1.3 Overview
Message Queuing is a communications service that provides asynchronous and reliable message passing between client applications, including between client applications running on different hosts. In Message Queuing, clients send messages to queues and consume messages from queues. Queues provide message persistence, enabling the sending and receiving client applications to operate asynchronously from each other.
Because Message Queuing involves message passing between nodes, a directory service can be useful to Message Queuing services in several ways. First, a directory service can provide network topology information that the Message Queuing services can use to route messages between nodes. Second, a directory service can be used as a key distribution mechanism for security services that are used by Message Queuing to secure messages and authenticate clients. Third, a directory service can provide clients with discovery capabilities, allowing clients to discover the queues available within the network.
The Message Queuing (MSMQ): Directory Service Protocol provides a set of procedure calls that can be made between a client and an MSMQ Directory Server. The client can use these calls to access the Directory Service remotely. For example, a client can use this protocol to create queue objects in a directory. This protocol is intended for use by the Message Queuing system.
The directory defined by the Message Queuing (MSMQ): Directory Service Protocol is composed of eight types of directory objects representing enterprises, sites, routing links, machines, users, queues, connected networks, and deleted objects.
Each directory object is composed of a collection of properties. Each property has an integer property identifier and a variant property value. Properties are specific to the directory object type. Most directory object types include a GUID property to identify a particular object instance, a directory service pathname property specifying where in the directory the object is stored, and security properties. Some MSMQ object properties are assigned by the directory service while other MSMQ object properties are specified by the client. Some properties are immutable; some properties are mutable by the directory server but not by the client while other properties are mutable by both.
The directory objects either are maintained by the MSMQ Directory Service servers or are stored in a directory that supports [MS-ADTS]. In the latter case, the Message Queuing (MSMQ): Directory Service Protocol server interprets the client RPC calls and uses the [MS-MQDSSM] algorithm to access the [MS-ADTS]-based directory to satisfy client requests.
The Message Queuing (MSMQ): Directory Service Protocol provides methods to create, update, retrieve, and delete objects from the directory service by using either the object name or the unique object GUID as a key to identify the object. Separate interface methods are implemented to manipulate object security properties.
The Message Queuing (MSMQ): Directory Service Protocol also provides a simple query mechanism that allows the enumeration of directory objects through comparison with client-supplied values. The client can specify the matching criteria, the properties to be returned, and the sort order for the results. The server computes the result set. Thereafter, the client retrieves the results in order, in an iterative manner through repeated calls to the server, each call returning the next portion of the result set.
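The object model and the query flow described above, as a small Python model added here for illustration; it is not MS-MQDS code and the integer property identifiers, object kinds and method names (create, get_props, set_props, delete, lookup_begin, lookup_next, lookup_end) are assumptions chosen for the demonstration. It shows objects keyed by both GUID and pathname, server-assigned and immutable properties that a client cannot overwrite, and a server that computes the whole result set once and hands it back to the client one page at a time.

```python
"""Toy model of the directory described in the overview. Added example code,
not MS-MQDS itself: property identifiers, object kinds and method names are
assumptions made for this demonstration."""
import uuid
from operator import eq

# Assumed integer property identifiers (the real MS-MQDS values are not used here).
PROP_GUID, PROP_PATHNAME, PROP_OBJECT_TYPE, PROP_LABEL, PROP_MACHINE_GUID = 1, 2, 3, 4, 5
OBJ_QUEUE, OBJ_MACHINE = "queue", "machine"

IMMUTABLE = {PROP_GUID, PROP_OBJECT_TYPE}     # fixed once the object exists
SERVER_ASSIGNED = {PROP_GUID, PROP_PATHNAME}   # the client never supplies these


class DirectoryServer:
    def __init__(self):
        self._by_guid, self._by_path = {}, {}          # each object is a props dict
        self._lookups, self._next_handle = {}, 1       # open enumerations

    def _find(self, key):
        obj = self._by_guid.get(key) or self._by_path.get(key)
        if obj is None:
            raise KeyError(key)
        return obj

    def create(self, kind, pathname, client_props):
        if set(client_props) & SERVER_ASSIGNED:
            raise ValueError("GUID and pathname are assigned by the directory service")
        if pathname in self._by_path:
            raise ValueError("pathname already in use")
        obj = dict(client_props)
        obj.update({PROP_GUID: uuid.uuid4(), PROP_PATHNAME: pathname, PROP_OBJECT_TYPE: kind})
        self._by_guid[obj[PROP_GUID]] = obj
        self._by_path[pathname] = obj
        return obj[PROP_GUID]

    def get_props(self, key, prop_ids):
        obj = self._find(key)
        return {p: obj.get(p) for p in prop_ids}

    def set_props(self, key, new_props):
        obj = self._find(key)
        blocked = set(new_props) & (IMMUTABLE | SERVER_ASSIGNED)
        if blocked:
            raise PermissionError(f"properties {sorted(blocked)} are not client-mutable")
        obj.update(new_props)

    def delete(self, key):
        obj = self._find(key)
        del self._by_guid[obj[PROP_GUID]]
        del self._by_path[obj[PROP_PATHNAME]]

    def lookup_begin(self, restrictions, columns, sort_prop=None):
        """restrictions: [(prop_id, operator, value)]; columns: prop ids to return.
        The server computes the full result set up front and returns a handle."""
        hits = [o for o in self._by_guid.values()
                if all(p in o and op(o[p], v) for p, op, v in restrictions)]
        if sort_prop is not None:
            hits.sort(key=lambda o: o.get(sort_prop))
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._lookups[handle] = [{c: o.get(c) for c in columns} for o in hits]
        return handle

    def lookup_next(self, handle, max_rows):
        rows = self._lookups[handle]                   # next portion of the result set
        self._lookups[handle] = rows[max_rows:]
        return rows[:max_rows]

    def lookup_end(self, handle):
        del self._lookups[handle]


def enumerate_queue_labels(server, machine_guid, page_size=2):
    """Client side: page through every queue on one machine, sorted by label."""
    handle = server.lookup_begin(
        [(PROP_OBJECT_TYPE, eq, OBJ_QUEUE), (PROP_MACHINE_GUID, eq, machine_guid)],
        [PROP_GUID, PROP_LABEL], sort_prop=PROP_LABEL)
    labels = []
    try:
        while page := server.lookup_next(handle, page_size):
            labels.extend(row[PROP_LABEL] for row in page)
    finally:
        server.lookup_end(handle)                      # release the server-side result set
    return labels


def demo():
    """Constructed sample directory: two machines, four queues."""
    srv = DirectoryServer()
    host1 = srv.create(OBJ_MACHINE, "corp\\host1", {PROP_LABEL: "host1"})
    host2 = srv.create(OBJ_MACHINE, "corp\\host2", {PROP_LABEL: "host2"})
    for name in ("orders", "billing", "audit"):
        srv.create(OBJ_QUEUE, f"host1\\{name}", {PROP_LABEL: name, PROP_MACHINE_GUID: host1})
    srv.create(OBJ_QUEUE, "host2\\orders", {PROP_LABEL: "orders", PROP_MACHINE_GUID: host2})
    try:
        srv.set_props("host1\\audit", {PROP_GUID: uuid.uuid4()})   # must be refused
        guid_rewrite_blocked = False
    except PermissionError:
        guid_rewrite_blocked = True
    return enumerate_queue_labels(srv, host1), guid_rewrite_blocked
```

Running demo() enumerates only host1's queues, in label order, across two pages of two rows and a final empty page, and confirms that a client attempt to rewrite a server-assigned GUID is refused. Holding the computed result set on the server until lookup_end is called is what makes the paging stable; a client that abandons an enumeration without ending it leaves that state behind, which is why the example releases the handle in a finally block.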
The Message Queuing (MSMQ): Directory Service Protocol includes a method for RPC endpoint port negotiation. Through this, the client can determine the RPC endpoint port to use for this protocol.
Generally, for methods that create, update, or delete information in the directory service, the Message Queuing (MSMQ): Directory Service Protocol relies on security mechanisms of the underlying RPC transport to provide client authentication information to the server. There are two exceptions to this. When setting properties on a machine object, and when retrieving the security properties of a machine object, the server invokes a challenge/response callback to the client to authenticate the client. The client signs the challenge by using a private key, and the server validates the signature by using the corresponding public key stored with the machine object in the directory.
Because the directory service provides network topology information and security key distribution, clients need to be able to trust the source of this data. Therefore, this protocol includes methods for a security handshake to allow mutual authentication and to establish cryptographic keys that are used to compute digital signatures. These handshake methods tunnel Generic Security Service API (GSS-API) operations, as specified in [RFC2743], to establish a security context. See [RFC2743] section 2.2.
All methods that return data to the client include signed hashes over returned data, allowing the client to authenticate the source of the data and verify that the data has not been tampered with en route. The signed hashes are computed by using the established security context.
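The two authentication mechanisms above, the machine-object challenge/response callback and the signed hash over every reply, as an added Python model that is not MS-MQDS code. The signature scheme is a deliberately tiny textbook RSA stand-in for whatever real algorithm a deployment uses (fixed small primes, unsuitable for any real key), the derivation of the reply-signing key from the security context is assumed rather than taken from the GSS-API handshake, and the message layouts are constructed for the demonstration. What it shows is the defender-relevant shape of both checks: a fresh single-use challenge verified against the public key stored on the directory object, and a reply hash that binds a sequence number so a reply cannot be swapped for or replayed as another.

```python
"""Added example, not MS-MQDS code: toy RSA challenge/response for machine
objects and HMAC-signed replies keyed from an (assumed) security context."""
import hashlib
import hmac
import secrets

# --- toy RSA: fixed small primes, a stand-in only; never use for real keys ---
_P, _Q, _E = 1000003, 1000033, 65537


def make_keypair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)                    # (public, private)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data, sig):
    n, e = public_key
    return pow(sig, e, n) == _digest_int(data, n)


class DirectoryServer:
    def __init__(self):
        self.machines = {}     # machine guid -> public key stored with the machine object
        self._pending = {}     # outstanding challenges, each usable exactly once

    def register_machine(self, guid, public_key):
        self.machines[guid] = public_key

    def issue_challenge(self, guid):
        if guid not in self.machines:
            raise KeyError(guid)
        challenge = secrets.token_bytes(32)   # fresh and unpredictable
        self._pending[guid] = challenge
        return challenge

    def check_response(self, guid, challenge, sig):
        expected = self._pending.pop(guid, None)   # consumed on first attempt
        if expected is None or not hmac.compare_digest(expected, challenge):
            return False
        return verify(self.machines[guid], challenge, sig)


# --- signed hashes over reply data, keyed from the established security context ---
def derive_signing_key(context_secret):
    # Assumed derivation; a real deployment gets keys from the GSS-API context.
    return hashlib.sha256(b"mqds-reply-signing" + context_secret).digest()


def sign_reply(key, seq, payload):
    # The hash covers the sequence number as well as the payload, so a reply
    # cannot be substituted for the reply to a different request.
    mac = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return seq, payload, mac


def verify_reply(key, expected_seq, reply):
    seq, payload, mac = reply
    if seq != expected_seq:
        return False
    good = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return hmac.compare_digest(good, mac)


def demo():
    """Constructed walk-through: one machine, one challenge, one signed reply."""
    pub, priv = make_keypair()
    srv = DirectoryServer()
    srv.register_machine("machine-guid-1", pub)
    challenge = srv.issue_challenge("machine-guid-1")
    first = srv.check_response("machine-guid-1", challenge, sign(priv, challenge))
    replay = srv.check_response("machine-guid-1", challenge, sign(priv, challenge))
    key = derive_signing_key(b"constructed shared secret from the handshake")
    reply = sign_reply(key, 7, b"queue properties")
    tampered = (7, b"queue propertiez", reply[2])
    return first, replay, verify_reply(key, 7, reply), verify_reply(key, 7, tampered)
```

demo() returns (True, False, True, False): the genuine signed challenge is accepted, the same challenge presented a second time is refused because the server discarded it after the first attempt, the untouched reply verifies, and a reply whose payload was altered in transit does not.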
This is an RPC-based protocol consisting of simple request-response exchanges. For every method request that the server receives, it executes the method and returns a completion. The client simply returns the completion status to the caller.