Machine Code Generator - Entrust Guard Identity

Web Farm Deployment Consideration

 

DevOps Repository: https://dev.azure.com/transport-canada/DSD-CIVAV Support/_git/MachineCodeGenerator

 

If you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

With manually generated key values, the <machineKey> settings should be similar to the following example.

codeCopy

<machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7 AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B" decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F" validation="SHA1" decryption="AES" />

If you want to isolate your application from other applications on the same server, place the <machineKey> in the Web.config file for each application on each server in the farm. Ensure that you use separate key values for each application, but duplicate each application's keys across all servers in the farm.

Generate Cryptographically Random Keys

To generate cryptographically random keys:

  • Use the RNGCryptoServiceProvider class to generate a cryptographically strong random number.

  • Choose an appropriate key size. The recommended key lengths are as follows:

    • For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters).

    • For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters).

    • For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters).

The following code shows how to generate random key values. Compile the code to create a console application, and then pass the required key size as a command line argument expressed as the desired number of hexadecimal characters. Each byte is represented by two hexadecimal characters; therefore, to request a 32-byte key, pass 64 as a command line argument. If you do not specify an argument, the code returns a 128 hexadecimal character (64-byte) key.

C# Example

codeCopy

using System; using System.Text; using System.Security; using System.Security.Cryptography; class App { static void Main(string[] argv) { int len = 128; if (argv.Length > 0) len = int.Parse(argv[0]); byte[] buff = new byte[len/2]; RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); rng.GetBytes(buff); StringBuilder sb = new StringBuilder(len); for (int i=0; i<buff.Length; i++) sb.Append(string.Format("{0:X2}", buff[i])); Console.WriteLine(sb); } }


Please refer to the following article from Microsoft for more details:

How To: Configure MachineKey in ASP.NET 2.0