NWWCGI Config ini Security

In addition to locking down my web server’s cgi-bin, are there any additional ways to protect the config.ini that’s used by nwwcgi.exe?

Since the NWW_PASSWORD and RPC_PASSWORD parameters both contain a password, our network guys have become concerned about potential security exploits… I locked down the cgi-bin; however, management would like some sort of encryption on the ini file.

Does anyone have some suggestions?

Thanks!

After doing more research I now have the following question. Is there a way to avoid hard coding the passwords into the ini file when using EntireX Security and Natural Security?

I know how to restrict access to the NWW interface at the HTTP Server; however, our environment cycles passwords every 30 days and hard coding the EntireX security password into the .ini file is not feasible.

Please see what the SAG documentation has to say. Are there any other options?

Communication with Natural Security
The new version of the EntireX Broker SDK supports the use of two user IDs and passwords.

The first user ID is used to get access through EntireX Security and the second for Natural Security.

HTTP server security is involved as a third security system.

HTTP Server Security:
Restrict access to the NWW interface at your HTTP server. For details, refer to your HTTP server documentation.

EntireX Security:
In the configuration file, NWW_USER_ID and NWW_PASSWORD have to be specified.

Natural Security:
A second user ID/password pair (RPC_USER_ID, RPC_PASSWORD) has to be set.

If the parameter USE_REMOTE_USER is activated, RPC_USER_ID will be set/overwritten. RPC_PASSWORD remains unchanged.

It is necessary to set up Natural Security with “AUTO=ON” to pass security without a password. If no RPC_USER_ID/RPC_PASSWORD pair is set, NWW_USER_ID/NWW_PASSWORD will be used to ensure compatibility with the existing implementation.

There is currently no way around coding the passwords in the mentioned ini file. The problem is related to the way the HTTP server handles the password, i.e., the HTTP server does not provide the password to the application.
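As an added illustration (not code from the thread, from SAG, or from nwwcgi itself), the following Python script models the credential rules quoted from the documentation above so you can see which user ID/password pairs the CGI would present to EntireX Security and to Natural Security for a given config.ini and HTTP server environment, and which cleartext passwords remain on disk in each configuration. Everything beyond the quoted rules is an assumption made for the example: the file is treated as flat KEY=VALUE lines, USE_REMOTE_USER is taken as enabled for the values 1/ON/YES/TRUE, the compatibility fallback to the NWW pair is applied before the REMOTE_USER override, a missing REMOTE_USER leaves RPC_USER_ID as configured, and the sample ini contents and user names are constructed placeholders.

```python
"""Model of the config.ini credential rules quoted from the SAG documentation.

Added example, not nwwcgi's own code.  Assumptions (not stated in the docs):
  - config.ini is parsed as flat KEY=VALUE lines ([section] headers ignored)
  - USE_REMOTE_USER is enabled for 1 / ON / YES / TRUE
  - the fallback to the NWW pair happens before the REMOTE_USER override
  - no REMOTE_USER in the CGI environment leaves RPC_USER_ID as configured
"""
from typing import Dict, List, Tuple

TRUE_VALUES = {"1", "ON", "YES", "TRUE"}  # assumed spelling of "activated"

# Constructed sample files; the values are placeholders, not real credentials.
SAMPLE_INI = """\
; both pairs configured, HTTP server user passed through
NWW_USER_ID=EXXUSER
NWW_PASSWORD=exx-placeholder
RPC_USER_ID=NATUSER
RPC_PASSWORD=nat-placeholder
USE_REMOTE_USER=ON
"""

LEGACY_INI = """\
; only the NWW pair configured (old-style file)
NWW_USER_ID=EXXUSER
NWW_PASSWORD=exx-placeholder
USE_REMOTE_USER=OFF
"""

Credentials = Tuple[str, str]  # (user id, password)


def parse_ini(text: str) -> Dict[str, str]:
    """Parse flat KEY=VALUE lines; blanks, ';'/'#' comments and [sections] are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def is_enabled(value: str) -> bool:
    return value.strip().upper() in TRUE_VALUES


def resolve_credentials(cfg: Dict[str, str], environ: Dict[str, str]) -> Tuple[Credentials, Credentials]:
    """Return the (EntireX Security, Natural Security) pairs the CGI would use.

    environ stands in for the CGI environment the HTTP server hands to nwwcgi;
    only REMOTE_USER is consulted, since the docs say no password is passed.
    """
    entirex: Credentials = (cfg.get("NWW_USER_ID", ""), cfg.get("NWW_PASSWORD", ""))
    rpc_user = cfg.get("RPC_USER_ID", "")
    rpc_password = cfg.get("RPC_PASSWORD", "")
    if not rpc_user and not rpc_password:
        # Compatibility rule: no RPC pair set -> reuse the NWW pair for Natural Security.
        rpc_user, rpc_password = entirex
    if is_enabled(cfg.get("USE_REMOTE_USER", "")) and environ.get("REMOTE_USER"):
        # USE_REMOTE_USER: the HTTP server's authenticated user overwrites RPC_USER_ID;
        # RPC_PASSWORD is left unchanged (Natural Security then needs AUTO=ON).
        rpc_user = environ["REMOTE_USER"]
    return entirex, (rpc_user, rpc_password)


def audit(cfg: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise about the secrets and modes in this file."""
    findings: List[str] = []
    for key in ("NWW_PASSWORD", "RPC_PASSWORD"):
        if cfg.get(key):
            findings.append(f"{key} is stored in cleartext in config.ini")
    if not cfg.get("RPC_USER_ID") and not cfg.get("RPC_PASSWORD"):
        findings.append("no RPC pair: NWW credentials are reused for Natural Security (compatibility mode)")
    if is_enabled(cfg.get("USE_REMOTE_USER", "")):
        findings.append("USE_REMOTE_USER on: RPC_USER_ID follows REMOTE_USER, Natural Security needs AUTO=ON, "
                        "and RPC_PASSWORD is still kept on disk")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_INI), ("legacy", LEGACY_INI)):
        cfg = parse_ini(text)
        print(name, "with REMOTE_USER=jsmith:", resolve_credentials(cfg, {"REMOTE_USER": "jsmith"}))
        print(name, "without REMOTE_USER:   ", resolve_credentials(cfg, {}))
        for finding in audit(cfg):
            print("  -", finding)
```

Running it against the two constructed files shows the practical consequence of the reply above: USE_REMOTE_USER removes the need to keep a per-user Natural Security ID in the file, but both password parameters still have to sit in cleartext in config.ini, so file-system ACLs on the ini (readable only by the account the CGI runs under) and the cgi-bin lockdown remain the only protection the documented design offers.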