Configuring Controller Servers for Secure MQIS Access

To configure controller servers for secure MSMQ access, you must:

Install IIS version 2.0 or later
Obtain a certificate from a certification authority.
Use the IIS Key Manager utility to install and configure certificates for authenticating MQIS access.

If you do not want to use IIS on the MSMQ server, you can save disk space and memory usage by selecting only the Internet Service Manager check box when installing IIS. This installs approximately 2 MB of IIS utilities, none of which run as a service.

You can obtain a certificate from any certificate authority supported by IE version 3.0 or later. If the certificate authority is not supported by IE by default, you must add the certificate authority to the IE configuration. If you add the certificate authority to the IE configuration after you install MSMQ, you must then use the MS Message Queue icon in Control Panel to update the MSMQ certificate authority configuration. In either case, this change must be made on each MSMQ client or MSMQ routing server that will be configured to use secure MQIS access.

The key to successfully installing a certificate for securing MQIS access is to give the certificate the same name as the MSMQ routing server's Windows NT computer name. If these names do not match, MSMQ clients cannot establish secured connection with the server.. For complete instructions on installing and configuring a certificate for authenticating MQIS access, see "Securing Controller Server Communications" in Chapter 3, "Managing MSMQ."

Although you can install multiple certificates for use with IIS, you can install only one certificate for use with MSMQ (for the purpose of securing MQIS communication). If one or more certificates is already installed for use with IIS, and the common name of one of the certificates matches the name of the computer running Windows NT, you can run Key Manager and copy and paste, or you can cut and paste one certificate from the WWW node to the MSMQ node. If you copy and past the certificate, it will be used by IIS and MSMQ.

However, if the certificate's common name matches the server's domain name system (DNS) name instead of it's Windows NT computer name, the certificate cannot be used with MSMQ.

Each MSMQ client and MSMQ routing server that you configure to use secured MQIS access must be configured to trust the Certificate Authority that provided the certificates installed on the controller servers. This is covered in the following section.