Use Certificates for a Database Mirroring Endpoint (Transact-SQL)

APPLIES TO: SQL Server. Not Azure SQL Database, Azure Synapse Analytics (SQL DW), or Parallel Data Warehouse.

To enable certificate authentication for database mirroring on a given server instance, the system administrator must configure each server instance to use certificates on both outbound and inbound connections. Outbound connections must be configured first.

Note

All mirroring connections on a server instance use a single database mirroring endpoint, and you must specify the authentication method of the server instance when you create the endpoint. Therefore, you can use only one form of authentication per server instance for database mirroring.

Configuring Outbound Connections

Follow these steps on each server instance that you are configuring for database mirroring:

  1. In the master database, create a database master key.

  2. In the master database, create an encrypted certificate for the server instance.

  3. Create an endpoint for the server instance that uses its certificate.

  4. Back up the certificate to a file and securely copy it to the other system or systems.

You must complete these steps for each partner and for the witness, if there is one.

For more information, see Allow a Database Mirroring Endpoint to Use Certificates for Outbound Connections (Transact-SQL).
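The four outbound steps above, carried through on one partner as an added Transact-SQL example (this code is not from the original page). Assumed names: the instance is called HOST_A, the certificate is HOST_A_cert, the endpoint is Endpoint_Mirroring on TCP port 7024, and C:\certs\ is a local directory the SQL Server service account can write to; the password is a placeholder.

```sql
-- Added example (not from the page): outbound configuration on one partner.
-- Assumptions: instance HOST_A, endpoint on TCP 7024, export path C:\certs\.
USE master;
GO

-- Step 1: the database master key protects the private key of the
-- certificate created below. Use a strong password and keep it out of scripts
-- that are checked into source control.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO

-- Step 2: a self-signed certificate whose private key never leaves this
-- instance. Set an explicit expiry; the default is one year from creation,
-- after which mirroring authentication would start failing.
CREATE CERTIFICATE HOST_A_cert
    WITH SUBJECT = 'HOST_A certificate for database mirroring',
         EXPIRY_DATE = '2030-12-31';
GO

-- Step 3: the mirroring endpoint authenticates peers with this certificate.
-- ENCRYPTION = REQUIRED ALGORITHM AES encrypts the mirroring traffic, which
-- the page recommends unless the network itself is trusted.
CREATE ENDPOINT Endpoint_Mirroring
    STATE = STARTED
    AS TCP (LISTENER_PORT = 7024, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        AUTHENTICATION = CERTIFICATE HOST_A_cert,
        ENCRYPTION = REQUIRED ALGORITHM AES,
        ROLE = ALL
    );
GO

-- Step 4: export the public part only. Without a WITH PRIVATE KEY clause the
-- private key stays on HOST_A; the .cer file is what the other partner (and
-- the witness) import when they configure their inbound connections.
BACKUP CERTIFICATE HOST_A_cert TO FILE = 'C:\certs\HOST_A_cert.cer';
GO

-- Verification: the endpoint should report CERTIFICATE authentication and
-- AES encryption, and the certificate's private key should be protected by
-- the master key.
SELECT name, state_desc, role_desc, connection_auth_desc, encryption_algorithm_desc
FROM sys.database_mirroring_endpoints;

SELECT name, subject, expiry_date, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'HOST_A_cert';
GO
```

Run the same script on the other partner (and the witness) with its own names, then move each exported .cer file to the other systems over a channel you trust; only the public certificate is exchanged, so a leaked file cannot be used to impersonate the instance, but it still identifies the mirroring peer and should be handled with care.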

Configuring Inbound Connections

Next, follow these steps for each partner that you are configuring for database mirroring. In the master database:

  1. Create a login for the other system.

  2. Create a user for that login.

  3. Obtain the certificate for the mirroring endpoint of the other server instance.

  4. Associate the certificate with the user created in step 2.

  5. Grant CONNECT permission on the mirroring endpoint to that login.

If there is a witness, you must also set up inbound connections for it. This requires setting up logins, users, and certificates for the witness on both partners, and vice versa.

For more information, see Allow a Database Mirroring Endpoint to Use Certificates for Inbound Connections (Transact-SQL).
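The five inbound steps above, carried through on one partner as an added Transact-SQL example (this code is not from the original page). Assumed names: this is HOST_A accepting connections from partner HOST_B, HOST_B's exported public certificate has already been copied securely to C:\certs\HOST_B_cert.cer, the local endpoint is named Endpoint_Mirroring, and the login password is a placeholder.

```sql
-- Added example (not from the page): inbound configuration on HOST_A so that
-- partner HOST_B can authenticate. Assumptions: HOST_B's public certificate
-- is at C:\certs\HOST_B_cert.cer and the local endpoint is Endpoint_Mirroring.
USE master;
GO

-- Step 1: a dedicated login that exists only to own the peer's certificate.
-- Nothing ever logs in with this password; it only has to satisfy policy.
CREATE LOGIN HOST_B_login WITH PASSWORD = '<strong-password-placeholder>';
GO

-- Step 2: a user in master mapped to that login.
CREATE USER HOST_B_user FOR LOGIN HOST_B_login;
GO

-- Steps 3 and 4: import HOST_B's public certificate and make HOST_B_user its
-- owner. A connection that proves possession of the matching private key is
-- then mapped to HOST_B_login. Only the .cer (public part) is needed here,
-- so no private key or key password is involved on this side.
CREATE CERTIFICATE HOST_B_cert
    AUTHORIZATION HOST_B_user
    FROM FILE = 'C:\certs\HOST_B_cert.cer';
GO

-- Step 5: least privilege for the peer: it may connect to the mirroring
-- endpoint and nothing else.
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO HOST_B_login;
GO

-- Verification: the certificate is owned by HOST_B_user, and CONNECT on the
-- endpoint is granted to HOST_B_login (and to no unexpected principal).
SELECT c.name AS certificate_name, dp.name AS owner_user, c.expiry_date
FROM sys.certificates AS c
JOIN sys.database_principals AS dp ON dp.principal_id = c.principal_id
WHERE c.name = 'HOST_B_cert';

SELECT pr.name AS grantee, sp.permission_name, sp.state_desc, e.name AS endpoint_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS pr ON pr.principal_id = sp.grantee_principal_id
JOIN sys.endpoints AS e ON e.endpoint_id = sp.major_id
WHERE sp.class_desc = 'ENDPOINT';
GO
```

Repeat the script on HOST_B with the roles reversed (import HOST_A_cert, grant CONNECT to HOST_A_login), and, if there is a witness, do the same pairing between the witness and each partner. The second verification query is also a useful periodic check: any login holding CONNECT on the mirroring endpoint that is not one of the expected peers should be investigated.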

Security

Unless you can guarantee that your network is secure, we recommend that you use encryption for database mirroring connections. For more information, see The Database Mirroring Endpoint (SQL Server).

When copying a certificate to another system, use a secure copy method. Be extremely careful to keep all of your certificates secure.

See Also

Create a Database Master Key:
CREATE MASTER KEY (Transact-SQL)
Transport Security for Database Mirroring and Always On Availability Groups (SQL Server)
Security Center for SQL Server Database Engine and Azure SQL Database
The Database Mirroring Endpoint (SQL Server)