Database Connection String Visibility
Is there any way to hide ONLY the "Connection String" text value shown on the Database / Details screen? Our information security team has advised that the connection string information (specifically, userid/password) should not be visible to any end users of dynaTrace. We don't necessarily want to hide all confidential strings from users of dynaTrace, so denying the 'Read Confidential Strings' permission is not an ideal solution for this issue.
Thanks.
Hi Jason
The upcoming Spring Release will provide that capability as we give you more control about which strings are confidential and which are not
Andi
Hi Andi
Thanks for the information. One follow up question - is the connection string data (specifically userids/passwords) stored within dynaTrace in clear text, or is it encrypted? Thank you.
All data is stored in a compressed custom format - so - no clear text in the dynaTrace stored sessions
Hello,
Do you have any ideas on a workaround for this issue that we can use prior to 5.1 being released in the Spring? I need to come up with some method of preventing the database connection string userid/password from showing to any of our end users of dynaTrace without hiding all confidential strings.
Thanks.
What kind of database? What version? It is unusual to see the user/pass in the connection string in the PurePath details. Without revealing your password, what does the connection string contain?
SQL Server 2005 database. Here is an example of what the displayed connection string displays:
Data Source = CTNGESDB; Integrated Security = false; Persist Security Info = false; Database = db123; User ID =uid12345_rw; Password = pw12345
Where is the DB connection detailed stored? In the web.config in <connectionStrings> ?
The reason I am asking is because on my .NET application, dynaTrace masks the password in my connection string automatically.
My connection string looks this in dynaTrace... 
Below is my web.config
Generally, our DB connection string details are not in the web.config file. They are secured in a database and they are retrieved by using a web service call within the application.
I just checked and we do have small number of applications where the connection strings are in the web.config file. You're right, within dynaTrace, the connection string password displays as "***" instead of being displayed in clear text in cases where the connection strings are in the web.config file.
That being said, can this be considered a dynaTrace bug that the password is not being masked as "***" for connection strings that are NOT in the web.config file? Thanks.
I would suggest that you open a support case.
In the meantime, your options are:
1. Enable security of confidential strings.
2. Unplace the ADO sensor (thus ignoring DB calls from your PurePaths)
3. Wait until 5.5 is released. Talk to your Compuware rep to see if you can get a copy of 5.5 sooner versus later.
4. Updated your app to retrieve the connection string from web.config
5. Do nothing
I realize none of these choices are ideal.
Hi Jason,
you can create a ticket, but your chances to get this treated as bug are very low. PM will not easily accept this as a bug, it'll be treated as an enhancement and the chances to get this implemented on the current version are low because the next product release has that feature already. Also having the connection string information stored in the DB is not very common either, you are the first customer to complain about this.
I spoke to R&D, a back port of the 5.5 functionality is not possible because the architecture had to be changed in some areas to make this possible in the next release.
I'm with Ryan in terms of your options.
regards,
Günter
Hi Jason,
The password should automatically be stripped out of all connection strings. The reason it does not work in your case might be the fact that you have whitespaces in your connection string between the assignment operators.
If you change
"Password = pw12345"
to
"Password=pw12345"
it should work.
regards,
-Christoph
Hi Christoph,
I just found an example connection string that is in the web.config file with no whitespaces, but the password is not stripped out. Perhaps it is due to the ";enlist=true;" following the password value?
Database=AAMGlobalCatalog;Server=CTNCORDDBD01\CORPDEV;UID=aamgc;PWD=laksjfi333;enlist=true;
