This is a copy/paste form my own document about transport security. This description only configures transport security between the two instances. You still need to set up dialog security which also involves creating certificates, exchange of public keys, creating users based on the certificates, granting SEND on services for the users etc. Let me know if you need info about this too.
Each instance of SQL Server creates a service broker endpoint. Only one service broker endpoint can exist per instance. The endpoint specifies which certificate it will use for authentication on the far side. The certificate must be created in the master database. The far endpoint has a certificate with the public key, and a login created from this certificate. The login must be granted connect permission on the endpoint.
The same is done at the far side. A certificate is created in the master database, a endpoint is created with authentication based on the certificate, the public key is copied to the remote server, and certificate is created with the public key, a login is created based on this certificate and granted connect permission on the endpoint.
Create a certificate in the master database, create an endpoint using the certificate for authentication, and backup the public key of the certificate to file.
On SERV1:
use mastergo
create certificate ServiceBrokerEndpointCertificate
with subject='SERV1 service Broker Endpoint Certificate',
expiry_date='12/31/2999'
active for begin_dialog=on;
go
create endpoint ServiceBrokerEndpoint
state=started
as tcp(listener_port=4022)
for service_broker(
authentication=certificate ServiceBrokerEndpointCertificate,
encryption=supported
)
go
backup certificate ServiceBrokerEndpointCertificate
TO FILE = 'c:\program files\microsoft sql server\mssql.1\mssql\backup\SERV1ServerCert.cer'
Execute the same statement on SERV2:
use mastergo
create certificate ServiceBrokerEndpointCertificate
with subject='SERV2 service Broker Endpoint Certificate',
expiry_date='12/31/2999'
active for begin_dialog=on;
go
create endpoint ServiceBrokerEndpoint
state=started
as tcp(listener_port=4022)
for service_broker(
authentication=certificate ServiceBrokerEndpointCertificate,
encryption=supported
)
go
backup certificate ServiceBrokerEndpointCertificate
TO FILE = 'c:\program files\microsoft sql server\mssql.1\mssql\backup\SERV2ServerCert.cer'
Copy the certificate file from SERV1 to SERV2 and vice versa. Create a certificate based on the public key, create a login based on the certificate and grant the login connect permissions:
On SERV1:
create certificate SERV2ServerSBCert from file='c:\program files\microsoft sql server\mssql.1\mssql\backup\SERV2ServerCert.cer'go
create login sbSERV2 from certificate SERV2ServerSBCert
go
grant connect on endpoint::ServiceBrokerEndpoint to sbSERV2
On SERV2:
create certificate SERV1ServerSBCert from file='c:\program files\microsoft sql server\mssql.1\mssql\backup\SERV1ServerCert.cer'go
create login sbSERV1 from certificate SERV1ServerSBCert
go
grant connect on endpoint::ServiceBrokerEndpoint to sbSERV1
Only one task remains, and that is to set up a route on SERV1 to SERV2, and on SERV2 to SERV1.
The broker_instance values are found in sys.databases on each server.
On SERV1:
create route SERV1ToSERV2Routewith service_name='DateAndTimeResponseService',
broker_instance='B8E0239E-25A3-4511-B8F5-806FA87C1547',
address='TCP://SERV2:4022'
On SERV2:
create route SERV2ToSERV1Routewith service_name='DateAndTimeRequestService',
broker_instance='144A7BFD-8204-4086-8D90-CAC116F0CC48',
address='TCP://SERV1:4022'