http://www.databasejournal.com/features/mssql/article.php/3788696/Conducting-Service-Broker-Conversation-Using-Full-Dialog-Security-in-SQL-Server-2005-Express-Service.htm

Back to article

Conducting Service Broker Conversation Using Full Dialog Security in SQL Server 2005 Express Service

December 31, 2008

In the previous installment of our series covering the most relevant features of SQL Server 2005 Express Edition, we started an overview of Service Broker full dialog-level security. As we have pointed out, its primary advantages include the ability to encrypt individual conversations as well as to identify and authorize their participants. In order to make our presentation more palpable, we also decided to demonstrate a sample implementation of such configuration, starting with a couple of preliminary steps including the generation of master keys in databases hosting the initiator and target as well as creation of a designated user representing each of these services through the AUTHORIZATION clause. In this article, we will conclude this subject by describing the remaining prerequisites and a method to invoke a secure dialog.

Each of the newly created users associated with local Service Broker services and their queues also need to be linked to asymmetric key pairs that will identify both parties involved in a conversation and provide a mechanism to exchange symmetric keys used to encrypt messages between them. This association is formed by granting certificate ownership during their creation to both users. The public key of each pair is then backed up to an arbitrary file system location by running the BACKUP CERTIFICATE T-SQL statement: 

-- on srvEnt01
USE dbSBEnt01
GO
CREATE CERTIFICATE cert_dbSBEnt01
 AUTHORIZATION udbSBEnt01
 WITH SUBJECT = 'dbSBEnt01 Certificate'
GO
BACKUP CERTIFICATE cert_dbSBEnt01
 TO FILE = 'C:\Temp\cert_dbSBEnt01.cer'
GO
-- on srvExp01
USE dbSBEnt01
GO
CREATE CERTIFICATE cert_dbSBExp01
 AUTHORIZATION udbSBExp01
 WITH SUBJECT = 'dbSBExp01 Certificate'
GO
BACKUP CERTIFICATE cert_dbSBExp01
 TO FILE = 'C:\Temp\cert_dbSBExp01.cer'
GO

After the public keys (in the form of certificate files) are exchanged between the Service Broker communication partners, you import them into their respective databases (those containing initiator and target Service Broker services). Once again, in order to provide a security context for them, you need to designate accounts that will become their owners (via authorization mechanism). We will create a new user for this purpose (as before, defined without a corresponding SQL Server login) in each database and named identically to the owner of the corresponding private key (this is not required, but helps keep track of all principals involved in Service Broker conversations). Note that the resulting mutual ability of each service to identify its communication partner constitutes the primary difference between the full and anonymous dialog security. Furthermore, this unique functionality facilitates authorization, allowing you to assign specific credentials (instead of resorting to Public role, as we did previously) that will be used to carry out all tasks involved in message exchange. In particular, REMOTE SERVICE BINDING defined on the initiator references (via WITH USER clause) local owner of the public key, whose corresponding private key is in possession of the target database user with authorization to the target service (appearing in the TO SERVICE clause). At the same time, SEND permission on the target service needs to be granted to its database user (udbSBExp01) associated with the public key, whose corresponding private key is owned by the user in the initiator database (also named udbSBExp01) linked to the initiator service via AUTHORIZATION clause. 

-- on srvEnt01
USE dbSBEnt01
GO
CREATE USER udbSBExp01 WITHOUT LOGIN
GO
CREATE CERTIFICATE cert_dbSBExp01
 AUTHORIZATION udbSBExp01
 FROM FILE = 'C:\Temp\cert_dbSBExp01.cer'
GO
GRANT SEND ON SERVICE::[//databaseJournal.com/SQL2005EX/ServiceBroker/svcRecv]
 TO udbSBExp01
GO
-- on srvExp01
USE dbSBExp01
GO
CREATE USER udbSBEnt01 WITHOUT LOGIN
GO
CREATE CERTIFICATE cert_dbSBEnt01
 AUTHORIZATION udbSBEnt01
 FROM FILE = 'C:\Temp\cert_dbSBEnt01.cer'
GO
CREATE REMOTE SERVICE BINDING rsbSBEnt01
 TO SERVICE '//databaseJournal.com/SQL2005EX/ServiceBroker/svcRecv'
 WITH USER = udbSBEnt01
GO

By default, all Service Broker conversations operate with dialog security enabled. However, as you might recall, we explicitly disabled this feature by assigning an OFF value to the ENCRYPTION parameter when invoking the BEGIN DIALOG CONVERSATION statement. By changing its value to ON (or simply removing this clause from the BEGIN DIALOG CONVERSATION statement), all messages sent to the other SQL Server 2005 instance in our distributed scenario will be encrypted (as before, you can verify this by examining captures of network traffic between the communication partners). You should also keep in mind that defining remote service binding will actually force encryption of a dialog regardless of the value of ENCRYPTION parameter. 

-- on srvExp01
USE dbSBExp01
DECLARE @convHandle uniqueidentifier
BEGIN DIALOG CONVERSATION @convHandle
 FROM SERVICE [//databaseJournal.com/SQL2005EX/ServiceBroker/svcSend]
 TO SERVICE '//databaseJournal.com/SQL2005EX/ServiceBroker/svcRecv'
 ON CONTRACT [//databaseJournal.com/SQL2005EX/ServiceBroker/contAnymsgNV]
 WITH ENCRYPTION = ON
GO

In the next article of our series, we will examine the concept and implementation details of anonymous dialog-level security in a distributed Service Broker environment, including SQL Server 2005 Express Edition.

» See All Articles by Columnist Marcin Policht








The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Microsoft Whitepaper: Top 10 Reasons to Upgrade to Windows Server 2008 R2
Articles: Build a More Agile Business with IBM
IBM Articles: Virtualization Delivers a Dynamic Infrastructure
Articles: IBM Offers Enhanced Measurement and Management for Energy Usage
Articles: IBM Helps Transformation to an Information-Based Enterprise
Microsoft Articles: Visual Studio 2010
Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT
Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

SAP Webcast: Crystal Reports Server--Do More. Spend Less.
Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
 SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports
IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2
Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK
 Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Microsoft Demo: Lower Costs with the SQL Server 2008 Value Calculator
Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
 All About Botnets
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES