Applies to: SQL Server, Azure SQL Managed Instance
To allow another instance to send messages using certificate-based Service Broker transport security, you create a user for the other instance and install the certificate for the other instance.
Permit access from another instance using certificates
1. Obtain the certificate for the other instance from a trusted source. Typically, this involves sending the certificate using encrypted email or transferring the certificate on physical media such as a floppy disk.

   Note: Only install certificates from trusted sources.

2. Create a login.

3. Create a user for the login in the master database.

4. Install the certificate for the other instance in the master database. The user created in step 3 owns the certificate.

5. Grant the login CONNECT access to the Service Broker endpoint.

6. Dump the certificate that's used for Service Broker transport security in the local instance.

   Note: Only dump the certificate used for transport security. Don't dump or distribute the private key associated with the certificate.

7. Provide the certificate to the administrator of the other database. The administrator of the remote database installs this certificate using the previous steps 1 - 4.
Once access is configured in each instance, communications between the two instances use Service Broker transport security, provided the endpoints of both instances are configured to allow transport security.
Examples
USE master;
GO
-- Create a login for the remote instance.
CREATE LOGIN RemoteInstanceLogin WITH PASSWORD = '<password>';
GO
-- Create a user for the login in the master database.
CREATE USER RemoteInstanceUser FOR LOGIN RemoteInstanceLogin;
GO
-- Load the certificate from the file system. Notice that
-- the user created for the remote login owns the certificate
-- (AUTHORIZATION), and that only the public certificate file
-- (.cer) is imported, never the remote instance's private key.
CREATE CERTIFICATE RemoteInstanceCertificate
AUTHORIZATION RemoteInstanceUser
FROM FILE = 'C:\Certificates\AceBikeComponentsCertificate.cer';
GO
GRANT CONNECT ON ENDPOINT::ThisInstanceEndpoint TO RemoteInstanceLogin;
GO
-- Write the certificate from this instance
-- to the file system. This command assumes
-- that the certificate used by the Service Broker
-- endpoint is named TransportSecurity.
BACKUP CERTIFICATE TransportSecurity
TO FILE = 'C:\Certificates\ThisInstanceCertificate.cer';
GO
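After running the steps above, it is worth confirming that the configuration actually took effect before the other administrator starts sending messages. The following queries are an added verification example and are not part of the original page; they reuse the object names from the example above (RemoteInstanceCertificate, RemoteInstanceLogin, TransportSecurity) and query the catalog views that SQL Server exposes for certificates, server permissions, and Service Broker endpoints. They check three things: that the remote certificate is installed in master without a private key and is owned by the expected user, that the remote login holds CONNECT on a Service Broker endpoint, and that the local endpoint is configured for certificate-based authentication with the local TransportSecurity certificate.

```sql
USE master;
GO

-- 1. The remote instance's certificate should be present in master,
--    owned by the user created for the remote login, and should carry
--    NO private key: only the public .cer file was ever received.
SELECT c.name                         AS certificate_name,
       dp.name                        AS owner_user,
       c.pvt_key_encryption_type_desc AS private_key_status,  -- expect NO_PRIVATE_KEY
       c.subject,
       c.start_date,
       c.expiry_date                                          -- flag certificates close to expiry
FROM sys.certificates AS c
JOIN sys.database_principals AS dp
  ON dp.principal_id = c.principal_id
WHERE c.name = 'RemoteInstanceCertificate';
GO

-- 2. The remote login should have CONNECT on a Service Broker endpoint
--    and nothing broader; any other permission rows here deserve a look.
SELECT sp.name            AS login_name,
       e.name             AS endpoint_name,
       pe.permission_name,
       pe.state_desc                                          -- expect GRANT
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp
  ON sp.principal_id = pe.grantee_principal_id
JOIN sys.endpoints AS e
  ON e.endpoint_id = pe.major_id
WHERE pe.class_desc = 'ENDPOINT'
  AND e.type_desc   = 'SERVICE_BROKER'
  AND sp.name       = 'RemoteInstanceLogin';
GO

-- 3. The local Service Broker endpoint should authenticate connections
--    with a certificate (connection_auth_desc containing CERTIFICATE),
--    should reference the local TransportSecurity certificate, and
--    should be started. The certificate name is an assumption carried
--    over from the example above.
SELECT sbe.name                      AS endpoint_name,
       sbe.state_desc,                                        -- expect STARTED
       sbe.connection_auth_desc,                              -- e.g. CERTIFICATE
       c.name                        AS endpoint_certificate, -- expect TransportSecurity
       sbe.encryption_algorithm_desc,
       sbe.is_encryption_required
FROM sys.service_broker_endpoints AS sbe
LEFT JOIN sys.certificates AS c
  ON c.certificate_id = sbe.certificate_id;
GO
```

If the first query returns a row whose private_key_status is anything other than NO_PRIVATE_KEY, the remote administrator distributed more than the public certificate and the key material on both sides should be treated as exposed and rotated. If the second query returns no row, messages from the remote instance will be rejected at the endpoint even though the certificate is installed. The same three queries, run on the remote instance with its own object names, verify the reciprocal configuration described in step 7.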