If none of these servers are in a domain, but we have full control over the logins and credentials, are there any good options for connecting two SQL Server 2008 instances via Service Broker?
We are considering this technology for enterprise-wide data consolidation, but our servers run on client sites and are not configured as members of any domain. We are looking for the least painful option for getting Service Broker to communicate in this environment.
You use certificates; this is the Service Broker authentication option designed specifically for scenarios like yours. See "How certificate-based authentication works". When an endpoint is configured for certificate-based authentication, the handshake includes an SSPI Schannel-based authentication exchange (commonly known as SSL or TLS). The certificates the peers generate are used to authorize the connection based on trust derived from the certificate deployment. This means the certificate in use is not validated for specific attributes, as in the case of 'https://example.com', where 'example.com' must have a specific OID on the certificate and be signed by a trusted authority; instead, if the certificate is deployed (i.e. found in the master database), the owner of the deployed certificate is the identity. This lets you use self-signed certificates in a secure way, with the root of trust in the deployment (i.e. the sysadmin) rather than in an authority (i.e. Verisign). This may be more information than you need :)
The gist of it is this:
-------------------------------------
-- connect to server
-------------------------------------
use master;
go
-- The database master key protects the private key of the certificate created below
create master key encryption by password = '...';
-- Self-signed certificate that identifies this instance to its peer
create certificate [<servername>]
with subject = '<servername>'
, start_date = '20100216'
, expiry_date = '20150216';
-- Endpoint authenticates with the certificate above (private key stays on this instance)
create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<servername>]);
-- Export the public key to disk (no private key is written without a WITH PRIVATE KEY clause)
backup certificate [<servername>]
to file = '\\someshare\<servername>.cer';
--------------------------------
-- connect to client
--------------------------------
use master;
go
create master key encryption by password = '...';
create certificate [<clientname>]
with subject = '<clientname>'
, start_date = '20100216'
, expiry_date = '20150216';
create endpoint broker
state = started
as tcp (listener_port = 4022)
for service_broker (authentication = certificate [<clientname>]);
-- Export the public key to disk
backup certificate [<clientname>]
to file = '\\someshare\<clientname>.cer';
--create an identity for server and import the server's certificate:
create login [<servername>] with password = '...';
-- The login only carries the identity; disable it so nobody can log in with it
alter login [<servername>] disable;
-- User in master mapped to that login, to own the imported certificate
create user [<servername>];
-- Import the server's public key; the owner of this certificate is the peer's identity
create certificate [<servername>]
authorization [<servername>]
from file = '\\someshare\<servername>.cer';
--authorize <servername> to connect on the broker endpoint
grant connect on endpoint::broker to [<servername>];
---------------------------------------
-- connect to the server
---------------------------------------
--create an identity for client and import the client's certificate:
create login [<clientname>] with password = '...';
alter login [<clientname>] disable;
create user [<clientname>];
create certificate [<clientname>]
authorization [<clientname>]
from file = '\\someshare\<clientname>.cer';
--authorize <clientname> to connect on the broker endpoint
grant connect on endpoint::broker to [<clientname>];
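As an added verification script that is not part of the answer above: once both instances have run the setup script, these queries, run in master on either side, confirm that the endpoint is in certificate mode and bound to a certificate with a private key, that the imported peer certificate has no private key and is owned by a disabled login holding CONNECT on the endpoint, and which certificate and principal a live connection actually authenticated with. The endpoint name broker is taken from the script; <peername> stands for whichever login/certificate name was imported for the other side.

```sql
-- Added verification queries (not from the original answer); run in master
-- on each instance after the setup script. Replace <peername> with the
-- login/certificate name imported for the other side.
use master;
go

-- 1. Endpoint: STARTED, auth mode CERTIFICATE, bound to a local certificate
--    that still has its private key, listening on the expected port.
select e.name, e.state_desc, e.connection_auth_desc, e.encryption_algorithm_desc,
       t.port, c.name as local_certificate,
       c.pvt_key_encryption_type_desc,  -- expect ENCRYPTED_BY_MASTER_KEY
       c.expiry_date
from sys.service_broker_endpoints as e
join sys.tcp_endpoints as t on t.endpoint_id = e.endpoint_id
left join sys.certificates as c on c.certificate_id = e.certificate_id
where e.name = 'broker';

-- 2. Peer identity: the imported public-key certificate must carry no private
--    key and be owned by a master user mapped to a disabled login.
select c.name as peer_certificate, c.subject, c.thumbprint, c.expiry_date,
       c.pvt_key_encryption_type_desc,  -- expect NO_PRIVATE_KEY
       u.name as owner_user, l.name as owner_login,
       l.is_disabled                    -- expect 1
from sys.certificates as c
join sys.database_principals as u on u.principal_id = c.principal_id
left join sys.server_principals as l on l.sid = u.sid
where c.name = '<peername>';

-- 3. Authorization: the peer login must hold CONNECT on the broker endpoint.
select p.name as grantee, sp.permission_name, sp.state_desc  -- expect CONNECT / GRANT
from sys.server_permissions as sp
join sys.server_principals as p on p.principal_id = sp.grantee_principal_id
join sys.service_broker_endpoints as e on e.endpoint_id = sp.major_id
where sp.class_desc = 'ENDPOINT'
  and e.name = 'broker'
  and p.name = '<peername>';

-- 4. Live connections: which certificate the remote side presented and the
--    local principal it was mapped to. A NULL peer_certificate means the
--    connection did not authenticate with a certificate we know about.
select bc.state_desc, bc.login_time, bc.last_activity_time,
       bc.encryption_algorithm_desc, bc.remote_user_name,
       c.name as peer_certificate, p.name as mapped_principal
from sys.dm_broker_connections as bc
left join sys.certificates as c on c.certificate_id = bc.peer_certificate_id
left join sys.server_principals as p on p.principal_id = bc.principal_id;
```

Query 2 is the one worth re-running after any certificate rotation: if the peer's new public key was imported under a different name, or the old certificate expired, the endpoint handshake fails silently and messages pile up in sys.transmission_queue, so checking the owner and expiry_date here is faster than reading the transport errors.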