SQL Server Service Broker - communication between non-domain servers over a VPN

Time: 2010-02-16 16:03:16

Tags: sql-server sql-server-2008 dns service-broker

If none of these servers are in a domain, but we have full control over logins and credentials, is there a good option for connecting two SQL Server 2008 instances via Service Broker?

We are considering this technology for enterprise-level data consolidation, but our servers run at client sites and are not configured as members of any domain. We are looking for the least painful option for getting Service Broker to communicate in this environment.

1 answer:

Answer 0: (score: 2)

You use certificates, which is the Service Broker authentication option designed specifically for your scenario. See How does Certificate based Authentication work. When the endpoints are configured with certificate-based authentication, the handshake contains an authentication exchange based on SSPI Schannel (better known as SSL or TLS). The resulting certificates used by the peers are used to authorize the connection based on trust derived from certificate deployment. This means the certificates used are not validated against a specific attribute, as in the 'https://example.com' case where 'example.com' has to be on the certificate with a specific OID and signed by a trusted Authority; instead, if the certificate is deployed (i.e. found in the master database), then the owner of the deployed certificate is the identity. This allows you to use self-signed certificates in a secure fashion, with the deployment (i.e. the sysadmin) as the root of trust instead of an Authority (i.e. Verisign). This is probably more information than you needed :)

The gist of it is this:

-------------------------------------
-- connect to server
-------------------------------------
use master;
go
-- the database master key protects the private key of the certificate created below
create master key encryption by password = '...';
create certificate [<servername>]
  with subject = '<servername>'
  , start_date = '20100216'
  , expiry_date = '20150216';

-- listen on TCP 4022 and accept only peers that authenticate with a certificate
create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<servername>]);

-- Export the public key to disk
backup certificate [<servername>]
to file = '\\someshare\<servername>.cer';

--------------------------------
-- connect to client
--------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<clientname>]
  with subject = '<clientname>'
  , start_date = '20100216'
  , expiry_date = '20150216';

-- listen on TCP 4022 and accept only peers that authenticate with a certificate
create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<clientname>]);

-- Export the public key to disk
backup certificate [<clientname>]
to file = '\\someshare\<clientname>.cer';

--create an identity for server and import the server's certificate:
-- the login only carries the identity; it is disabled so the password can never be used to log in
create login [<servername>] with password = '...';
alter login [<servername>] disable;
-- maps to the login of the same name in master
create user [<servername>];

-- public key only: a peer proving possession of this certificate's private key is authenticated as [<servername>]
create certificate [<servername>]
  authorization [<servername>]
  from file = '\\someshare\<servername>.cer';

--authorize <servername> to connect on the broker endpoint 
grant connect on endpoint::broker to [<servername>];

---------------------------------------
-- connect to the server
---------------------------------------

--create an identity for client and import the client's certificate:
-- the login only carries the identity; it is disabled so the password can never be used to log in
create login [<clientname>] with password = '...';
alter login [<clientname>] disable;
-- maps to the login of the same name in master
create user [<clientname>];

-- public key only: a peer proving possession of this certificate's private key is authenticated as [<clientname>]
create certificate [<clientname>]
  authorization [<clientname>]
  from file = '\\someshare\<clientname>.cer';

--authorize <clientname> to connect on the broker endpoint 
grant connect on endpoint::broker to [<clientname>];
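To confirm on either side that the trust mapping came out the way the script above intends, the following added check (not part of the answer) reads the catalog views in master. It assumes the endpoint is named broker as above and that peer certificates were imported without a private key; both the endpoint name and the `##%` system-certificate filter are assumptions.

```sql
use master;
go
-- 1. The local endpoint: expect STARTED, CERTIFICATE-only authentication, and an
--    endpoint certificate (the one with the private key) that is not about to expire.
select e.name, e.state_desc, e.connection_auth_desc, e.encryption_algorithm_desc,
       t.port, c.name as endpoint_certificate, c.expiry_date
from sys.service_broker_endpoints e
join sys.tcp_endpoints t on t.endpoint_id = e.endpoint_id
left join sys.certificates c on c.certificate_id = e.certificate_id
where e.name = 'broker';            -- assumed endpoint name, as in the script above

-- 2. Each imported peer certificate (public key only) must be owned by a user whose
--    login is disabled and holds CONNECT on the broker endpoint. A certificate owned
--    by dbo (forgotten AUTHORIZATION) or a missing grant shows up here as a finding.
select c.name as peer_certificate, c.subject, c.expiry_date,
       case when c.expiry_date < getdate() then 'EXPIRED' else 'valid' end as expiry_state,
       dp.name as owner_user,
       sp.name as mapped_login,
       sp.is_disabled,
       isnull(p.state_desc + ' ' + p.permission_name, 'NO CONNECT GRANT') as endpoint_permission
from sys.certificates c
join sys.database_principals dp on dp.principal_id = c.principal_id
left join sys.server_principals sp on sp.sid = dp.sid
left join sys.service_broker_endpoints e on e.name = 'broker'
left join sys.server_permissions p
  on p.class_desc = 'ENDPOINT'
 and p.major_id = e.endpoint_id
 and p.grantee_principal_id = sp.principal_id
 and p.permission_name = 'CONNECT'
where c.pvt_key_encryption_type_desc = 'NO_PRIVATE_KEY'   -- imported peer certificates only
  and c.name not like '##%'                              -- skip SQL Server's own certificates
order by c.name;
```

Any row with is_disabled = 0, an owner_user of dbo, or endpoint_permission = 'NO CONNECT GRANT' means a peer identity was not deployed as the script intends.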