If none of these servers are in a domain, but we have full control over the logins and credentials, are there any good options for connecting two SQL Server 2008 instances via Service Broker?

We are considering using this technology for enterprise-wide data consolidation, but our servers run at client sites and are not configured as members of any domain. We are looking for the most painless option for getting Service Broker to communicate in this environment.

1 Answer

You use certificates, which is the Service Broker authentication option designed specifically for scenarios like yours. See How certificate-based authentication works. When the endpoints are configured with certificate-based authentication, the handshake contains an SSPI Schannel-based authentication exchange (commonly known as SSL or TLS). The certificates generated and used by the peers are used to authorize the connection based on trust derived from the certificate deployment. This means that the certificate used is not validated against specific attributes, as in the case of 'https://example.com', where 'example.com' must have a specific OID on the certificate and be signed by a trusted authority; instead, if the certificate is deployed (i.e. found in the master database), then the owner of the deployed certificate is the identity. This lets you use self-signed certificates in a secure manner, with the root of trust in the deployment (i.e. the sysadmin) rather than in an authority (i.e. Verisign). This is probably more information than you need :)

The gist of it is this:

-------------------------------------
-- connect to server
-------------------------------------
use master;
go
-- the database master key protects the private key of the certificate
create master key encryption by password = '...';
create certificate [<servername>]
  with subject = '<servername>'
  , start_date = '20100216'
  , expiry_date = '20150216';

-- the endpoint authenticates itself to peers with this certificate;
-- transport encryption is REQUIRED by default, leave it that way
create endpoint broker 
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<servername>]);

-- Export the public key to disk (no WITH PRIVATE KEY clause:
-- the private key never leaves this instance)
backup certificate [<servername>]
to file = '\\someshare\<servername>.cer';

--------------------------------
-- connect to client
--------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<clientname>]
  with subject = '<clientname>'
  , start_date = '20100216'
  , expiry_date = '20150216';

create endpoint broker 
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<clientname>]);

-- Export the public key to disk (public part only)
backup certificate [<clientname>]
to file = '\\someshare\<clientname>.cer';

--create an identity for server and import the server's certificate:
-- the login exists only so that CONNECT on the endpoint can be granted;
-- it is disabled, so it can never be used to log in and its password is irrelevant
create login [<servername>] with password = '...';
alter login [<servername>] disable;
create user [<servername>];

-- the owner of the imported public certificate becomes the peer's identity
create certificate [<servername>]
  authorization [<servername>]
  from file = '\\someshare\<servername>.cer';

--authorize <servername> to connect on the broker endpoint 
grant connect on endpoint::broker to [<servername>];

---------------------------------------
-- connect to the server
---------------------------------------

--create an identity for client and import the client's certificate:
-- same pattern: disabled login + user that owns the client's public certificate
create login [<clientname>] with password = '...';
alter login [<clientname>] disable;
create user [<clientname>];

create certificate [<clientname>]
  authorization [<clientname>]
  from file = '\\someshare\<clientname>.cer';

--authorize <clientname> to connect on the broker endpoint 
grant connect on endpoint::broker to [<clientname>];
answered 2010-02-16T18:11:52.907
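Added verification script, not part of the answer above: once the script in the answer has been run on both instances, these queries confirm on each side that the transport-level trust is actually in the state the answer describes. It assumes the endpoint name `broker` and the placeholder `<peername>` for the other instance's certificate/login (`<servername>` on the client, `<clientname>` on the server); the sample expiry threshold of 30 days is an arbitrary choice. The answer covers transport authentication only; for messages to be delivered you still need a route in the sending database, and the last query is where undelivered messages (and the transport error that blocks them) show up.

```sql
use master;
go

-- 1. The Service Broker endpoint: started, TCP port as configured,
--    certificate authentication, encryption still REQUIRED, bound to
--    the local certificate. Anything other than CERTIFICATE / 1 here
--    means the endpoint was created or altered differently.
select sbe.name,
       sbe.state_desc,                  -- expect STARTED
       te.port,                         -- expect 4022
       sbe.connection_auth_desc,        -- expect CERTIFICATE
       sbe.encryption_algorithm_desc,
       sbe.is_encryption_required,      -- expect 1
       c.name as endpoint_certificate   -- expect the local certificate
from sys.service_broker_endpoints sbe
join sys.tcp_endpoints te on te.endpoint_id = sbe.endpoint_id
left join sys.certificates c on c.certificate_id = sbe.certificate_id
where sbe.name = 'broker';

-- 2. The peer's certificate in master: public key only (the .cer file
--    carried no private key), owned by the user of the peer's login,
--    and that login is disabled so it cannot be used interactively.
select c.name,
       c.subject,
       c.start_date,
       c.expiry_date,
       c.pvt_key_encryption_type_desc,  -- expect NO_PRIVATE_KEY
       dp.name       as owner_user,     -- expect <peername>
       sp.name       as mapped_login,   -- expect <peername>
       sp.is_disabled                   -- expect 1
from sys.certificates c
join sys.database_principals dp on dp.principal_id = c.principal_id
left join sys.server_principals sp on sp.sid = dp.sid
where c.name = '<peername>';

-- 3. Who may connect to the endpoint: only the peer login(s) should
--    appear here with GRANT. A stray GRANT to [public] or to an
--    enabled login widens who can talk to your broker.
select sp.name as grantee,
       sp.is_disabled,
       p.permission_name,               -- expect CONNECT
       p.state_desc                     -- expect GRANT
from sys.server_permissions p
join sys.server_principals sp on sp.principal_id = p.grantee_principal_id
join sys.endpoints e on e.endpoint_id = p.major_id
where p.class_desc = 'ENDPOINT'
  and e.name = 'broker';

-- 4. Certificates nearing expiry. The answer's certificates were given a
--    fixed five-year lifetime; an expired endpoint or peer certificate
--    silently breaks the handshake, so check both sides ahead of time.
select name, subject, expiry_date
from sys.certificates
where expiry_date < dateadd(day, 30, getdate())   -- 30 days is an assumed threshold
order by expiry_date;

-- 5. Run in the database that sends messages (not master): anything that
--    stays here with a non-empty transmission_status was not accepted by
--    the peer, and the status text names the transport or routing error.
-- use <your_sending_database>;
select conversation_handle,
       to_service_name,
       to_broker_instance,
       enqueue_time,
       transmission_status
from sys.transmission_queue
order by enqueue_time;
```

Run queries 1 to 4 on both instances, swapping `<peername>` for the other side's name each time; only the last query is per-database and belongs on the side that initiates conversations.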