ASP.NET Encryption - aspnet_regiis - Farm


Question

We have a website that uses "NT Authority\Network Service".

Response.Write(WindowsIdentity.GetCurrent().Name); 

We are currently using the following command to encrypt the config files.

aspnet_regiis -pc "NetFrameworkConfigurationKey"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
aspnet_regiis.exe -pef "connectionStrings" "C:\WebAppLocation\Folder"

Note: We are not using "-exp". When we use "-exp" it is not creating RSA Key Container.

As you can see, we are using the default key, NetFrameworkConfigurationKey. Our website has a load balancer. Webserver1 (W1) and WebServer2 (W2) are available.

If I follow the above mentioned commands, we will be using separate keys on W1 and W2. However the website works with this approach.

Is this approach sufficient? Does it have any shortcomings or security holes? Will it fail in any scenario?

Note: Machine key is added in our web.config. It is the same in both configs. However, our configProtectedData is not in the Web.Config. Also, I think NetFrameworkConfigurationKey will be different on both servers.

I have read the following MSDN article for Encryption in Web Farm Scenarios. http://msdn.microsoft.com/en-us/library/ff650304.aspx

Accepted answer

It doesn't sound to me like you've done everything correctly. First of all, there are two issues here:

  1. Ensuring the machineKey is the same on both web servers.
  2. Ensuring the same RSA private key is installed in a key container on both servers so that the encrypted configuration can be decrypted by each server.

These are separate concerns: the machineKey has nothing to do with encrypting/decrypting the configuration sections you want to protect.

So first of all, the aspnet_regiis -pc command is used to create a new RSA key container, and the reason it's failing is that the container name you've specified already exists because it's the default. The keypair in this container is not exportable, so you need to create a new key container and specify the -exp switch to denote that the keypair is exportable.

aspnet_regiis -pc "MyDeploymentKeyContainer" -exp

Then export the key to a file, including the private key: the private key is used to decrypt the config section so the web server will need it.

aspnet_regiis -px "MyDeploymentKeyContainer" deploykey.xml -pri

Now add the config section to your web.config and save it.

<configProtectedData>
  <providers>
    <add keyContainerName="MyDeploymentKeyContainer"
         useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="DeploymentProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

Then encrypt the web.config section, specifying the provider name as shown above (here it is "DeploymentProvider"):

aspnet_regiis -pef "connectionStrings" "C:\WebAppLocation\Folder" -prov "DeploymentProvider"

Now you need to deploy the app to both servers and import the RSA key container you exported to the file earlier. Copy the file up and on each server run:

aspnet_regiis -pi "MyDeploymentKeyContainer" deploykey.xml

Once that's done, delete the file from the server - you don't want it hanging about. Finally, grant the user account for the app pool running your web app access to the key container on both web servers.

aspnet_regiis -pa "MyDeploymentKeyContainer" SomeDomain\SomeAccount
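The whole procedure above, scripted for a two-node farm, as an added example that is not part of the original answer: the functions wrap the same aspnet_regiis switches the answer uses, and Test-EncryptedSection checks that the deployed web.config references the shared container rather than the per-machine default. The 64-bit .NET 4.x path, the C:\Deploy staging path and the function names are my assumptions.

```powershell
# Added example (not the original answer's code). Assumes 64-bit .NET Framework 4.x;
# adjust $AspnetRegiis for your runtime. Run in an elevated prompt on each node.
$AspnetRegiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$Container    = 'MyDeploymentKeyContainer'   # container and provider names from the answer
$Provider     = 'DeploymentProvider'
$KeyFile      = 'C:\Deploy\deploykey.xml'    # assumed staging path; the export holds the PRIVATE key

function Invoke-Regiis {
    param([string[]]$Arguments)
    & $AspnetRegiis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# Step 1, once, on the key-source node: create an exportable container and export it with the private key.
function New-FarmKeyExport {
    Invoke-Regiis @('-pc', $Container, '-exp')
    Invoke-Regiis @('-px', $Container, $KeyFile, '-pri')
}

# Step 2, on every node (the source included): import the container, grant the
# app pool identity access, and remove the export file whatever happens.
function Install-FarmKey {
    param([string]$AppPoolIdentity)   # e.g. 'NT Authority\Network Service'
    try {
        Invoke-Regiis @('-pi', $Container, $KeyFile)
        Invoke-Regiis @('-pa', $Container, $AppPoolIdentity)
    } finally {
        if (Test-Path $KeyFile) { Remove-Item $KeyFile -Force }
    }
}

# Step 3, once: encrypt the section with the named provider (web.config must already
# contain the configProtectedData block), then ship the same web.config to both nodes.
function Protect-ConnectionStrings {
    param([string]$AppPath)
    Invoke-Regiis @('-pef', 'connectionStrings', $AppPath, '-prov', $Provider)
}

# Check on each node that the deployed web.config is encrypted with the shared
# provider/container, i.e. not with the per-machine NetFrameworkConfigurationKey.
function Test-EncryptedSection {
    param([string]$AppPath)
    [xml]$cfg = Get-Content (Join-Path $AppPath 'web.config')
    $section  = $cfg.configuration.connectionStrings
    $provider = $cfg.configuration.configProtectedData.providers.add |
                Where-Object { $_.name -eq $Provider }
    return ($section.configProtectionProvider -eq $Provider) -and
           ($null -ne $section.EncryptedData) -and
           ($provider.keyContainerName -eq $Container)
}
```

The machineKey element still has to be identical on both nodes; this script only covers the RSA key container.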
