
Signature method

Last Updated: Apr 16, 2018

ApsaraDB for MongoDB authenticates every access request, so each HTTP or HTTPS request must carry signature information. ApsaraDB for MongoDB performs symmetric encryption to verify the request sender by using the Access Key ID and Access Key Secret. Alibaba Cloud issues the Access Key ID and Access Key Secret to visitors (visitors can apply for and manage them on Alibaba Cloud's official website). The Access Key ID identifies the visitor. The Access Key Secret is the secret key used to encrypt and verify the signature string on the server; it must be kept confidential and be known only to Alibaba Cloud and the user. Access requests are signed as follows:

  1. Use request parameters to construct a canonicalized query string.

    1. The request parameters are ordered alphabetically by the parameter names (this includes the “public request parameters” and custom parameters for the given request interfaces described in this document, but not the Signature parameter mentioned in “public request parameters”).

      Note: When a request is submitted using the GET method, the request parameters are the same as those in the query section of the request URI, that is, the part of the URI following the question mark (?), with parameters joined by the ampersand (&).

    2. The name and value of each request parameter are encoded. URL encoding using the UTF-8 character set is required. URL encoding rules are as follows:

      a. Uppercase letters A to Z, lowercase letters a to z, digits 0 to 9, and the characters hyphen (-), underscore (_), period (.), and tilde (~) are not encoded.

      b. Other characters are encoded in %XY format, with XY representing the characters’ ASCII code in hexadecimal notation. For example, double quotation marks (“) are encoded as %22.

      c. Extended UTF-8 characters are encoded in %XY%ZA… format.

      d. Note that a space ( ) is encoded as %20, not as the plus sign (+).

      NOTE: Generally, libraries that support URL encoding (for example, java.net.URLEncoder of Java) are all encoded according to the rules for the “application/x-www-form-urlencoded” MIME-type. You can use this encoding method directly by replacing the plus sign (+) with %20 and the asterisk (*) with %2A in the encoded string, and change %7E back to the tilde (~) to conform to the preceding encoding rules.

    3. Connect the encoded parameter names and values with the equal sign (=).

    4. Then, sort the parameter name and value pairs connected by equal signs in alphabetical order, and connect them with the & symbol to produce the Canonicalized Query String.

  2. Use the canonicalized query string to construct the string for signature calculation according to the following rules:

    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)

    Here, HTTPMethod is the HTTP method used to submit the request, for example GET. percentEncode("/") is the encoded value of the character / according to the URL encoding rules described in 1.b, namely %2F. percentEncode(CanonicalizedQueryString) is the Canonicalized Query String constructed in Step 1, encoded according to the URL encoding rules described in 1.b.

  3. According to RFC2104 definitions, use the preceding signature string to calculate the signature’s HMAC value.

    NOTE: When calculating the signature, the key is your Access Key Secret with an ampersand (&) (ASCII 38) appended. The SHA1 hashing algorithm is used.

  4. According to Base64 encoding rules, encode the preceding HMAC value into a string to obtain the signature value.

  5. Add the obtained signature value as the Signature parameter to the request parameters to complete the request signing process.

    Note: When the obtained signature value is submitted to the ApsaraDB for RDS server as the final request parameter value, the value is URL encoded like other parameters according to RFC3986 rules. DescribeDBInstances is used as an example. The request URL prior to signing is as follows:

    http://mongodb.aliyuncs.com/?Timestamp=2016-01-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2015-12-01&SignatureVersion=1.0

    The StringToSign is:

    GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeInstances&Format%3DXML&RegionId%3Dregion1&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3DNwDAxvLU6tFE0DVb&SignatureVersion%3D1.0&TimeStamp%3D2016-01-01T10%253A33%253A56Z&Version%3D2015-01-01

    Assume that the Access Key ID parameter value is testid, the Access Key Secret parameter value is testsecret, the key used for HMAC calculation is testsecret& and the calculated signature value is:

    BIPOMlu8LXBeZtLQkJTw6iFvw1E=

    The signed request URL is (with the Signature parameter added):

    http://mongodb.aliyuncs.com/?Timestamp=2016-01-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeInstances&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2015-12-01&Signature=BIPOMlu8LXBeZtLQkJTw6iFvw1E%3D
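The following Python is an added example that walks through steps 1 to 5 above on the example parameters and adds the matching server-side verification; it is not code from the original page or from Alibaba Cloud's SDKs. The endpoint, the parameter values and the secret testsecret are the ones shown above; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request parameters, copied from the example URL above
# (everything except the Signature parameter itself).
EXAMPLE_PARAMS = {
    "Timestamp": "2016-01-01T10:33:56Z", "Format": "XML", "AccessKeyId": "testid",
    "Action": "DescribeInstances", "SignatureMethod": "HMAC-SHA1", "RegionId": "region1",
    "SignatureNonce": "NwDAxvLU6tFE0DVb", "Version": "2015-12-01", "SignatureVersion": "1.0",
}

def percent_encode(value):
    # Step 1.2 / RFC 3986: only A-Z a-z 0-9 - _ . ~ stay unencoded; everything else
    # becomes %XY over its UTF-8 bytes, a space is %20 (never +) and '*' is %2A.
    return quote(str(value), safe="-_.~", encoding="utf-8")

def canonicalized_query_string(params):
    # Steps 1.1 to 1.4: sort by parameter name, leave out Signature, encode name and
    # value, join each pair with '=' and the pairs with '&'.
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()) if k != "Signature")

def string_to_sign(http_method, params):
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    return f"{http_method}&{percent_encode('/')}&{percent_encode(canonicalized_query_string(params))}"

def compute_signature(http_method, params, access_key_secret):
    # Steps 3 and 4: HMAC-SHA1 keyed with AccessKeySecret + "&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(http_method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_url(endpoint, http_method, params, access_key_secret):
    # Step 5: add Signature as one more parameter; it is URL-encoded like the others.
    signed = dict(params, Signature=compute_signature(http_method, params, access_key_secret))
    return endpoint + "/?" + "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                                      for k, v in signed.items())

def verify_request(http_method, received_params, access_key_secret):
    # Server-side check: recompute over everything except Signature and compare in
    # constant time, so a tampered parameter or a wrong secret is rejected without
    # leaking how many signature bytes matched.
    presented = received_params.get("Signature", "")
    expected = compute_signature(http_method, received_params, access_key_secret)
    return hmac.compare_digest(presented, expected)
```

Note that the StringToSign produced here encodes the "&" between pairs as %26, as step 2 requires, because the whole Canonicalized Query String is percent-encoded.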