Configuring WCF ports in BTDF deployment


Currently for configuring WCF ports in BizTalk, I am giving username and password in the PortBindingsMaster file which anyone can see. This is a major security hole. I want to keep my username and password encrypted and also at the time of BTDF deployment, it should configure respective WCF ports with the respective username and password.

My current configuration for the CustomProps of one of the WCF ports is given below:

     <CustomProps>
       <OrderedProcessing vt="11">0</OrderedProcessing>
       <BindingConfiguration vt="8">
         <binding name="oracleDBBinding" pollWhileDataFound="true"/>
       </BindingConfiguration>
       <InboundBodyPathExpression vt="8" />
       <OutboundBodyLocation vt="8">UseBodyElement</OutboundBodyLocation>
       <AffiliateApplicationName vt="8" />
       <BindingType vt="8">oracleDBBinding</BindingType>
       <DisableLocationOnFailure vt="11">0</DisableLocationOnFailure>
       <InboundBodyLocation vt="8">UseBodyElement</InboundBodyLocation>
       <OutboundXmlTemplate vt="8">
         <bts-msg-body xmlns="http://www.microsoft.com/schemas/bts2007" encoding="xml" />
       </OutboundXmlTemplate>
       <IncludeExceptionDetailInFaults vt="11">0</IncludeExceptionDetailInFaults>
       <InboundNodeEncoding vt="8">Xml</InboundNodeEncoding>
       <CredentialType vt="8">UserAccount</CredentialType>
       <UserName vt="8">Adminxyz</UserName>
       <Password vt="8">angf123#%</Password>
       <SuspendMessageOnFailure vt="11">0</SuspendMessageOnFailure>
     </CustomProps>

As you can see, I am providing username and password in the PortBindingsMaster file. I don't want to add this in the PortBindingsMaster file. Any help will be appreciated.

Note: I have one more constraint: I can't even add the username and password to my environment settings file.


There are 2 answers

0
Dijkgraaf On

Another option is also to use SSO, but to use the SSO Affiliate settings on the port if the adapter has it. See the answer I made for How can I set SB-Messaging adapter credentials securely?

With this approach you store the credentials in SSO as an Affiliate application and map the BizTalk credentials to your target credentials. You also need to create an SSO Ticket, but that can easily be done via the BRE Pipeline Framework.

One of the advantages to this approach is that you only have to create and set the credentials once per environment, and they persist even when you un-deploy and re-deploy using BTDF.

0
zurebe-pieter On

For one particular client I have written a WCF extension (MessageInspector), which retrieved the username and password from SSO and inserted them into the request.

This will tell you more about WCF message inspectors: https://msdn.microsoft.com/en-us/library/aa717047(v=vs.110).aspx

This is exactly what you need to store/retrieve data from SSO: https://seroter.wordpress.com/2007/09/21/biztalk-sso-configuration-data-storage-tool/

What you need to do is store the values in SSO using the tool. Your message inspector will then retrieve them and put them into the request before sending it out. They will not even show up in the BizTalk tracking, since they only get added after tracking! (This was a requirement for me as well back then.)

These can be different on each environment you need to deploy on. It also offers the possibility for administrators to roll/change passwords without you having to configure or change anything in your bindings!
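
Once the credentials live in SSO as both answers describe, the bindings file should carry no `Password` value at all. The following check is an added example, not code from the question or either answer: it flags any non-empty `Password` under `CustomProps`, whether the block appears as real elements (as in the question) or as escaped XML text inside another element. The sample document, its placeholder values and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

SECRET_PROPS = {"Password"}  # property name taken from the CustomProps on this page

def _scan(root, where):
    """Yield (where, property) for each non-empty secret property under root."""
    for props in root.iter("CustomProps"):  # iter() also matches root itself
        for child in props:
            if child.tag in SECRET_PROPS and (child.text or "").strip():
                yield (where, child.tag)

def find_plaintext_secrets(bindings_xml):
    """Return findings for a bindings document passed in as a string."""
    root = ET.fromstring(bindings_xml)
    findings = list(_scan(root, "inline"))
    # CustomProps may also be stored as escaped XML text inside an element.
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text.startswith("<CustomProps"):
            try:
                inner = ET.fromstring(text)
            except ET.ParseError:
                continue  # not well-formed once unescaped; skipped here
            findings.extend(_scan(inner, f"escaped in <{elem.tag}>"))
    return findings

# Constructed sample: one inline secret, one escaped secret, one clean port.
SAMPLE = """<ReceiveLocations>
  <ReceiveLocation Name="inline">
    <CustomProps>
      <CredentialType vt="8">UserAccount</CredentialType>
      <UserName vt="8">example-user</UserName>
      <Password vt="8">example-only</Password>
    </CustomProps>
  </ReceiveLocation>
  <ReceiveLocation Name="escaped">
    <ReceiveLocationTransportTypeData>&lt;CustomProps&gt;&lt;Password vt="8"&gt;example-only&lt;/Password&gt;&lt;/CustomProps&gt;</ReceiveLocationTransportTypeData>
  </ReceiveLocation>
  <ReceiveLocation Name="clean">
    <CustomProps><Password vt="8" /></CustomProps>
  </ReceiveLocation>
</ReceiveLocations>"""

if __name__ == "__main__":
    # With file arguments, scan each file; otherwise scan the built-in sample.
    docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    hits = [hit for doc in docs for hit in find_plaintext_secrets(doc)]
    for where, prop in hits:
        print(f"plaintext {prop} found ({where})")
    sys.exit(1 if hits else 0)
```

Run against the bindings files in a build or pre-commit step, a non-zero exit code means a credential is still stored in plain text.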