
Saturday, February 25, 2012

Certificate expiration date

Hi There

This may seem like a stupid question, but I am trying to get the hang of the new security model.

I have not really heard anything mentioned about certificate expiration dates when it comes to creating certificates for keys or service broker endpoints etc.

We have created certificates for keys and service broker endpoints. Now what exactly happens when the expiration date (by default 1 year, I think) is reached? Will we no longer be able to decrypt encrypted data, and will the service broker endpoints stop working, etc.?

Or is this expiration date the point after which the certificate can no longer be used to create security objects, while all security objects already created with this certificate will always work?

In other words, is there ever a danger that keys and endpoints, or basically any object referencing this certificate, will just suddenly stop working one day? Or will all objects work indefinitely regardless of a certificate's/object's expiration date?

Thanx

The certificate expiration date is not enforced by SQL Server directly. These certificates can still be used for encrypting and decrypting data, signing, verifying signatures, or object creation/usage in SQL Server.

Service Broker will honor the expiration date, and after a certificate has expired it cannot be used (see "Certificates for Dialog Security", http://msdn2.microsoft.com/en-us/library/ms166117.aspx). For more information on Service Broker's usage of certificates I would recommend visiting the Service Broker Conversations webpage at http://blogs.msdn.com/remusrusanu/.

While SQL Server itself will not prevent you from using an expired certificate, it is up to the application developers to enforce or suggest the expiration, and to treat the ability to use expired certificates as a disaster recovery tool rather than as a rule. I strongly recommend generating new certificates to substitute for expired ones.

Thanks,

-Raul Garcia

SDE/T

SQL Server Engine
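Since the engine does not enforce expiry_date, the practical consequence of the answer above is that you have to find expired certificates yourself and rotate them on a schedule. The following T-SQL is an added example written for this page, not Raul's code or anything from Books Online: it inventories certificates against a 30-day warning threshold, lists which certificate each Service Broker endpoint is bound to, and shows the two rotation steps (endpoint certificate and dialog certificate). All object names, the AppDb database, the C:\certs\ path and the dates are constructed placeholders.

```sql
-- Added example, not from the original answer. BrokerEndpoint,
-- BrokerEndpointCert, BrokerEndpointCert2013, NewDialogCert, OldDialogCert,
-- AppDb and C:\certs\ are placeholders; substitute your own names.

-- 1. Certificates in the current database (the ones protecting keys or used
--    for dialog security). The engine does not enforce expiry_date, so the
--    only way to notice an expired certificate is to query for it.
DECLARE @warn_days int;
SET @warn_days = 30;   -- constructed threshold; pick whatever fits your policy

SELECT c.name,
       c.subject,
       c.start_date,
       c.expiry_date,
       c.is_active_for_begin_dialog,      -- 1 = chosen when a new dialog begins
       CASE
         WHEN c.expiry_date < GETDATE()                           THEN 'EXPIRED'
         WHEN c.expiry_date < DATEADD(day, @warn_days, GETDATE()) THEN 'EXPIRING'
         ELSE 'OK'
       END AS expiry_status
FROM sys.certificates AS c
ORDER BY c.expiry_date;

-- 2. Certificates bound to Service Broker endpoints (these live in master).
--    Service Broker does honour expiry, so an expired endpoint certificate
--    stops remote instances from authenticating to this one.
SELECT sbe.name               AS endpoint_name,
       sbe.state_desc,
       sbe.connection_auth_desc,
       c.name                 AS certificate_name,
       c.expiry_date
FROM sys.service_broker_endpoints AS sbe
LEFT JOIN master.sys.certificates AS c
       ON c.certificate_id = sbe.certificate_id;

-- 3. Rotating an endpoint certificate: create the replacement with an explicit
--    lifetime instead of the one-year default, rebind the endpoint, export the
--    new public key for the remote instances, and only then drop the old one.
USE master;
GO
CREATE CERTIFICATE BrokerEndpointCert2013
    WITH SUBJECT = 'Service Broker endpoint, 2013 key',
         START_DATE  = '20130101',
         EXPIRY_DATE = '20140101';
GO
ALTER ENDPOINT BrokerEndpoint
    FOR SERVICE_BROKER (AUTHENTICATION = CERTIFICATE BrokerEndpointCert2013);
GO
BACKUP CERTIFICATE BrokerEndpointCert2013
    TO FILE = 'C:\certs\BrokerEndpointCert2013.cer';   -- public key only
GO
-- DROP CERTIFICATE BrokerEndpointCert;  -- once every remote side has imported the new .cer

-- 4. Rotating a dialog-security certificate in the application database: the
--    certificate flagged ACTIVE FOR BEGIN_DIALOG is the one used for new
--    conversations, so flip the flag after the remote side has imported the
--    new public key; conversations already in progress are unaffected.
USE AppDb;
GO
ALTER CERTIFICATE NewDialogCert WITH ACTIVE FOR BEGIN_DIALOG = ON;
ALTER CERTIFICATE OldDialogCert WITH ACTIVE FOR BEGIN_DIALOG = OFF;
GO
```

Run section 1 in every database that holds certificates and section 2 in master; scheduling both as a job that alerts on anything other than 'OK' turns the "application developers must enforce expiration" advice into something that actually happens.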

Certificate security and Dynamic Routing

I've been researching SSB and have read quite a number of posts on this forum that closely relate to what I'm trying to achieve. I have a solution I'm designing that ideally consists of a central server (SQLENTERPRISE) that will receive messages asynchronously from remote clients (SQLEXPRESS) spanning a wide geographical region over a GPRS virtual private network on a TCP/IP transport. This is ideally a star and spoke architecture, and requirements dictate high-level security, no loss of messages whatsoever, as well as high reliability and scalability.

To meet the security requirement in the context of the above scenario, I was thinking implementing both dialog and endpoint security using certificates would be ideal. I've downloaded some samples and have encountered problems simulating the above scenario on 3 machines (1 server & 2 clients). Client1 sends messages successfully; the 2nd client doesn't, possibly because the certificate on the server matches that of client1 since I ran that script first. How do I make it so that the server shares one certificate with all remote clients? Or is there a better way to configure SSB to work in this scenario?

Secondly, I have hard-coded the server's IP address in the routes created on the clients. Considering this is over a GPRS virtual network, how can I make the clients dynamically "discover" the server? The idea here is to make adding and setting up new remote clients easy, so that you can just plug them in to the existing network.

Any help or pointers would be greatly appreciated.

PapaLee

This is exactly what you need:

http://www.sqlteam.com/article/centralized-asynchronous-auditing-across-instances-and-servers-with-service-broker
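The linked article walks through the full setup; as an added example (not PapaLee's scripts and not the article's code) the T-SQL below shows the shape of the transport-security configuration that answers both questions. The hub keeps exactly one endpoint certificate and never copies its private key anywhere; what it collects is one login, user and imported public certificate per spoke, so adding a client touches nothing on the hub's own certificate. The spoke's route uses a host name rather than an IP address, and the hub uses a single `ADDRESS = 'TRANSPORT'` route instead of one route per spoke. All names (HubBrokerEndpoint, HubEndpointCert, SpokeLogin_Client1, HubAppDb, SpokeAppDb, hub.example.internal, the C:\certs\ paths) and the passwords are placeholders.

```sql
-- Added example, not from the original post or the linked article. All object
-- names, host names, paths and passwords are placeholders.

------------------------------------------------------------------
-- HUB (central instance), run in master
------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>'; -- skip if one exists
GO
-- ONE certificate for the hub endpoint. Only the exported public part (.cer)
-- is shipped to the spokes; the private key never leaves this instance.
CREATE CERTIFICATE HubEndpointCert WITH SUBJECT = 'Hub Service Broker endpoint';
GO
CREATE ENDPOINT HubBrokerEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022)
    FOR SERVICE_BROKER (AUTHENTICATION = CERTIFICATE HubEndpointCert,
                        ENCRYPTION = REQUIRED);
GO
BACKUP CERTIFICATE HubEndpointCert TO FILE = 'C:\certs\HubEndpointCert.cer';
GO
-- One login, user and imported public certificate PER SPOKE. The login only
-- exists to own the certificate and is never used to log in interactively.
CREATE LOGIN SpokeLogin_Client1 WITH PASSWORD = '<random, unused>';
CREATE USER  SpokeUser_Client1 FOR LOGIN SpokeLogin_Client1;
CREATE CERTIFICATE SpokeCert_Client1
    AUTHORIZATION SpokeUser_Client1
    FROM FILE = 'C:\certs\Client1EndpointCert.cer';
GRANT CONNECT ON ENDPOINT::HubBrokerEndpoint TO SpokeLogin_Client1;
GO
-- ... repeat the four statements above for Client2, Client3, ...

-- Return path: with ADDRESS = 'TRANSPORT' the hub reads the spoke's address
-- out of the spoke's service name, which must therefore be of the form
-- 'tcp://client1.example.internal:4022/SpokeAuditService'. One route serves
-- every spoke, so new clients need no hub-side route at all.
USE HubAppDb;
GO
CREATE ROUTE SpokeReturnRoute WITH ADDRESS = 'TRANSPORT';
GO

------------------------------------------------------------------
-- SPOKE (each SQL Express client), run in master
------------------------------------------------------------------
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE Client1EndpointCert WITH SUBJECT = 'Client1 Service Broker endpoint';
GO
CREATE ENDPOINT SpokeBrokerEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022)
    FOR SERVICE_BROKER (AUTHENTICATION = CERTIFICATE Client1EndpointCert,
                        ENCRYPTION = REQUIRED);
GO
BACKUP CERTIFICATE Client1EndpointCert TO FILE = 'C:\certs\Client1EndpointCert.cer'; -- copy to the hub
GO
-- Trust the hub: import the hub's public certificate under a login of its own.
CREATE LOGIN HubLogin WITH PASSWORD = '<random, unused>';
CREATE USER  HubUser FOR LOGIN HubLogin;
CREATE CERTIFICATE HubEndpointCert AUTHORIZATION HubUser FROM FILE = 'C:\certs\HubEndpointCert.cer';
GRANT CONNECT ON ENDPOINT::SpokeBrokerEndpoint TO HubLogin;
GO

-- Route to the hub from the spoke's application database. ADDRESS accepts a
-- host name, so the hub's IP can change (DNS or a hosts file resolves it)
-- without editing every spoke. BROKER_INSTANCE pins the hub database; get it
-- on the hub with: SELECT service_broker_guid FROM sys.databases WHERE name = 'HubAppDb'
USE SpokeAppDb;
GO
CREATE ROUTE HubRoute
    WITH SERVICE_NAME    = 'HubAuditService',
         BROKER_INSTANCE = '<service_broker_guid of HubAppDb>',
         ADDRESS         = 'TCP://hub.example.internal:4022';
GO
```

The symptom in the question (only the first client works) is what you get when the hub's single login/certificate pair is overwritten by each client's script; with one imported certificate per spoke, all of them authenticate against the same hub certificate. Transport security with `ENCRYPTION = REQUIRED` protects the hop between instances; dialog security, which the question also mentions, is configured separately in the application databases and is what protects the message end to end if it is forwarded.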


CERTIFICATE PROBLEM WHILE ENABLING SSL ON SQL SERVER 2005

Hi,

How do we install a certificate for enabling security on MS SQL Server 2005?
I tried to install it through MMC but it says no "certificate authority found". Any
help will be highly appreciated. Thanks to you all in advance :-)

Best Regards,

Sudhansu Tiwari

You should look at this article, but are you sure your problem is a missing certificate authority? Can you detail the steps you are using, one by one?

http://support.microsoft.com/kb/318605

|||

Sudhansu,

Please also have a look at the following blog postings:

http://blogs.msdn.com/sql_protocols/archive/2005/12/30/508311.aspx

http://blogs.msdn.com/sql_protocols/archive/2005/10/04/476705.aspx

for additional information about what type of SSL certificate SQL Server supports and how to configure SQL Server to use the SSL certificate.

HTH,

Jimmy
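Once the certificate is installed and Force Encryption is set as the linked postings describe, the thing worth checking is whether connections are actually encrypted, rather than assuming the setting took effect. The T-SQL below is an added example, not part of the replies above or of the linked articles: it reports the encryption state of the current session, lists every session that is still in the clear, and searches the current error log for the line SQL Server writes at startup about which certificate it loaded. Nothing in it is instance-specific; xp_readerrorlog is an undocumented extended procedure, so its parameters are stated as an assumption.

```sql
-- Added example, not from the original thread. Run as a login with
-- VIEW SERVER STATE; xp_readerrorlog is undocumented and its parameter
-- order (log number, log type, search string) is assumed here.

-- 1. Is THIS session encrypted? encrypt_option is 'TRUE' or 'FALSE'.
SELECT session_id,
       net_transport,          -- TCP, Shared memory, Named pipe, ...
       encrypt_option,         -- 'TRUE' once Force Encryption applies
       auth_scheme,            -- SQL, NTLM, KERBEROS
       client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Every session that is NOT encrypted: these are the ones a network
--    capture between client and server would expose. Expect an empty
--    result once Force Encryption = Yes has been applied and the service
--    restarted; anything listed is a client that connected in the clear.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       s.host_name,
       c.client_net_address,
       c.net_transport,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
ORDER BY s.login_name;

-- 3. Which certificate did the engine load at startup? The error log records
--    either that a self-generated certificate was used (no certificate was
--    picked up, i.e. the MMC install did not take) or the hash of the
--    configured certificate. Log 0 = current log, type 1 = SQL Server log.
EXEC master.dbo.xp_readerrorlog 0, 1, N'encryption';
```

If step 3 shows a self-generated certificate after you expected your own to be used, the usual causes are the ones the linked articles cover: the certificate's subject name not matching the server's FQDN, the private key not readable by the SQL Server service account, or the certificate sitting in the wrong store.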

Friday, February 24, 2012

Cell Security: Help

SECURITY USING CELL-SECURITY:

From what I've read, cell security is enforced on the client. If someone is able to gain access to a machine running the client (for example an application server or a web server), he is able to get cell values independently of the fact that those values will be defined as #N/A in the secured cell value property. The real value is travelling between the Analysis Server and the application server. Is this true? How can we effectively guarantee true security?

Did you look in BOL?

Cell Security
In a cube role, you can implement cell security to limit the cube cells that end users in the role can view as they browse cubes. You can also grant read/write access to a write-enabled cube and limit the cells that end users in the role can update. You do this by selecting a policy and by selecting a rule or defining a custom rule for each permission.

Cell security is optional. If you do not specify cell security, end users see all cell values in cubes they are authorized to access. (However, if dimension security is specified, cells for some members might not be viewable.) If a cube is write-enabled, end users cannot update cell values. If one or more of a virtual cube's component cubes are write-enabled, end users cannot update the cell values of virtual cubes.

If a policy or rule permits updates to a cell, it can be updated if it is an atomic cell. If the cell is not atomic, it can be updated only if the client application provides a way of dispersing the update over the subordinate atomic cells. For example, in a client application a write-enabled cube is displayed with the lowest level of every dimension except Time. On the axis for the Time dimension, the nonatomic cells for months are displayed, but the subordinate atomic cells for days are not. (Days is the lowest level in the Time dimension.) A cell for June can be updated by adding $90 if the client application provides a way of dividing the +$90 update into thirty +$3 updates, one to each of the cells for the 30 days in June. Dispersion methods other than simple division can also be used. The UPDATE CUBE statement provides several methods. For more information, see UPDATE CUBE Statement.

Cell Data Security question

I have a cube that needs to filter out data for a group of users based on the company they work for.

I thought about using the following MDX expression in the Cell Data section in the Edit Roles window for this particular cube:

Ancestor([Dim OPCO].CurrentMember,[OPCO]) IS [COMPANY NAME]

The issue is that the users have to select their particular OPCO company name in whichever tool they are using, otherwise they will only see NA as the value for all measures.

I would like to filter the data somehow so they do not need to select the particular company they are working for. I would then set up different role groups based on the user's company.

Is there some other way of accomplishing this type of task using a filter or scope command?

Thanks ahead of time

Steve Fibich

Hi Steve,

Once you have your roles in place, how about using member security to only permit the company users to see the member for their company? (And make this the default member for that particular role - I assume this is possible, but have yet to do it myself!).

An alternative is to have separate cubes for each company, which I can appreciate is a considerable amount of overhead.

Regards,

Will.

|||

Will,

This sounds like a good solution. How do you set the default property in the role? I tried the following MDX but I get an error when I try to open the cube.

Under Default Member for that particular dimension:

[Dim OPCO].[Opco Desc].MemberValue =[Company Name]

I am pretty new to MDX, so if this statement is incorrect please let me know. Also, is there a good place to get actual examples of MDX vs. the descriptions provided through most of the MS MSDN help sites?

Thanks,

Steve

|||

Never mind, I just found the MDX GUI tool... I am a little slow today.

Thanks for your help.