Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
SQL Server Developer Center
Click to Rate and Give Feedback
MSDN
MSDN Library
SQL Server
SQL Server 2008
Service Broker
Security: How To
 How to: Allow Service Broker Networ...
Community Content
In this section
Statistics Annotations (0)
Collapse All/Expand All Collapse All
Other versions are also available for the following:
SQL Server 2008 Books Online (October 2009)
How to: Allow Service Broker Network Access by Using Certificates (Transact-SQL)

To allow another instance to send messages using certificate-based Service Broker transport security, you create a user for the other instance and install the certificate for the other instance.

 To permit access from another instance using certificates

  1. Obtain the certificate for the other instance from a trusted source. Typically, this involves sending the certificate using encrypted e-mail or transferring the certificate on physical media such as a floppy disk.

    ms166077.security(en-us,SQL.100).gifSecurity Note:
    Only install certificates from trusted sources.

  2. Create a login.

  3. Create a user for the login in the master database.

  4. Install the certificate for the other instance in the master database. The user created in step 3 owns the certificate.

  5. Grant the login CONNECT access to the Service Broker endpoint.

  6. Dump the certificate that is used for Service Broker transport security in the local instance.

    ms166077.security(en-us,SQL.100).gifSecurity Note:
    Only dump the certificate used for transport security. Do not dump or distribute the private key associated with the certificate.

  7. Provide the certificate to the administrator of the other database. The administrator of the remote database installs this certificate using steps 1-4 above.

Once access is configured in each instance, then communications between the two instances use Service Broker transport security when the endpoints for both instances are configured to allow transport security.
 Example 
USE master ;
GO

-- Create a login for the remote instance.

CREATE LOGIN RemoteInstanceLogin
    WITH PASSWORD = '#gh!3A%!1@f' ;
GO

-- Create a user for the login in the master database.

CREATE USER RemoteInstanceUser
    FOR LOGIN RemoteInstanceLogin ;
GO

-- Load the certificate from the file system. Notice that
-- the login owns the certificate.

CREATE CERTIFICATE RemoteInstanceCertificate
    AUTHORIZATION RemoteInstanceUser
    FROM FILE='C:\Certificates\AceBikeComponentsCertificate.cer' ;
GO
GRANT CONNECT ON ENDPOINT::ThisInstanceEndpoint to RemoteInstanceLogin ;
GO
-- Write the certificate from this instance
-- to the file system. This command assumes
-- that the certificate used by the Service Broker
-- endpoint is named TransportSecurity.

BACKUP CERTIFICATE TransportSecurity
    TO FILE = 'C:\Certificates\ThisInstanceCertificate.cer' ;
GO
 See Also

Tasks

How to: Create Certificates for Service Broker Transport Security (Transact-SQL)

Other Resources

CREATE CERTIFICATE (Transact-SQL)
CREATE LOGIN (Transact-SQL)
CREATE USER (Transact-SQL)
BACKUP CERTIFICATE (Transact-SQL)

Help and Information

Getting SQL Server 2008 Assistance
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement | Site Feedback
Page view tracker