Extending Applications Securely Using Service Broker. Ed Leighton-Dick, Founder, Kingfisher Technologies Moderated By: Lance Harra

Transcription

1 Extending Applications Securely Using Service Broker Ed Leighton-Dick, Founder, Kingfisher Technologies Moderated By: Lance Harra

2 Technical Assistance If you require assistance during the session, type your inquiry into the question pane on the right side. Maximize your screen with the zoom button on the top of the presentation window. Please fill in the short evaluation following the session. It will appear in your web browser.

3 Thank You to Our Sponsors Empower users with new insights through familiar tools while balancing the need for IT to monitor and manage user created content. Deliver access to all data types across structured and unstructured sources. Redgate Software makes ingeniously simple software used by 650,000 IT professionals who work with SQL Server,.NET, and Oracle. More than 100,000 companies use Redgate products, including 91% of the Fortune 100. Redgate s philosophy is to design highly usable, reliable tools which elegantly solve the problems that developers and DBAs face every day.

4 Join PASS PASS is a not-for-profit organization which offers year-round learning opportunities to data professionals. Access to online training and content Join Local Groups and Virtual Groups Get advance notice of member exclusives Enjoy discounted event rates MEMBERSHIP IS FREE, JOIN TODAY

5 Ed Leighton-Dick MICROSOFT MVP, DATA PLATFORM FOUNDER, KINGFISHER TECHNOLOGIES ed.leightondick eleightondick PASS CHAPTER LEADER AND REGIONAL MENTOR in/eleightondick

6 Extending Applications Securely Using Service Broker Ed Leighton-Dick, Founder, Kingfisher Technologies

7 EXTENDING APPLICATIONS SECURELY USING SERVICE BROKER ED LEIGHTON-DICK, FOUNDER, KINGFISHER TECHNOLOGIES

8 Ed Leighton-Dick MICROSOFT MVP, DATA PLATFORM FOUNDER, KINGFISHER TECHNOLOGIES ed.leightondick eleightondick PASS CHAPTER LEADER AND REGIONAL MENTOR in/eleightondick

9 Our goals SERVICE BROKER ARCHITECTURES: BASIC AND EXTENDED EXTENDING: ROUTING AND EXTERNAL ACTIVATION ADDING SECURITY

10 ARCHITECTURES

11 MESSAGE TYPE CONTRACT CONTRACT SERVICE ENDPOINT ENDPOINT SERVICE QUEUE QUEUE MESSAGE TYPE Review: Basic Service Broker architecture ACTIVATION PROCEDURE ACTIVATION PROCEDURE ROUTE

12 Traditional methods vs Service Broker TRADITIONAL PROCEDURE Analogy: Communicating by phone Synchronous Real-time One-to-one More requests -> More processes Limit to number of requests that can be handled SERVICE BROKER Analogy: Communicating by letter Asynchronous Not quite real-time One-to-many Structured way of handling increases in demand Scales out easily

13 DEMO: THE SCENARIO

14 Our scenario SQLTALK : A NEW TEXT MESSAGING APPLICATION Currently a prototype Very limited SEVERAL IMPROVEMENTS HAVE BEEN REQUESTED Scale out Add end-to-end encryption, Twitter, and SMS

15 Methodology Develop Extend Secure

16 ROUTING

17 Endpoints ALLOWS CONNECTION TO AN INSTANCE OF SQL SERVER ONE PER INSTANCE OF SQL SERVER CREATE ENDPOINT

18 Routes: Basic SPECIFIES THE ADDRESS OF THE DESTINATION ALWAYS CREATE IN PAIRS A B B A CREATE ROUTE

19 Routes: Multiple steps (Forwarding) ENABLE FORWARDING ON ENDPOINT ADD APPROPRIATE ROUTES ON ALL SERVERS A F, F B B F, F A FORWARDER DOES NOT HAVE COPY OF SERVICE

20 Multicast ADDED IN SQL 2012 ALLOWS A MESSAGE TO BE SENT TO MULTIPLE DESTINATIONS SIMULTANEOUSLY VARIATION ON SEND COMMAND One OPEN DIALOG per destination List all destinations in SEND

21 DEMO: ADDING ROUTING

22 EXTERNAL ACTIVATION

23 What is External Activation? WINDOWS SERVICE USES Invoke lengthy processes Invoke processes that wouldn t run safely or predictably within SQL Server SB External Activation Queue Event Notification External Activation Service.Net program Initiates Action Relays Action Receives Action Executes Action

24 Installation OPTION 1: DOWNLOAD EXECUTABLE Part of SQL Server Feature Pack (version-specific) OPTION 2: WRITE A CUSTOM EXTERNAL ACTIVATOR INSTALL SERVICE ON SEPARATE MACHINE FOR BEST PERFORMANCE Limited to one instance per machine

25 Configuration: Service Broker CONFIGURE SERVICE BROKER INSTANCES Initiator Target CREATE EVENT NOTIFICATION FOR QUEUE_ACTIVATION Consumes target queue Directed to external activator

26 Configuration: Application WHILE LOOP Event notification only sends one message ( There s something to do! ) Application must loop through messages until queue empty PARSE MESSAGES Structure similar to what is used in stored procedure COMMIT TRANSACTIONS Ensures messages are removed from queue

27 Configuration: External Activator <NotificationServiceList> Points to the queue that stores the event notifications <ApplicationServiceList> < ApplicationService>: Points to the queue that stores the messages to parse <ImagePath>: Defines the application to launch <LogSettings> Multiple levels of logging available

28 DEMO: EXTERNAL ACTIVATION

29 SECURITY

30 Certificates TYPES Self-signed certificates Third-party certificates ROTATE REGULARLY TO MAINTAIN SECURITY USE ENCRYPTION KEY MANAGEMENT (EKM), IF AVAILABLE Hardware Security Modules (HSM) Azure Key Vault

31 Transport security SECURES THE CONNECTION BETWEEN ENDPOINTS Enabled by default TRANSPORT SECURITY Authentication between pairs of endpoints TRANSPORT ENCRYPTION Encryption between endpoints Applies to all messages passing through connection

32 Dialog security SECURES THE MESSAGES THEMSELVES DIALOG SECURITY Authentication between initiator and target services DIALOG ENCRYPTION Encrypts message at initiator, decrypts at target Not decrypted by forwarders Relies on dialog security for certificates

33 Securing the connection SQL SERVER CONNECTIONS SHOULD BE ENCRYPTED Prevents man-in-the-middle attacks SSL/TLS Natively supported Negotiated each time connection is opened VPN (IPSEC) Persistent connection

34 Securing the endpoints CHANGE THE PORT Default: 4022 ALWAYS USE AES ENCRYPTION RC4 compromised; deprecated in SQL 2016 LIMIT USERS VIA PERMISSIONS

35 Access control ACTIVATION PROCEDURE EXECUTION EXECUTE AS PERMISSIONS FOR PRINCIPALS PERMISSIONS FOR EXTERNAL ACTIVATION

36 DEMO: ADDING SECURITY

37 WRAP-UP

38 What we covered SERVICE BROKER ARCHITECTURES: BASIC AND EXTENDED EXTENDING: ROUTING AND EXTERNAL ACTIVATION ADDING SECURITY

39 QUESTIONS?

40 Coming up next! SQL Server and Application Security For Developers Mladen Prajdić

41 THANK YOU FOR ATTENDING

42