WCF-NetMsmq Transport Properties Dialog Box, Send, Security Tab

 

Use the Security tab to define the security capabilities of the WCF-NetMsmq send adapter.

Use this: To do this
Security mode: Specify the type of security that is used. Valid values include the following:

- None: Messages are not secured during transfer.
- Transport: Protection and authentication are offered by the transport. This applies to communication between the two queue managers. There is no security offered between the application and queue manager. Existing MSMQ applications are functionally equivalent with this type of security mode.
- Message: Specify the end-to-end application security. There is no security offered at the transport layer. This is similar to the security offered by other standard bindings. To use this security mode, the send port needs to be provisioned with the service certificate. The service credential can be provided through the Service certificate - Thumbprint property.
- Both: Offer security at both the transport and SOAP messaging layer. To use this security mode, the send port needs to be provisioned with the service certificate. The service credential can be provided through the Service certificate - Thumbprint property.

The default is Transport.
MSMQ authentication mode: Specify how the message must be authenticated by the MSMQ transport. Valid values include the following:

- None: No authentication. If this authentication mode is used, the MSMQ protection level property must be set to None.
- WindowsDomain: The authentication mechanism uses Active Directory to retrieve the X.509 certificate for the security identifier associated with the message. This is then used to check the ACL of the queue to ensure the user has write permission for the queue. If this authentication mode is used, the MSMQ protection level property cannot be set to None. To use this authentication mode, you must enable Active Directory Integration for MSMQ.
- Certificate: This send port retrieves the certificate from the certificate store to authenticate this send port to services. If this authentication mode is used, the MSMQ protection level property cannot be set to None, and the Client certificate - Thumbprint property must be set.

The default is WindowsDomain.
MSMQ protection level: Specify the way messages are secured at the level of the MSMQ transport. Encryption ensures message integrity, while sign and encrypt ensures both message integrity and non-repudiation. Valid values include the following:

- None: No protection.
- Sign: Messages are signed.
- EncryptAndSign: Messages are encrypted and signed. To use this protection level, you must enable Active Directory Integration for MSMQ.

The default is Sign.
Secure hash algorithm: Specify the hash algorithm to be used for computing the message digest. This property is not available if the MSMQ protection level property is set to None. Valid values include the following:

- MD5
- SHA1
- SHA256
- SHA512

The default is SHA1.
Encryption algorithm: Specify the algorithm to be used for message encryption on the wire when transferring messages between message queue managers. This property is available only if the MSMQ protection level property is set to EncryptAndSign. Valid values include the following:

- RC4Stream
- AES

The default value is RC4Stream.
Message client credential type: Specify the type of credential to be used when performing client authentication using the message-based security. Valid values include the following:

- None: Allow the service to interact with anonymous clients. This indicates that this send port does not provide any client credential.
- Windows: Allow the SOAP exchanges to be under the authenticated context of a Windows credential. This always performs Kerberos-based authentication.
- UserName: Allow the service to require that this send port be authenticated using a UserName credential. This credential needs to be specified through the Client credentials property. WCF does not support sending a password digest or deriving keys using password and using such keys for message security. Therefore, WCF enforces that the exchange is secured when using UserName credentials.
- Certificate: Allow the service to require that the client be authenticated using a certificate. The client credential in this case needs to be specified using the Client certificate - Thumbprint property.

The default value is Windows.
Algorithm suite: Specify the message encryption and key-wrap algorithms. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification. Possible values are:

- Basic128: Use Aes128 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic128Rsa15: Use Aes128 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic128Sha256: Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic128Sha256Rsa15: Use Aes128 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- Basic192: Use Aes192 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic192Rsa15: Use Aes192 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic192Sha256: Use Aes192 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic192Sha256Rsa15: Use Aes192 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- Basic256: Use Aes256 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic256Rsa15: Use Aes256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
- Basic256Sha256: Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- Basic256Sha256Rsa15: Use Aes256 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
- TripleDes: Use TripleDes encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
- TripleDesRsa15: Use TripleDes encryption, Sha1 for message digest, and Rsa15 for key wrap.
- TripleDesSha256: Use TripleDes for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
- TripleDesSha256Rsa15: Use TripleDes for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

The default value is Basic256.
Client certificate - Thumbprint: Specify the thumbprint of the X.509 certificate for authenticating this send port to a service. You can select the thumbprint by navigating to the My store in the Current User location with the Browse button.

Note: You must install the client certificate into the Current User location of the user account for the send handler hosting this send port.

Minimum length: 0

Maximum length: 40

The default is an empty string.
Service certificate - Thumbprint: Specify the thumbprint of the X.509 certificate for authenticating the service to which this send port sends messages. You can select the thumbprint by navigating to the Other People store in the Local Computer location with the Browse button. In addition, the CA certificate chain for the service X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

Minimum length: 0

Maximum length: 40

The default is an empty string.
Client credentials: Specify the credentials for sending messages when using UserName for the Message client credential type property. You can specify this property by clicking the Edit Credentials button.

The default value is Do not use Single Sign-On.
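
The dependencies between the properties above can be checked mechanically before a send port is deployed. The following is an added example, not part of the original documentation or of BizTalk: settings are keyed by this page's dialog labels, and `lint_security_tab` and the dictionary layout are hypothetical. The weak-algorithm warnings and the 40-hex-digit thumbprint check are assumptions added here.

```python
import re

# Defaults as listed on this page; keys are the dialog labels, not binding-file names.
DEFAULTS = {
    "Security mode": "Transport",
    "MSMQ authentication mode": "WindowsDomain",
    "MSMQ protection level": "Sign",
    "Secure hash algorithm": "SHA1",
    "Encryption algorithm": "RC4Stream",
    "Message client credential type": "Windows",
    "Algorithm suite": "Basic256",
    "Client certificate - Thumbprint": "",
    "Service certificate - Thumbprint": "",
}

def lint_security_tab(settings):
    """Return (errors, warnings) for one send port; hypothetical helper, not a BizTalk API."""
    s = {**DEFAULTS, **settings}
    errors, warnings = [], []
    auth, prot = s["MSMQ authentication mode"], s["MSMQ protection level"]
    message = s["Security mode"] in ("Message", "Both")
    client, service = s["Client certificate - Thumbprint"], s["Service certificate - Thumbprint"]

    # Constraints this page states between properties.
    if auth == "None" and prot != "None":
        errors.append("authentication mode None requires protection level None")
    if auth in ("WindowsDomain", "Certificate") and prot == "None":
        errors.append(f"authentication mode {auth} cannot be used with protection level None")
    if auth == "Certificate" and not client:
        errors.append("MSMQ Certificate authentication needs a client certificate thumbprint")
    if message and not service:
        errors.append("Message/Both security mode needs a service certificate thumbprint")
    if message and s["Message client credential type"] == "Certificate" and not client:
        errors.append("Certificate client credential needs a client certificate thumbprint")
    for label, value in (("client", client), ("service", service)):
        if len(value) > 40:
            errors.append(f"{label} thumbprint exceeds the 40-character maximum")
        elif value and not re.fullmatch(r"[0-9A-Fa-f]{40}", value):
            warnings.append(f"{label} thumbprint is not 40 hex digits")  # assumption: SHA-1 thumbprint

    # Weak-algorithm warnings (added assumption), raised only where the property applies.
    if s["Security mode"] == "None":
        warnings.append("security mode None: messages are not secured during transfer")
    if prot != "None" and s["Secure hash algorithm"] in ("MD5", "SHA1"):
        warnings.append(f"hash {s['Secure hash algorithm']} is collision-prone; prefer SHA256 or SHA512")
    if prot == "EncryptAndSign" and s["Encryption algorithm"] == "RC4Stream":
        warnings.append("RC4Stream is a deprecated cipher; prefer AES")
    return errors, warnings
```

A thumbprint pasted from the certificate snap-in can carry spaces or an invisible leading character, which pushes it past 40 characters; the length check catches that case.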

See Also

- How to Configure a WCF-NetMsmq Send Port
- Installing Certificates for the WCF Adapters
- Managing BizTalk Hosts and Host Instances
- How to Change Service Accounts and Passwords
- Message Queuing and Active Directory