This topic describes how to obtain signatures and verify the signatures in the console when you use the signature authentication mode provided by Message Queue for MQTT.

Obtain signatures

If you use the signature authentication mode, the Username and Password parameters in the connect message that a Message Queue for MQTT client sends to a Message Queue for MQTT broker must be set based on the specifications described in this topic. For more information, see Authentication overview. The following information shows how the Username and Password parameters are set:

  • Username

    The Username parameter consists of the authentication mode, AccessKey ID, and instance ID. The three parts are separated with vertical bars (|). The authentication mode is set to Signature in signature authentication mode.

    For example, if a Message Queue for MQTT client whose client ID is GID_Test@@@0001 uses the instance ID mqtt-xxxxx and the AccessKey ID YYYYY, the Username parameter must be set to Signature|YYYYY|mqtt-xxxxx.

    For more information about client IDs, see Terms.

  • Password

    The Password parameter indicates the signature calculation result for the client ID. The following information describes how the signature is calculated:

    For example, a Message Queue for MQTT client whose client ID is GID_Test@@@0001 uses the AccessKey secret XXXXX.

    XXXXX is used as the signing key and GID_Test@@@0001 is used as the string to sign. The HMAC SHA-1 algorithm is used to calculate the signature, which produces a binary array. The binary array is then encoded in Base64 to obtain the signed string for the Password parameter.

    Libraries that implement the HMAC SHA-1 algorithm are available for different programming languages. You can search for the function that your language provides for the algorithm. For more information, see Username and Password settings in sample code in Send and receive messages.
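
The following Python sketch builds both parameters as described above and compares a locally computed Password with a reference value such as the one shown in the console. It is an added example, not code from the product's SDK or sample code. The function names, the UTF-8 encoding of the key and the client ID, and the rejection of empty parts or parts that contain a vertical bar are assumptions.

```python
import base64
import hashlib
import hmac

AUTH_MODE = "Signature"  # fixed value for signature authentication mode


def mqtt_username(access_key_id: str, instance_id: str) -> str:
    """Build Username as <mode>|<AccessKey ID>|<instance ID>."""
    for name, value in (("AccessKey ID", access_key_id), ("instance ID", instance_id)):
        # Assumption: reject empty parts and the separator itself, because
        # either would make the three-part Username ambiguous.
        if not value or "|" in value:
            raise ValueError(f"invalid {name}: {value!r}")
    return "|".join((AUTH_MODE, access_key_id, instance_id))


def mqtt_password(client_id: str, access_key_secret: str) -> str:
    """HMAC SHA-1 over the client ID, keyed with the AccessKey secret, in Base64."""
    # Assumption: both strings are encoded as UTF-8 before signing.
    digest = hmac.new(access_key_secret.encode("utf-8"),
                      client_id.encode("utf-8"),
                      hashlib.sha1).digest()          # 20 raw bytes
    return base64.b64encode(digest).decode("ascii")   # 28 characters


def matches_reference(client_id: str, access_key_secret: str, reference: str) -> bool:
    """Compare the locally computed Password with a reference value."""
    computed = mqtt_password(client_id, access_key_secret)
    # Constant-time comparison; strip whitespace picked up by copy and paste.
    return hmac.compare_digest(computed.encode("ascii"),
                               reference.strip().encode("utf-8"))


if __name__ == "__main__":
    # Placeholder values from the example in this topic, not real credentials.
    client_id, ak_id, ak_secret = "GID_Test@@@0001", "YYYYY", "XXXXX"
    print("Username:", mqtt_username(ak_id, "mqtt-xxxxx"))
    print("Password:", mqtt_password(client_id, ak_secret))
```

Load the AccessKey secret from a secret store or environment variable at run time instead of writing it into the source file.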

Verify signatures in the console

The Message Queue for MQTT console provides a signature verification feature that allows you to check whether your signature calculation is correct.

  1. Log on to the Message Queue for MQTT console.
  2. In the left-side navigation pane, click Instances.
  3. In the top navigation bar, select the region where your instance is located.
  4. In the instance list, find your instance and click the name of the instance or click Details in the Actions column.
  5. In the left-side navigation pane, click Signature Verification.
  6. On the Signature Verification page, set Client ID to Be Signed, Access Key, and Secret Key, and click Calculate Signature to obtain the values of the Username and Password parameters that are needed in the program.

Note

This feature uses only the frontend JavaScript code in the web browser to calculate a signature and does not transmit the AccessKey secret to the backend of Message Queue for Apache RocketMQ. This method protects the AccessKey secret from leakage. In practice, this feature in the console is used only to troubleshoot problems and compare data.

A signature can be calculated on a Message Queue for MQTT client. The signature can also be calculated on the Message Queue for MQTT broker, and the result is then sent to the Message Queue for MQTT client. The latter method is more secure.