SSO Clustering, Backing Up the Master Secret Server and Restoring the Master Secret Server

Clustering SSO Master Secret Server

When you cluster the master secret server, the Single Sign-On servers communicate with the active clustered instance of the master secret server. Similarly, the active clustered instance of the master secret server communicates with the SSO database.

Pre-requisites:

  • You must be an SSO administrator to perform this procedure.
  • The Enterprise Single Sign-On service must be installed on both the active node and the failover node.
  • An unused IP address on the cluster's subnet and an unused NetBIOS name, which become the address and network name of the clustered SSO service.

Warning! If the master secret server crashes and the key is lost, or if the key becomes corrupted, you will not be able to decrypt the adapter configuration and credentials stored in the Credential database. You must back up the master secret key, or you risk losing the data in the credential database.

Create SSO Cluster Group

  1. Open Failover Cluster Management
  2. Right Click “Services and Applications” on left-hand side
  3. Click “Configure a Service or Application”
  4. Click Next
  5. Select Generic Service
  6. Select Enterprise Single Sign-on Service
  7. Enter the service name and a new IP address for the service (an unused address on the cluster's subnet). This name is the cluster network name you will write into the SSO database below.
  8. Click Next on the Select Storage page.
  9. Click Next and Finish the Wizard

Update the master secret server name in the SSO database

  1. Type the following commands from a command prompt on the active cluster node to stop and restart the Enterprise SSO service:
    • net stop entsso
    • net start entsso
  2. Change the master secret server name in the SSO database to the cluster network name (the service name you entered when you created the cluster group, not the name of either node) by following these steps:
    • Paste the following code in a text editor:
      <sso>
      <globalInfo>
      <secretServer>BIZTALKCLUSTER</secretServer>
      </globalInfo>
      </sso>
      Replace BIZTALKCLUSTER with your cluster network name and save the file as an .xml file. For example, save the file as SSOCLUSTER.xml.
    • At a command prompt, change to the Enterprise SSO installation folder. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
    • Type the following command at the command prompt to update the master secret server name in the database:

ssomanage -updatedb SSOCLUSTER.XML

  3. Restore the master secret on the second cluster node:

    • In Failover Cluster Management, right click the clustered service or application that contains the clustered Enterprise Single Sign-On service and then click Bring this service or application online to start all of the resources in the clustered service or application.
    • Right-click the clustered service or application, point to Move this service or application to another node, and click the second node. This step moves the clustered service or application that contains the clustered Enterprise Single Sign-On service from the first node to the second node.
    • Right-click the clustered Enterprise Single Sign-On service and click Take this service or application offline, then right-click the clustered instance of the Enterprise SSO service and click Bring this service or application online.
    • Copy the master secret backup file from the first node to the Enterprise Single Sign-On installation folder on the second node. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
    • Log on to the second node and at a command prompt, change to the Enterprise SSO installation folder.
    • Type the following command from the command prompt to restore the master secret to the second node:
      • ssoconfig -restoresecret RestoreFile

              Note: Replace RestoreFile with the path and name of the backup file that contains the master secret. You will be prompted for the password that was set when the backup was taken.

    • The master secret is stored in the registry at the following location; you can confirm the restore succeeded by checking that this key now exists on the second node:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO\SSOSS

    • Move the clustered service or application that contains the clustered Enterprise Single Sign-On service from this cluster node to the other cluster node to verify failover. Then move the cluster group back to verify failback.
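
The database update in steps 1 and 2, and the failover check in step 3, scripted in PowerShell. This is an added example, not code from the original page or from Microsoft. The cluster group name SSO, the resource name Enterprise Single Sign-On Service, the cluster network name BIZTALKCLUSTER and the node names BTSNODE1 and BTSNODE2 are placeholders; the script checks that the clustered SSO resource is online on the node it runs on before touching the database, and only runs the failover test when asked, because that test is valid only after the master secret has been restored on every node.

```powershell
<#
 Added example (not from the page or Microsoft). Updates the master secret server
 name in the SSO database to the cluster network name, then optionally fails the SSO
 group over to each node and back. Placeholders: group, resource, cluster and node
 names below. Run elevated, as an SSO Administrator, on the active cluster node.
#>
param(
    [string]$ClusterName     = 'BIZTALKCLUSTER',                    # cluster network name
    [string]$SsoGroupName    = 'SSO',                               # assumed group name
    [string]$SsoResourceName = 'Enterprise Single Sign-On Service', # assumed resource name
    [string[]]$Nodes         = @('BTSNODE1', 'BTSNODE2'),           # assumed node names
    [switch]$RunFailoverTest                                        # only after step 3 on all nodes
)
$ErrorActionPreference = 'Stop'
Import-Module FailoverClusters

$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssomanage = Join-Path $ssoDir 'ssomanage.exe'
if (-not (Test-Path $ssomanage)) { throw "ssomanage.exe not found under $ssoDir" }

# ssomanage reaches the SSO database through the local service, so the clustered
# SSO resource must be online and owned by this node.
$resource = Get-ClusterResource -Name $SsoResourceName
if ($resource.State -ne 'Online') {
    throw "$SsoResourceName is not Online (state: $($resource.State))"
}
if ($resource.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the active node $($resource.OwnerNode.Name), not $env:COMPUTERNAME"
}

# Every SSO server will look the master secret server up by this name from now on,
# so refuse to proceed if it does not resolve.
$null = [System.Net.Dns]::GetHostEntry($ClusterName)

# Step 1: restart the SSO service. On a cluster node do it through the cluster so the
# resource monitor does not treat the stop as a failure.
Stop-ClusterResource  -Name $SsoResourceName | Out-Null
Start-ClusterResource -Name $SsoResourceName | Out-Null

# Step 2: write the update file in the shape the page shows (ASCII, no BOM) and
# point the SSO database at the cluster network name.
$updateXml = Join-Path $env:TEMP 'SSOCLUSTER.xml'
@"
<sso>
  <globalInfo>
    <secretServer>$ClusterName</secretServer>
  </globalInfo>
</sso>
"@ | Set-Content -Path $updateXml -Encoding ASCII

& $ssomanage -updatedb $updateXml
if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed with exit code $LASTEXITCODE" }
Remove-Item $updateXml

# Print the database settings so the operator can confirm the new secret server name
# (assumption: -showdb lists the master secret server among the settings it prints).
& $ssomanage -showdb

# Step 3, last bullet: move the group to every other node and back, checking that the
# SSO resource comes Online on each hop. Needs the secret restored on every node first.
function Test-SsoFailover {
    $start = (Get-ClusterGroup -Name $SsoGroupName).OwnerNode.Name
    $hops  = @($Nodes | Where-Object { $_ -ne $start }) + $start   # others first, then home
    foreach ($node in $hops) {
        Move-ClusterGroup -Name $SsoGroupName -Node $node | Out-Null
        $r = Get-ClusterResource -Name $SsoResourceName
        if ($r.State -ne 'Online' -or $r.OwnerNode.Name -ne $node) {
            throw "SSO resource is $($r.State) on $($r.OwnerNode.Name); expected Online on $node"
        }
        Write-Host "SSO group online on $node"
    }
}
if ($RunFailoverTest) { Test-SsoFailover }
```

Run it once without the switch on the active node to update the database, restore the secret on the second node, then run it again with -RunFailoverTest to exercise failover and failback. If the group fails to come online on a node, the most common cause is a missing or mismatched master secret on that node.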

Backing Up the SSO Master Secret Key

You can back up the master secret key from the master secret server onto an NTFS file system or removable media, such as a floppy disk.

You must be a Single Sign-On Administrator to perform this task. The backup command prompts for a password that protects the backup file; you must supply the same password when you later restore the secret, so record it separately from the backup file.

Warning: If the master secret server crashes and the key is lost, or if the key becomes corrupted, you will not be able to retrieve the configuration of adapters stored in the Credential database. You must back up the master secret key, or you risk losing data from the credential database.

To back up the master secret key

  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, move to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
  3. At the command prompt, type the following syntax to back up the master secret key:
ssoconfig -backupsecret <backup file>

The path and name of the file where BizTalk backs up the master secret is <drive>:\<backup file name>.bak. For example, a:\ssobackup.bak.

  4. Enter the password, re-enter the password, add a password reminder if you want, and then click OK.
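
The backup procedure above, as an added PowerShell example that is not code from the original page or from Microsoft. Because the .bak file plus its password is the master secret, the script does the part the page leaves to the operator: it restricts the file's ACL, records a SHA-256 hash beside it, and verifies an off-box copy by hash. The backup directory, the share \\BACKUPSRV\ssovault and the group CONTOSO\SSO Administrators are placeholders.

```powershell
<#
 Added example (not from the page or Microsoft). Backs up the SSO master secret, then
 protects the file. Placeholders: $BackupDir, $VaultShare, $SsoAdminGroup. Run
 elevated, as an SSO Administrator, on the master secret server. ssoconfig asks for the
 password, its confirmation and a reminder interactively; keep them out of scripts.
#>
param(
    [string]$BackupDir     = 'D:\SSOBackup',
    [string]$VaultShare    = '\\BACKUPSRV\ssovault',         # assumed restricted share
    [string]$SsoAdminGroup = 'CONTOSO\SSO Administrators'    # assumed group name
)
$ErrorActionPreference = 'Stop'
$ssoconfig = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On\ssoconfig.exe'
if (-not (Test-Path $ssoconfig)) { throw "ssoconfig.exe not found at $ssoconfig" }
if ((Get-Service ENTSSO).Status -ne 'Running') { throw 'ENTSSO is not running on this node' }

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "ssobackup-$stamp.bak"

# Steps 3 and 4 from the page: ssoconfig prompts for the password twice and a reminder.
& $ssoconfig -backupsecret $backupFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
    throw "ssoconfig -backupsecret failed (exit code $LASTEXITCODE)"
}

# Lock the file down: drop inherited ACEs, leave SYSTEM full control and the SSO
# administrators read-only, so no other local account can copy the file.
& icacls.exe $backupFile /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' "${SsoAdminGroup}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Record a SHA-256 beside the backup so a restore can reject a truncated or altered
# copy before it is fed to ssoconfig -restoresecret.
$hash = (Get-FileHash -Algorithm SHA256 -Path $backupFile).Hash
"$hash  $(Split-Path -Leaf $backupFile)" | Set-Content -Path "$backupFile.sha256" -Encoding ASCII

# Off-box copy (the page allows NTFS or removable media); verify it by hash, not size.
Copy-Item $backupFile, "$backupFile.sha256" -Destination $VaultShare
$copyPath = Join-Path $VaultShare (Split-Path -Leaf $backupFile)
$copyHash = (Get-FileHash -Algorithm SHA256 -Path $copyPath).Hash
if ($copyHash -ne $hash) { throw 'Off-box copy does not match the local backup' }

Write-Host "Master secret backed up to $backupFile (SHA-256 $hash) and copied to $VaultShare"
Write-Host 'Store the backup password in your secrets vault, separately from the .bak file.'
```

The password is deliberately never passed on the command line or stored by the script; the file is useless without it, and keeping the two apart is what makes the off-box copy safe to hold.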

Restoring the Master Secret Server

The Enterprise Single Sign-On master secret is stored in an encrypted registry key on the master secret server in the production site. The master secret should be restored to the disaster recovery site as a normal part of disaster recovery preparations.
Use the following procedure to restore the master secret to a computer running BizTalk Server.

To restore the master secret key

1. On the Start menu, click Run, and then type cmd.
2. At the command prompt, change directories to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
3. Type the following command, and then press ENTER:
ssoconfig -restoresecret <restore file>
Where <restore file> is the path and name of the file where the backed up master secret is located.
Completing these steps copies the backed-up SSO master secret into the correct registry location, so that the only step required during a disaster recovery event is to update the BizTalk group with the name of the disaster recovery master secret server.
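
The restore procedure above, and step 3 of the clustering procedure (restoring the secret on the second cluster node), as one added PowerShell example that is not code from the original page or from Microsoft. It verifies the backup file against a .sha256 sidecar if one is present (an assumption: the sidecar is written by the backup script, not by ssoconfig), runs the restore, checks that the registry key the page names now exists and holds values, and restarts the SSO service. On a cluster node pass -ClusterResourceName (a placeholder) so the service is bounced through the cluster rather than with Restart-Service.

```powershell
<#
 Added example (not from the page or Microsoft). Restores the SSO master secret on this
 node and verifies the result. Assumptions: an optional <file>.sha256 sidecar holds the
 expected hash; -ClusterResourceName is the clustered SSO resource name on a cluster node
 and is omitted on a standalone server. Run elevated, as an SSO Administrator, on the
 target node. ssoconfig prompts for the password chosen at backup time.
#>
param(
    [Parameter(Mandatory = $true)][string]$RestoreFile,
    [string]$ClusterResourceName   # e.g. 'Enterprise Single Sign-On Service' (placeholder)
)
$ErrorActionPreference = 'Stop'
$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssoconfig = Join-Path $ssoDir 'ssoconfig.exe'
$ssomanage = Join-Path $ssoDir 'ssomanage.exe'
$secretKey = 'HKLM:\SOFTWARE\Microsoft\ENTSSO\SSOSS'   # location named on the page

foreach ($exe in $ssoconfig, $ssomanage) { if (-not (Test-Path $exe)) { throw "$exe not found" } }
if (-not (Test-Path $RestoreFile)) { throw "Restore file $RestoreFile not found" }

# Refuse a damaged or altered backup when a hash sidecar is available.
$sidecar = "$RestoreFile.sha256"
if (Test-Path $sidecar) {
    $expected = ((Get-Content -Path $sidecar -First 1) -split '\s+')[0]
    $actual   = (Get-FileHash -Algorithm SHA256 -Path $RestoreFile).Hash
    if ($actual -ne $expected) { throw "SHA-256 mismatch: expected $expected, got $actual" }
}

# The page brings the SSO service online before restoring; keep that order.
if ((Get-Service ENTSSO).Status -ne 'Running') { throw 'ENTSSO is not running on this node' }

$before = @()
if (Test-Path $secretKey) { $before = @((Get-Item $secretKey).Property) }

& $ssoconfig -restoresecret $RestoreFile    # prompts for the backup password
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -restoresecret failed with exit code $LASTEXITCODE" }

# Verify the key the page names exists and is populated after the restore.
if (-not (Test-Path $secretKey)) { throw "$secretKey is missing after restore" }
$after = @((Get-Item $secretKey).Property)
if ($after.Count -eq 0) { throw "$secretKey holds no values after restore" }
Write-Host "Secret key present with $($after.Count) value(s) (had $($before.Count) before restore)"

# Bounce the service so it picks up the restored secret. On a cluster node go through
# the cluster so the resource monitor does not count the stop as a failure.
if ($ClusterResourceName) {
    Import-Module FailoverClusters
    Stop-ClusterResource  -Name $ClusterResourceName | Out-Null
    Start-ClusterResource -Name $ClusterResourceName | Out-Null
} else {
    Restart-Service -Name ENTSSO
}
if ((Get-Service ENTSSO).Status -ne 'Running') { throw 'ENTSSO did not come back after the restore' }

# Confirm the restarted service can reach the SSO database.
& $ssomanage -showdb
if ($LASTEXITCODE -ne 0) { throw 'ssomanage -showdb failed after the restore' }
```

For the clustering case, run this on the second node after moving the group there and bringing the clustered SSO service online, then move the group between nodes to prove failover and failback. For disaster recovery, run it on the DR master secret server as part of preparation, so the only step left during an event is pointing the BizTalk group at that server.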