Securing Controller Server Communications

When you secure controller server communications, all communication from MQIS servers to MSMQ clients (both independent and dependent) and MSMQ routing servers is secured. This ensures that unauthorized persons cannot install software that provides false information in the place of a real MQIS server. By default, MSMQ does not use secure communications.

For more information on securing controller server communication, see "Securing Communication with Controller Servers" in Chapter 5, "Securing Your MSMQ Enterprise."


To secure controller server communications

  1. Install IIS version 2.0 or later on each controller server.
  2. Obtain one or more certificates from a certification authority. You must have one certificate for each controller server that will support secured MQIS access.
  3. Use the IIS Key Manager utility to install and configure the certificates on the controller servers.
  4. In Control Panel on each MSMQ client that will support secure MQIS access, double-click MS Message Queue.
  5. On the Security tab, click Use only secured connections when communicating with MSMQ controller server.

To install and configure a certificate for authenticating MQIS access

  1. Click Start, point to Programs, point to Microsoft Internet Information Server (Common), and click Key Manager.
  2. Click MSMQ, and then on the Key menu, click Create New Key.
  3. In Password, specify a password to encrypt the key.
  4. Type the information required in Distinguishing Information.
  5. In Common Name, specify the name of the computer running Windows NT Server.
  6. In Request File, specify the path to the certificate request file that Key Manager will create, and then click OK. Or, accept the default path by clicking OK.
  7. Retype the password specified in Step 3, and click OK.
  8. Provide your e-mail address and phone number, and then click OK.
  9. Send the certificate request file to a certification authority.
  10. When you receive your key from the certification authority, select the corresponding key in Key Manager, and then click Install Key Certificate on the Key menu.

Although you can install multiple certificates for use with IIS, you can install only one certificate for use with MSMQ (for the purpose of securing MQIS communication). If one or more certificates are already installed for use with IIS and if the common name of one of the certificates matches the name of the computer running Windows NT Workstation or Windows NT Server, you can run Key Manager and copy and paste (or you can cut and paste) one certificate from the WWW node to the MSMQ node. If you copy and paste the certificate, it will be used by both IIS and MSMQ. However, if the certificate's common name matches the server's domain name system (DNS) name instead of its Windows NT computer name, the certificate cannot be used with MSMQ.
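The common-name rule above can be checked before a certificate is copied from the WWW node to the MSMQ node. The following Python code is an added example, not part of the original documentation or of MSMQ; the function names, host names and certificate subjects are constructed, and the case-insensitive comparison against the Windows NT computer name is an assumption.

```python
def split_rdns(dn):
    """Split a subject string on commas, honouring backslash escapes."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            cur.append(ch)
            esc = False
        elif ch == '\\':
            esc = True
        elif ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts

def common_name(subject):
    """Return the CN value of a subject string, or None if it has none."""
    for rdn in split_rdns(subject):
        key, sep, value = rdn.strip().partition('=')
        if sep and key.strip().upper() == 'CN':
            return value.strip()
    return None

def classify(subject, nt_name, dns_name):
    cn = common_name(subject)
    if cn is None:
        return 'no-common-name'
    if cn.upper() == nt_name.upper():       # assumption: case-insensitive
        return 'usable'
    if cn.lower().rstrip('.') == dns_name.lower().rstrip('.'):
        return 'dns-name'                   # DNS name: not usable with MSMQ
    return 'mismatch'

def pick_msmq_certificate(subjects, nt_name, dns_name):
    """Return (first usable subject or None, {subject: verdict})."""
    report = {s: classify(s, nt_name, dns_name) for s in subjects}
    usable = [s for s in subjects if report[s] == 'usable']
    return (usable[0] if usable else None), report

# Constructed sample data: subjects of certificates under the WWW node.
NT_NAME, DNS_NAME = 'MQPEC01', 'mqpec01.example.com'
WWW_SUBJECTS = [
    'CN=mqpec01.example.com, O=Example Corp, C=US',
    'CN=mqpec01, O=Example Corp, C=US',
    'CN=WEB02, O=Example\\, Inc., C=US',
    'O=Example Corp, C=US',
]
CHOSEN, REPORT = pick_msmq_certificate(WWW_SUBJECTS, NT_NAME, DNS_NAME)
```

Only one subject is returned as the choice because only one certificate can be installed for MSMQ; a certificate reported as `dns-name` would have to be reissued with the computer name as its common name.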



To enable or disable secure controller server communications on a client

  1. In Control Panel, double-click MS Message Queue.
  2. On the Security tab, select or click to clear the Use only secured connections when communicating with MSMQ controller server check box.

To view or change the IE certification authority configuration

  1. On the IE View menu, click Options.
  2. On the Security tab, click Sites.

To view or change the MSMQ certification authority configuration on MSMQ clients and MSMQ routing servers

  1. In Control Panel, double-click MS Message Queue.
  2. On the Security tab, click Certification Authorities.

To add a certification authority to the IE and MSMQ certification authority configuration

  1. Click Start, and then click Run.
  2. Type the path to the .crt file provided by the certification authority, and then click OK. Or, click Browse and specify the .crt file; click Open; and then click OK.
  3. Click Accept and enable this site certificate if you want IE to trust the certificate authority. Or, click Accept this certificate but do not enable it.
  4. In Control Panel, double-click MS Message Queue.
  5. On the Security tab, click Certification Authorities.
  6. Select or click to clear the check box next to the name of the certification authority, depending on whether you want MSMQ to trust the certification authority.

© 1997 by Microsoft Corporation. All rights reserved.