Database Connection String Visibility
Is there any way to hide ONLY the "Connection String" text value shown on the Database / Details screen? Our information security team has advised that the connection string information (specifically, userid/password) should not be visible to any end users of dynaTrace. We don't necessarily want to hide all confidential strings from users of dynaTrace, so denying the 'Read Confidential Strings' permission is not an ideal solution for this issue.
Thanks.
Hi Jason,
well, unfortunately you just hit another special case. We find the password string with a regex, that unfortunately also does not work with "PWD=". However it does work with "Pwd=" or "pwd=". So, if you have the possibility to modify the connection string, this would be the easiest workaround.
Let me know if that works for you.
Thanks,
-Christoph
The problem is that we have 60+ production connection strings that would need to be changed in order to work with dynaTrace's limitations that we have recently discovered. It would be very time consuming on our side to go through our change control process to modify all of these connection strings in production. If this is the only workaround option that we have, that would be disappointing.
Hi Christoph,
I also got a case of the password being shown in the connection string for a Java application. The data looks like this:
Database Name: rel444;user=me;password=mine; Connection String: jdbc:jtds:sqlserver://hostname:1433/rel444;user=me;password=mine;
Should that have been covered? Or should I open a support case for that to be fixed?
Thx, Roman
Hi Christoph,
I just found an example connection string that is in the web.config file with no whitespaces, but the password is not stripped out. Perhaps it is due to the ";enlist=true;" following the password value?
Database=AAMGlobalCatalog;Server=CTNCORDDBD01\CORPDEV;UID=aamgc;PWD=laksjfi333;enlist=true;
Hi Jason,
The password should automatically be stripped out of all connection strings. The reason it does not work in your case might be the fact that you have whitespaces in your connection string between the assignment operators.
If you change
"Password = pw12345"
to
"Password=pw12345"
it should work.
regards,
-Christoph
Hi Jason,
you can create a ticket, but your chances to get this treated as bug are very low. PM will not easily accept this as a bug, it'll be treated as an enhancement and the chances to get this implemented on the current version are low because the next product release has that feature already. Also having the connection string information stored in the DB is not very common either, you are the first customer to complain about this.
I spoke to R&D, a back port of the 5.5 functionality is not possible because the architecture had to be changed in some areas to make this possible in the next release.
I'm with Ryan in terms of your options.
regards,
Günter
I would suggest that you open a support case.
In the meantime, your options are:
1. Enable security of confidential strings.
2. Unplace the ADO sensor (thus ignoring DB calls from your PurePaths)
3. Wait until 5.5 is released. Talk to your Compuware rep to see if you can get a copy of 5.5 sooner versus later.
4. Updated your app to retrieve the connection string from web.config
5. Do nothing
I realize none of these choices are ideal.
Where is the DB connection detailed stored? In the web.config in <connectionStrings> ?
The reason I am asking is because on my .NET application, dynaTrace masks the password in my connection string automatically.
My connection string looks this in dynaTrace... 
Below is my web.config
Generally, our DB connection string details are not in the web.config file. They are secured in a database and they are retrieved by using a web service call within the application.
I just checked and we do have small number of applications where the connection strings are in the web.config file. You're right, within dynaTrace, the connection string password displays as "***" instead of being displayed in clear text in cases where the connection strings are in the web.config file.
That being said, can this be considered a dynaTrace bug that the password is not being masked as "***" for connection strings that are NOT in the web.config file? Thanks.
SQL Server 2005 database. Here is an example of what the displayed connection string displays:
Data Source = CTNGESDB; Integrated Security = false; Persist Security Info = false; Database = db123; User ID =uid12345_rw; Password = pw12345
What kind of database? What version? It is unusual to see the user/pass in the connection string in the PurePath details. Without revealing your password, what does the connection string contain?
Hello,
Do you have any ideas on a workaround for this issue that we can use prior to 5.1 being released in the Spring? I need to come up with some method of preventing the database connection string userid/password from showing to any of our end users of dynaTrace without hiding all confidential strings.
Thanks.
Hi Andi
Thanks for the information. One follow up question - is the connection string data (specifically userids/passwords) stored within dynaTrace in clear text, or is it encrypted? Thank you.
All data is stored in a compressed custom format - so - no clear text in the dynaTrace stored sessions
