• Article

How to: Allow Service Broker Network Access by Using Certificates (Transact-SQL)

To allow another instance to send messages using certificate-based Service Broker transport security, you create a user for the other instance and install the certificate for the other instance.

To permit access from another instance using certificates

  1. Obtain the certificate for the other instance from a trusted source. Typically, this involves sending the certificate using encrypted e-mail or transferring the certificate on physical media such as a floppy disk.

    Security noteSecurity Note

    Only install certificates from trusted sources.

  2. Create a login.

  3. Create a user for the login in the master database.

  4. Install the certificate for the other instance in the master database. The user created in step 3 owns the certificate.

  5. Grant the login CONNECT access to the Service Broker endpoint.

  6. Dump the certificate that is used for Service Broker transport security in the local instance.

    Security noteSecurity Note

    Only dump the certificate used for transport security. Do not dump or distribute the private key associated with the certificate.

  7. Provide the certificate to the administrator of the other database. The administrator of the remote database installs this certificate using steps 1-4 above.

Once access is configured in each instance, then communications between the two instances use Service Broker transport security when the endpoints for both instances are configured to allow transport security.

Example

USE master ;
GO

-- Create a login for the remote instance.

CREATE LOGIN RemoteInstanceLogin
    WITH PASSWORD = '#gh!3A%!1@f' ;
GO

-- Create a user for the login in the master database.

CREATE USER RemoteInstanceUser
    FOR LOGIN RemoteInstanceLogin ;
GO

-- Load the certificate from the file system. Notice that
-- the login owns the certificate.

CREATE CERTIFICATE RemoteInstanceCertificate
    AUTHORIZATION RemoteInstanceUser
    FROM FILE='C:\Certificates\AceBikeComponentsCertificate.cer' ;
GO
GRANT CONNECT ON ENDPOINT::ThisInstanceEndpoint to RemoteInstanceLogin ;
GO
-- Write the certificate from this instance
-- to the file system. This command assumes
-- that the certificate used by the Service Broker
-- endpoint is named TransportSecurity.

BACKUP CERTIFICATE TransportSecurity
    TO FILE = 'C:\Certificates\ThisInstanceCertificate.cer' ;
GO