search cancel

APM .NET Agent password in Backend

book

Article ID: 190175

calendar_today

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management (APM / Wily / Introscope) INTROSCOPE DX Application Performance Management

Issue/Introduction

When monitoring a .NET application, the app owner expressed concerns that sensitive data is visible to the APM users in the Investigator and requested that such information not be recorded.
Specifically that the username and password used to connect to a database instance is shown as part of a metric name, for example:

      Backends| on -3306 user <username>;password <password> 

 

 

Environment

Release : 10.7.0

Component : APM Agents

Cause

The application makes a connection to MySQL and documented connection information puts the username and password as part of the connection string, for example

"server=127.0.0.1;uid=root;pwd=12345;database=test"

It appears that the whole connection string is processed as the database name so the username and password are posted as metrics

Resolution

A workaround was supplied to change the reference in the pbds so it would hard-code the database name.
The update was required in both sqlagent.pbd and errors.pbd

Essentially, all references to {database} were replaced by a selected DB name. For example to fix a name of MyDB you would change the lines

from

     TraceOneMethodIfFlagged: SQLAgentConnections Open SqlMethodTraceIncrementor "Backends|{database}:Connection Count"

to

     TraceOneMethodIfFlagged: SQLAgentConnections Open SqlMethodTraceIncrementor "Backends|MyDB:Connection Count"


The limitation of this is that it will not report communications where there are multiple databases/datasources; everything will be collected under the name you choose.


The problem was not investigated further than this at this time.

Additional Information

Information from MySQL developer guides about .NET connection strings

https://dev.mysql.com/doc/connector-net/en/connector-net-connections-string.html