");
ConfigurationSection section = config.GetSection("log4net");
if (!section.SectionInformation.IsProtected)
{
      section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
      config.Save();
}

The same approach can be seen in this post: http://stackoverflow.com/questions/13688744/log4net-error-when-encrypting-config-file. The beauty of this approach is that your application will decrypt the config file at runtime, but for some reason this doesn't seem to be working with log4net. It works fine with other 3rd parties such as Entity Framework. I'm hoping I can get some advice on getting this to work. It feels like it's an issue with log4net grabbing the config file before .Net has a chance to decrypt it but I'm not quite sure how to fix it. Any advice would be great.

FWIW, this is an MVC site using .Net 4.5 and log4net 2.0.5.

Thank You,
UDN
RE: Encrypt connection string in Log4Net configuration

Joe Joe-3
I would do this as follows:

- Use connectionStringName in the log4net ADONetAppender configuration to specify the name of a connection string in the "connectionStrings" configuration section

- Encrypt the connectionStrings configuration section.

I believe log4net reads its configuration as XML rather than as a .NET configuration section, which is why protected configuration doesn't work.

-----Original Message-----
From: UniqueDisplayName [mailto:[hidden email]]
Sent: 25 January 2016 21:55
To: [hidden email]
Subject: Encrypt connection string in Log4Net configuration

RE: Encrypt connection string in Log4Net configuration

UniqueDisplayName
Thank you Joe Joe-3, that worked out perfectly for me. I really appreciate the advice/help. For those who may come across this in the future, here's what my code/config looks like.

Web.config
<log4net>
    <root>
      <level value="All" />
      <appender-ref ref="AdoNetAppender" />
    </root>

    <appender name="AdoNetAppender" type="log4net.Appender.AdoNetAppender">
      <bufferSize value="1" />
      <connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <connectionStringName value="Log4Net"/>
    ..........
</log4net>

<connectionStrings>
    <add name="Log4Net" connectionString="data source=ServerName;initial catalog=DatabaseName;User Id=UserID;Password=Somepassword"
      providerName="System.Data.EntityClient" />
</connectionStrings>


Encryption Method in Code Behind
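// Requires: using System.Configuration; using System.Web.Configuration;
Configuration config = WebConfigurationManager.OpenWebConfiguration("~/");
ConfigurationSection section = config.GetSection("connectionStrings");
// Encrypt only once; IsProtected is true after the first successful run.
if (!section.SectionInformation.IsProtected)
{
    section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
    config.Save();
}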

I call the encryption method at startup of my website. It will encrypt the connectionStrings section of the file at rest and leave it encrypted forever unless you decrypt it. If anyone has any questions in the future feel free to reach out.

Once again thank you for the advice Joe,
UDN
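
An added example, not part of the original posts and not log4net code: a small C# check, suitable for a build or deployment test, that flags the two states this thread describes, namely a connection string left inline in the log4net XML and a connectionStringName that points at a connectionStrings section that is not yet protected. The class and method names are hypothetical, the sample config is constructed with placeholder values, and the check assumes the config elements carry no XML namespace.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Hypothetical helper: audits web.config text for plaintext logging credentials.
static class Log4NetConfigAudit
{
    public static List<string> FindIssues(string configXml)
    {
        var issues = new List<string>();
        XElement root = XDocument.Parse(configXml).Root;

        // Protected configuration replaces the section body with <EncryptedData>
        // and records the provider in the configProtectionProvider attribute.
        XElement connStrings = root.Element("connectionStrings");
        bool isProtected = connStrings != null
            && connStrings.Attribute("configProtectionProvider") != null;

        foreach (XElement appender in root.Descendants("appender"))
        {
            string name = (string)appender.Attribute("name") ?? "(unnamed)";

            // An inline <connectionString> stays in the log4net XML, where
            // encrypting the connectionStrings section does not cover it.
            if (appender.Element("connectionString") != null)
                issues.Add(name + ": inline connectionString; use connectionStringName instead");

            // A named reference only helps once the referenced section is encrypted.
            if (appender.Element("connectionStringName") != null && !isProtected)
                issues.Add(name + ": connectionStrings section is not protected");
        }
        return issues;
    }

    static void Main()
    {
        // Constructed sample with placeholder values, not a real configuration.
        const string sample = @"<configuration>
  <log4net>
    <appender name='AdoNetAppender' type='log4net.Appender.AdoNetAppender'>
      <connectionStringName value='Log4Net' />
    </appender>
  </log4net>
  <connectionStrings>
    <add name='Log4Net' connectionString='data source=ServerName;User Id=UserID;Password=Somepassword' />
  </connectionStrings>
</configuration>";
        foreach (string issue in FindIssues(sample))
            Console.WriteLine(issue);
    }
}
```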