In some companies, encryption of the connection strings and other security-related information is required and checked by security policies. NBi supports these requirements and offers the opportunity to encrypt the connection strings in the config file. NBi tries not to reinvent the wheel and, as such, relies on the .Net framework's native features for the encryption of the connection strings.
The first step to consider when using encrypted connection strings is to move them to the config file. In your test-suite you should find the following reference to a connection string named myDB:
<settings>
  <default apply-to="system-under-test">
    <connectionString>@myDB</connectionString>
  </default>
</settings>
And in the config file, you should have the information about the myDB connection string:
<configuration>
  <configSections>
    <section name="nbi" type="NBi.NUnit.Runtime.NBiSection, NBi.NUnit.Runtime"/>
  </configSections>
  <nbi testSuite="TestSuite.nbits"/>
  <connectionStrings>
    <add name="myDB" connectionString="Provider=SQLNCLI11;Server=****.database.windows.net;Database=AdventureWorks2012;UId=****;Pwd=****;" />
  </connectionStrings>
</configuration>
The following walkthrough uses the RsaProtectedConfigurationProvider. This provider uses RSA encryption to encrypt and decrypt configuration data.
Before you and the user running your test-suite can decrypt encrypted information in the config file, their identity must have read access to the encryption key that is used to encrypt and decrypt the encrypted sections. This walkthrough uses the default RsaProtectedConfigurationProvider provider that is specified in the Machine.config file and named RsaProtectedConfigurationProvider. The RSA key container that is used by the default RsaProtectedConfigurationProvider provider is named NetFrameworkConfigurationKey.
To grant read access to an RSA encryption key, you’ll need to use aspnet_regiis. This utility can be found in any version of the .Net framework installed on your machine. The latest version is available at C:\Windows\Microsoft.NET\Framework\v4.0.30319. Granting read access to the user xyz can be executed with the following command (you probably need admin rights to successfully execute this command):
aspnet_regiis -pa "NetFrameworkConfigurationKey" "xyz"
Once read access has been granted to your development account, don’t forget to also grant it to the account executing your test-suite (if they are different accounts).
The next step is to rename your config file to web.config. It may sound weird, but the encryption tool does not look for any file other than web.config.
After renaming your config file to web.config, you’ll need to use aspnet_regiis again to encrypt your file. Use the following command:
aspnet_regiis -PeF "connectionStrings" "C:\Full Path\MyTestSuite"
Note that the name of the section, connectionStrings, is case-sensitive! Take into account the upper-case “S”. You should also be careful with the last parameter, which sets the path of your project (and not the path of your config file). Last but not least, the path of your project shouldn’t contain a backslash “\” at the end.
Now, you should open the web.config file and you’ll find the following section:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>aloQVZs+EU3icflVqx+kl9TgCrJZ+qw+fMG5zu0y5SbjkflNgOPtv/Id0H07jNHW5QXA5dcTUa8vMXb4evJMqv281/PTnTq9D4+YtpS5n2eeoGNrlkenHA4L2hOkwbO5A5M8hRAm6MMCjWuvmIgxnczH+BY6tAMAfyU53cjkeWyYOL5SBbmeq0iZ3xcm256VDojqQUdddhuLzlBDQ/FPKeDEJhV9TsbQmaWxmkQ7ftWKsVrhgkzIiqlVjyUw/KM6S2iW/CwayOXhyOZhxYqZAVy6BmaE943/Hoky/UG8E1aOaLBrmUEt+ahl7hru/RZb2wNacGqCO5y+X8TqFdpk0g==</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>b2K1WbCd+0mOj5L6xL3ZczWqsgNwdV/RP6jqEA7U2ULYigXF7VccUS7LP7FIRGfVWPcgxQvVHTXanvfY+HKv6J8QfJV7IUopcrn9PYZYQBjm5gZ61AZA5ePfI16GaLsoPk4+VGyxjNCXwoaNSRLgUotA5vyA1cb7VuKKbGZMYixb7L9xPUj9sm5kb9r2PLGjjWDBKhGKBTxn6dGDnUHMjaBk1IXixuj8z1kx4l4CwvUtyLExddeWVu32PkgkIczlzxNb5VG11lI3M6KcptI/fkCCg9Vs/ZFd</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
Your connection string is now encrypted. You can reverse the encryption by using the following command:
aspnet_regiis -PdF "connectionStrings" "C:\Full Path\MyTestSuite"
To use your encrypted config file (don’t forget to re-encrypt it if you have just decrypted it), you’ll need to rename it back to its original name.
Then, just run your test-suite! Nothing else to configure. With the help of native .Net features, NBi will understand that the config file is encrypted, where the encryption key is stored and how to decrypt it.
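The rename, encrypt and rename-back steps above can be wrapped in one PowerShell script that also checks the result before the file goes back into use. This is an added example, not part of NBi or of the original walkthrough; the config file name MyTestSuite.config is a hypothetical placeholder, and read access to the key container is assumed to have been granted already.

```powershell
# Added example: rename -> encrypt -> verify -> rename back.
# Assumptions: $ConfigName is a hypothetical file name; adapt both paths.
$ProjectDir = 'C:\Full Path\MyTestSuite'
$ConfigName = 'MyTestSuite.config'
$RegIis     = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'

function Test-ConnectionStringsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $section = $doc.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $section) { return $false }
    # Encrypted sections carry the provider attribute and an EncryptedData
    # child (in the xmlenc namespace), and no clear-text <add> entries.
    $hasProvider = $section.GetAttribute('configProtectionProvider') -ne ''
    $hasCipher   = $null -ne $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $hasPlain    = $null -ne $section.SelectSingleNode('add')
    return ($hasProvider -and $hasCipher -and -not $hasPlain)
}

# The tool expects the project folder without a trailing backslash.
$ProjectDir = $ProjectDir.TrimEnd('\')
$original   = Join-Path $ProjectDir $ConfigName
$webConfig  = Join-Path $ProjectDir 'web.config'

if (Test-Path -LiteralPath $webConfig) {
    throw "web.config already exists in $ProjectDir; refusing to overwrite it."
}

Rename-Item -LiteralPath $original -NewName 'web.config'
try {
    & $RegIis -PeF 'connectionStrings' $ProjectDir
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis exited with code $LASTEXITCODE"
    }
    # Do not trust the exit code alone: inspect the file that was written.
    if (-not (Test-ConnectionStringsEncrypted -Path $webConfig)) {
        throw 'connectionStrings section is still in clear text.'
    }
}
finally {
    # Restore the original name even when encryption or the check failed.
    Rename-Item -LiteralPath $webConfig -NewName $ConfigName
}
```

Test-ConnectionStringsEncrypted can also be run on its own against a committed config file, for example as a pre-deployment check that no clear-text connection string has slipped back in.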