While working on one of my projects, I had to make WCF run over a farm of load-balanced message queues. After several days of web search, asking questions and coding I have come up with the following "Step-by step guide for setting up certificate security for WCF over MSMQ communication".

The goal is to implement a secured WCF communication based on MSMQ under the following requirements/assumptions/recommendations.

  • All MSMQ traffic must be encrypted and signed.
  • No involvement of Windows Domain security and Active Directory.
  • No code changes required on the client or on the server side.
  • MSMQ version 4.0 (W2K8) is used, but it would be nice to have a solution that works on MSMQ 3.0 (W2K3) as well.
  • There must be a well-established and straightforward routine for setting up secured communication that can be followed during test/staging/production deployment.

The weapon of choice is message-based certificate security. To put it simple, it means two things:

 

  • all security-related activities happen on WCF level, MSMQ engine works only as a transport;
  • certificate keys are stored on client and server machines.

 

Read on...