Monday, 06 February 2012 08:49

The Master Secret Key: the (forgotten) soul of BizTalk Environments


First of all, keep this in mind: "If for any reason your BizTalk Environment has to be restored, or there is a massive change that messed up your SSO and you do not have a backup of the Master Secret Key you will have a problem."

So why this warning?

Even if you do not use the Enterprise Single Sign-On (SSO) functionality for mapping credentials and single sign-on, Enterprise SSO is a critical part of the overall Microsoft BizTalk Server infrastructure, because BizTalk Server uses SSO to help secure information for port configuration.
The port configuration data is encrypted and stored in the SSO database. Each BizTalk server runs an SSO service (ENTSSO.exe) that encrypts and decrypts the port configuration data. When an SSO service starts up, it retrieves the encryption key from the master secret server. This encryption key is called the master secret.

The master secret server is another SSO service that has an additional subservice that maintains and distributes the master secret. After a master secret is retrieved, the SSO service caches it. Every 60 seconds, the SSO service synchronizes the master secret with the master secret server. If the master secret server fails, and the SSO service detects the failure in one of its refresh intervals, the SSO service and all run-time operations that were running before the server failed, including decryption of credentials, continue successfully.

However, until the master secret server is back, you cannot encrypt new credentials or port configuration data. The BizTalk Server environment therefore depends on the availability of the master secret server.
For that reason it is important that both the Master Secret Server and the SSO database are highly available.

Given all of this, please refer to the links below so that you do not run into problems:

How to Back Up the Master Secret:
BizTalk 2006 R2: http://msdn.microsoft.com/en-us/library/cc982773%28v=bts.10%29.aspx
BizTalk 2009: http://msdn.microsoft.com/en-us/library/aa559192%28v=bts.10%29.aspx
BizTalk 2010: http://msdn.microsoft.com/en-us/library/aa559192.aspx


How to Restore the Master Secret Server:
BizTalk 2006 R2: http://msdn.microsoft.com/en-us/library/cc296749%28v=bts.10%29.aspx
BizTalk 2009: http://msdn.microsoft.com/en-us/library/aa560589%28v=bts.10%29.aspx
BizTalk 2010: http://msdn.microsoft.com/en-us/library/aa560589.aspx
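As an added illustration that is not part of the original post, the PowerShell script below shows how the backup step from the links above can be scripted on the master secret server. It assumes the default Enterprise SSO installation directory under Common Files, an assumed destination folder D:\SSOBackup, and that it is run from an interactive console, because ssoconfig.exe prompts for the backup password and a password reminder. The hash file and the NTFS ACL are my own additions for protecting the copies you keep elsewhere; they are not part of the Microsoft procedure.

```powershell
# Added example: back up the BizTalk master secret with ssoconfig.exe, record a
# SHA-256 of the backup so offline copies can be checked later, and restrict the
# file to Administrators. Paths marked as assumptions may differ on your farm.

$ssoDir    = Join-Path ${env:CommonProgramFiles} 'Enterprise Single Sign-On'  # default install dir (assumption)
$ssoConfig = Join-Path $ssoDir 'ssoconfig.exe'
$backupDir = 'D:\SSOBackup'                                                   # assumed destination folder
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup    = Join-Path $backupDir "SSO-MasterSecret-$stamp.bak"

if (-not (Test-Path $ssoConfig)) { throw "ssoconfig.exe not found at $ssoConfig" }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Show the current SSO status (including master secret server details) so the
# operator can confirm this is the right machine before taking the backup.
& $ssoConfig -status

# ssoconfig prompts for the backup password and a reminder; this is the
# password the post's last section tells you never to lose.
& $ssoConfig -backupSecret $backup
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -backupSecret failed with exit code $LASTEXITCODE" }

# Record a SHA-256 of the backup next to it so a copy on removable media or a
# file share can be verified against the original before a restore.
$hash = (Get-FileHash -Path $backup -Algorithm SHA256).Hash
"$hash  $(Split-Path $backup -Leaf)" | Out-File -FilePath "$backup.sha256" -Encoding ascii

# Replace inherited permissions with an explicit Administrators-only ACL.
$acl = Get-Acl -Path $backup
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $backup -AclObject $acl

Write-Host "Master secret backed up to $backup (SHA-256 $hash)"
```

On a new master secret server the counterpart is `ssoconfig -restoreSecret <backup file>`, which prompts for the same password that was entered at backup time; comparing the file's SHA-256 with the recorded value first tells you the copy you are about to restore from is the one you actually took.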

If you are running a highly available infrastructure, the next important thing to do is to cluster the Master Secret Server:

How to Cluster the Master Secret Server:
BizTalk 2006 R2: http://technet.microsoft.com/en-us/library/aa561823%28BTS.20%29.aspx
BizTalk 2009: http://msdn.microsoft.com/en-us/library/dd897477%28v=bts.10%29.aspx
BizTalk 2010: http://msdn.microsoft.com/en-us/library/aa561823.aspx

The final question is: what about the password of the master secret?
Two recommendations. First, keep a backup of the master secret in a safe place!! Leave a copy on removable media, on an NFS share, on the hard disks of your farm servers... wherever you can think of!!
Make sure it's safe!!
The second recommendation concerns the password. Never write the password down: keep it in your head, share it with other members of your team, or store it in an encrypted password manager, but never lose it!!! You will need it to restore the master secret server!!!!

Last modified on Monday, 06 February 2012 08:52
Miguel Angel Castaño

Miguel Angel Castaño is a BizTalk Server Administrator at AGS-ALPAMA. He manages pre-production and production environments with BizTalk Server 2004 and BizTalk Server 2006 servers, working with several applications, one of which uses the SWIFT Adapter. During the previous four years he was a Unix administrator at the Ya.Com Internet Factory. He is currently finishing his studies in Business Management.


4 comments

  • Steef-Jan Wiggers, Monday, 06 February 2012 19:01

    Great post. I have included a link to your post in the TechNet Wiki article BizTalk Server 2010: Enterprise SSO Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/6904.biztalk-server-2010-enterprise-sso-survival-guide.aspx

  • Howard S. Edidin, Saturday, 11 February 2012 21:52

    Nice post. I always recommend that you give a copy of the Secret Password to a corporate officer to lock in their safe.

    If the BTS Admin ever leaves the company, the new BTS Admin will be able to restore.

  • ontgooglen, Monday, 29 April 2013 12:48

    You're so cool! I don't think I've truly read something like this before. So wonderful to discover someone with some genuine thoughts on this issue. Really.. thanks for starting this up. This web site is one thing that is needed on the web, someone with a bit of originality!
