Solved

Azure Indicium(Universal) appsettings.json encryption of the DB username and password

  • 22 October 2020
  • 10 replies
  • 239 views

Userlevel 3
Badge +12

How do we secure the username and password of the DB connection details in the appsettings.json so that they are not in plain text in Azure? I saw from another article that the Azure Managed Identity is not supported.
 

Can we use Azure KeyVault? Is there another alternative?


Best answer by Mark Jongeling 22 October 2020, 15:18


Userlevel 7
Badge +22

Hi mperrott,

Maybe this topic can help you out:

Also see the documentation here:

https://docs.thinkwisesoftware.com/docs/deployment/azure.html

 

I hope this supplies you with all the information :wink:

Kind regards,
Mark Jongeling

Userlevel 3
Badge +12

Hi Mark,

I’m not looking for the deployment instructions, thank you for that.

I’m looking for the way to secure the MetaSourceConnection information not to be in the appsettings.json file in plain text.

I only found this article, where it was tried with Azure managed identity: https://community.thinkwisesoftware.com/installation-11/azure-managed-identity-for-iam-indicium-1289

I’m looking for an alternative to what is suggested in the above article, which is using only plain text for the username and password in the MetaSourceConnection section.

 

Regards

Michalis Perrott

Userlevel 7
Badge +22

Hi Michalis,

Within Thinkwise it has been tested and the following solution will solve your problem. This way the credentials are securely stored in the Application settings in the Azure WebApp.

When you have Indicium (Universal) in Azure as WebApp, you can go into the Application Settings and add the following settings. Note: the Names have double underscores e.g. MetaSourceConnection__Database

Application Settings

The appsettings.json can look like the following:

    {
      "Logging": {
        "ApplicationInsights": {
          "LogLevel": {
            "Default": "Information",
            "System": "Information",
            "Microsoft": "Warning",
            "Indicium": "Debug"
          }
        },
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Information",
          "System": "Information",
          "Microsoft": "Warning",
          "Indicium": "Debug"
        }
      },
      "MetaSourceConnection": {
        "Server": "",
        "Database": "",
        "PoolUserName": "",
        "PoolPassword": ""
      }
    }

To sum it up; 

Create four new application settings named:

  1. MetaSourceConnection__Server
  2. MetaSourceConnection__Database
  3. MetaSourceConnection__PoolUserName
  4. MetaSourceConnection__PoolPassword

and give them the value needed.

We will make a blog post about this and the documentation will soon be expanded accordingly. 

Kind regards,
Mark Jongeling

Userlevel 3
Badge +12

Thank you Mark,

This information is missing from the online documentation, this is very useful to have known in advance during the installation :) .

 

I have tested it and it is working. Can I assume that also other parts of the appsettings.json file can be placed in the same manner in the webapp application setting? e.g. EMAIL  SMTP?

Userlevel 7
Badge +22

It is safe to assume it is. You can try it out and let us know in this thread :wink:

Keep note of the double underscores in the settings.
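
How the double-underscore names from the answer above map onto appsettings.json, and how to check that no credential is left in the file once the settings have been moved. This is an added example, not part of the original thread or Thinkwise's own code. It assumes Indicium reads its configuration the standard ASP.NET Core way (environment variables override the JSON file, `__` stands for the `:` section separator, keys are case-insensitive); the sample file, the sample settings and the `SENSITIVE` list are constructed for illustration.

```python
import json

# Constructed sample: an appsettings.json that still holds credentials in plain text.
SAMPLE_FILE = """
{
  "Logging": {"LogLevel": {"Default": "Information"}},
  "MetaSourceConnection": {
    "Server": "",
    "Database": "",
    "PoolUserName": "indicium_pool",
    "PoolPassword": "constructed-example-value"
  }
}
"""
# Constructed stand-in for the WebApp's application settings (seen by the app as env vars).
SAMPLE_ENV = {
    "MetaSourceConnection__Server": "sql.example.invalid",
    "MetaSourceConnection__Database": "IAM",
    "MetaSourceConnection__PoolUserName": "pool_user",
    "METASOURCECONNECTION__POOLPASSWORD": "from-app-settings",
}
SENSITIVE = ("username", "password")  # assumption: name fragments treated as credentials


def leaves(node, path=()):
    """Yield (path, value) for every leaf; list items get their index as a path segment."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, path + (str(index),))
    else:
        yield path, node


def plaintext_credentials(file_text):
    """App-setting names of credential keys that still carry a value in the file."""
    return ["__".join(p) for p, v in leaves(json.loads(file_text))
            if v not in ("", None) and any(s in p[-1].lower() for s in SENSITIVE)]


def effective(file_text, env):
    """File values overlaid by env vars: '__' maps to ':', keys compare case-insensitively."""
    merged = {":".join(p).lower(): v for p, v in leaves(json.loads(file_text))}
    merged.update({k.replace("__", ":").lower(): v for k, v in env.items()})
    return merged


if __name__ == "__main__":
    print("move to application settings:", plaintext_credentials(SAMPLE_FILE))
    print("password in effect:", effective(SAMPLE_FILE, SAMPLE_ENV)["metasourceconnection:poolpassword"])
```

Running `plaintext_credentials` over the deployed file in a release pipeline gives a quick gate: an empty list means the file matches the empty-valued template shown in the answer.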

Userlevel 3
Badge +12

I’m pleased to let you know that I have transferred all the below configuration and everything is working as expected.

With this movement of configuration, upgrading is so much easier.

Only automation I need to implement is for the images/icons/logos that need to be replaced in Indicium and Universal after upgrade, and the replacement of the name of “Universal” in the index.html file of Universal.

Thanks a million Mark.

Userlevel 5
Badge +15

Maybe a tip of interest: what we currently do is commit an updated GUI to a Git repository and let a build automation tool (Bamboo) add/update some assets using PowerShell scripts, returning a .zip file which we can then directly upload to Azure (that could even be done by the automation tool). The only manual labour now is to do a check-in of the updated GUI files; the build automation should take care of the rest.

Userlevel 3
Badge +12

 

Thanks Rene. :relaxed:

I was planning to use Jenkins as I’m more familiar with it.

Userlevel 7
Badge +22

Thank my colleague @Barry , he's the one to find out all this :wink: We are happy to help

Badge +1


This Best answer, provided by Mark Jongeling, is now documented in topic: Store database user credentials securely.