Home / server / Questions / 103454
Accepted
Kyle
Asked: 2010-01-17 20:04:39 +0800 CST

Encrypting MSMQ

  • 772

So I want to do asynchronous, disconnected, across-the-Internet messaging with WCF. Probably due to my background in Apache ActiveMQ, I'm looking at MSMQ for this.

In ActiveMQ, it was a simple thing to encrypt a queue connection; you simply chose an SSL based connection to the broker, and you had a basic SSL layer to protect your communication between the broker and the clients. (Should I consider using WCF clients with an ActiveMQ broker?)

When I hit Google for MSMQ encryption and MSMQ SSL I'm not finding anything similar. Here's hoping I'm just missing something?

I have found some semi-convoluted looking stuff about encrypting messages, things that seem off the mark about using HTTPS, and things that require an Active Directory - but I'm looking to protect all of the communication, not just the messages, and we prefer not to use HTTPS as a binding as we require disconnected operation, and we will have no Active Directory to work with.

What's the best way to do this?

firewall encryption wcf msmq activemq

2 Answers

  1. Does http://blogs.msdn.com/motleyqueue/archive/2007/10/06/complementing-msmq-security-with-wcf.aspx have any relevance? It seems to hint at a setting which appears to be transport level, and suggests message encryption as well.

    • 2
  2. Best Answer

    OK, finally found a reference to doing non-Active Directory MSMQ encryption. Here's the link. It's not hard once you find the documentation!

    This is how you use message encryption with MSMQ but not use Active Directory.

    http://msdn.microsoft.com/en-us/library/aa395200.aspx

    From TFA:

    Demonstrates

    The client encrypts the message using the public key of the service and signs the message using its own certificate. The service reading the message from the queue authenticates the client certificate with the certificate in its trusted people store. It then decrypts the message and dispatches the message to the service operation.

    Because the Windows Communication Foundation (WCF) message is carried as a payload in the body of the MSMQ message, the body remains encrypted in the MSMQ store. This secures the message from unwanted disclosure of the message. Note that MSMQ itself is not aware whether the message it is carrying is encrypted.

    The sample demonstrates how mutual authentication at the message level can be used with MSMQ. The certificates are exchanged out-of-band. This is always the case with queued application because the service and the client do not have to be up and running at the same time.

    Description The sample client and service code are the same as the Transacted MSMQ Binding sample with one difference. The operation contract is annotated with protection level, which suggests that the message must be signed and encrypted.

    • 0