
Monday, March 19, 2012

Dialog security with different instances of a service

I am in the process of evaluating the use of Service broker for messaging in a load balanced configuration, and am not having any success. My configuration is as follows.

1) Master database on Box #1 which is the initiator of all dialogs

2) Target database on Box #2

3) Target database on Box #3

One of my goals is that the databases on Box #2 and #3 are as close to identical as possible.

My routing table on Box #1 looks something like the following

Name       remote_service_name  broker_instance                       address
TargetOne  TargetService        E96DC67E-F696-4D93-8545-C2E92157E32D  tcp://server1:4022/
TargetTwo  TargetService        56607120-26AA-4AAA-B9E4-F14689C40E41  tcp://server2:4022/

My messaging process begins with a dialog initiated from the master database (Box #1) to each of the target services. At this time, only the first server "tcp://server1:4022/" is receiving messages. The sys.transmission_queue shows a message outbound to "tcp://server2:4022/" with a blank status.

I believe that my delivery problem has something to do with the resolution of the dialog certificate needed for the conversation. The MSDN documentation states that:

"Service Broker uses a remote service binding to locate the certificate to use for a new conversation...The certificate for user_name must correspond to the certificate for a user in the database that hosts the remote service."

I am confused as to how I would configure remote service binding if one cannot create more than one binding for the same remote_service_name.

The following throws an exception on the last creation of the binding.

CODE SNIP

CREATE CERTIFICATE UFEDlgCertTargetPublic
AUTHORIZATION UFEDialogUser
FROM FILE='C:\certs\UFEDlgCertTarget.cer';

CREATE CERTIFICATE UFEDlgCertTarget2Public
AUTHORIZATION UFEDialogUser2
FROM FILE='C:\certs\UFEDlgCertTarget_2.cer';

CREATE REMOTE SERVICE BINDING [targetRSB]
TO SERVICE 'TargetService'
WITH USER = UFEDialogUser, ANONYMOUS=OFF ;
GO

CREATE REMOTE SERVICE BINDING [targetRSB2]
TO SERVICE 'TargetService'
WITH USER = UFEDialogUser2, ANONYMOUS=OFF ;
GO
/CODE SNIP

Msg 9619, Level 16, State 1, Line 1
Failed to create remote service binding 'targetRSB2'. A remote service binding for service 'TargetService' already exists.

I am obviously missing a clear understanding of dialog security, and would greatly appreciate an explanation of how certificates get resolved when more than one route exists for different instances of a service.

Any help would be appreciated.
-Joel Neubeck

As you said in your BOL quote, you have to use the same certificate for both targets. That means you only have one remote service binding, which specifies one user, which owns one certificate. The two target databases must have the same certificate. If you want to make the targets identical, the easiest way to get the same certificate on both boxes is to copy the database to the second box so everything - including the certificates - is truly identical.

Thank you for your help.
-Joel
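The single-binding layout the answer describes, as an added T-SQL example that is not from the original thread: one user and one public certificate on the initiator, one remote service binding keyed by 'TargetService', and two routes that differ only in broker_instance and address. It replicates the target certificate with BACKUP CERTIFICATE / CREATE CERTIFICATE WITH PRIVATE KEY instead of copying the whole database; database names, the TargetDialogUser name, the .pvk path and the password are assumptions, while the broker instance GUIDs and the .cer path are those shown in the question.

```sql
-- Added example, not the thread's own code. Assumed names: TargetDB, MasterDB,
-- TargetDialogUser, the .pvk path and the placeholder password.

-- Target database on Box #2: export the existing dialog certificate together with
-- its private key so Box #3 can hold an identical copy.
USE TargetDB;
BACKUP CERTIFICATE UFEDlgCertTarget
    TO FILE = 'C:\certs\UFEDlgCertTarget.cer'
    WITH PRIVATE KEY (FILE = 'C:\certs\UFEDlgCertTarget.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO

-- Target database on Box #3: import the same certificate, private key included,
-- under the user that owns it on Box #2. Both targets now present the same key.
USE TargetDB;
CREATE CERTIFICATE UFEDlgCertTarget
    AUTHORIZATION TargetDialogUser
    FROM FILE = 'C:\certs\UFEDlgCertTarget.cer'
    WITH PRIVATE KEY (FILE = 'C:\certs\UFEDlgCertTarget.pvk',
                      DECRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO

-- Master database on Box #1: one user, the public half of that certificate,
-- ONE binding for 'TargetService', and one route per target instance.
USE MasterDB;
CREATE USER UFEDialogUser WITHOUT LOGIN;
CREATE CERTIFICATE UFEDlgCertTargetPublic
    AUTHORIZATION UFEDialogUser
    FROM FILE = 'C:\certs\UFEDlgCertTarget.cer';   -- public key only, no .pvk

CREATE REMOTE SERVICE BINDING [targetRSB]
    TO SERVICE 'TargetService'
    WITH USER = UFEDialogUser, ANONYMOUS = OFF;

CREATE ROUTE TargetOne
    WITH SERVICE_NAME = 'TargetService',
         BROKER_INSTANCE = 'E96DC67E-F696-4D93-8545-C2E92157E32D',
         ADDRESS = 'tcp://server1:4022';
CREATE ROUTE TargetTwo
    WITH SERVICE_NAME = 'TargetService',
         BROKER_INSTANCE = '56607120-26AA-4AAA-B9E4-F14689C40E41',
         ADDRESS = 'tcp://server2:4022';
GO

-- Check on Box #1: each remote service name has exactly one binding, and the
-- bound user owns the certificate Service Broker will use for the dialog.
SELECT b.name AS binding, b.remote_service_name,
       p.name AS bound_user, c.name AS certificate
FROM sys.remote_service_bindings AS b
JOIN sys.database_principals AS p ON p.principal_id = b.remote_principal_id
LEFT JOIN sys.certificates AS c ON c.principal_id = p.principal_id;
```

A row with a NULL certificate column means the binding points at a user with no certificate, and dialogs to that service will sit in sys.transmission_queue much like the blank-status message in the question.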