This topic describes how to obtain signatures and verify the signatures in the console when you use the signature authentication mode provided by Message Queue for MQTT.

Obtain signatures

If you use the signature authentication mode, the Username and Password parameters in the connect message that a Message Queue for MQTT client sends to a Message Queue for MQTT broker must be set based on the specifications described in this topic. For more information, see Authentication overview. The following information shows how the Username and Password parameters are set:

  • Username

    The Username parameter consists of the authentication mode, AccessKey ID, and instance ID. The three parts are separated by vertical bars (|). The authentication mode is set to Signature in signature authentication mode.

    For example, a Message Queue for MQTT client whose client ID is GID_Test@@@0001 uses the instance ID mqtt-xxxxx and the AccessKey ID YYYYY. In this case, the Username parameter must be set to Signature|YYYYY|mqtt-xxxxx.

    For more information about client IDs, see Terms.

  • Password

    The Password parameter is the signature calculated over the client ID. The signature is calculated as follows:

    For example, a Message Queue for MQTT client whose client ID is GID_Test@@@0001 uses the AccessKey secret XXXXX.

    XXXXX is used as the signing key, GID_Test@@@0001 is used as the string to sign, and the HMAC SHA-1 algorithm is used to calculate the signature, which yields a binary array. The binary array is then encoded in Base64, and the resulting string is the value of the Password parameter.

    Note
    • The methods for setting the Username and Password parameters have been encapsulated into Message Queue for MQTT SDK for clients. You do not need to separately set them. For more information about SDK download URLs, see Download the SDK.
    • For more information about how to use the HMAC SHA-1 algorithm to calculate the signature by using Message Queue for MQTT SDK for Java, see the sample code for the ConnectionOptionWrapper and Tools classes in the Demo. Function libraries are available for the implementation of the HMAC algorithm in different programming languages. You can search for one as required.
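
The calculation described above, written out in Python as an added example (this is not code from the SDK or the Demo). The function names are hypothetical, and the UTF-8 encoding of the key and client ID and the rejection of `|` inside a field are assumptions of the example:

```python
import base64
import hashlib
import hmac

AUTH_MODE = "Signature"  # authentication mode named in this topic


def build_username(access_key_id: str, instance_id: str) -> str:
    """Username = authentication mode | AccessKey ID | instance ID."""
    for part in (access_key_id, instance_id):
        # Added check (assumption): a '|' inside a field would make the
        # three-part Username ambiguous, so it is refused here.
        if not part or "|" in part:
            raise ValueError("field must be non-empty and must not contain '|'")
    return "|".join((AUTH_MODE, access_key_id, instance_id))


def sign_client_id(access_key_secret: str, client_id: str) -> str:
    """Password = Base64(HMAC-SHA1(key=AccessKey secret, msg=client ID))."""
    digest = hmac.new(
        access_key_secret.encode("utf-8"),  # signing key (UTF-8 assumed)
        client_id.encode("utf-8"),          # string to sign (UTF-8 assumed)
        hashlib.sha1,
    ).digest()                              # 20-byte binary array
    return base64.b64encode(digest).decode("ascii")


def password_matches(access_key_secret: str, client_id: str, presented: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    expected = sign_client_id(access_key_secret, client_id)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Placeholder values taken from the example in this topic.
    client_id = "GID_Test@@@0001"
    print("Username:", build_username("YYYYY", "mqtt-xxxxx"))
    print("Password:", sign_client_id("XXXXX", client_id))
```

Because the signature covers only the client ID, the Password for a given client ID stays the same until the AccessKey secret changes, so treat a computed Password as a long-lived credential when storing or logging it.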

Verify signatures in the console

The Message Queue for MQTT console provides the signature verification feature that allows you to check whether the signature calculation is valid.

  1. Log on to the Message Queue for MQTT console.
  2. In the left-side navigation pane, click Instances.
  3. In the top navigation bar, select the region in which your instance resides.
  4. In the instance list, find your instance and click the name of the instance or click Details in the Actions column.
  5. In the left-side navigation pane, click Signature Verification.
  6. On the Signature Verification page, set the Client ID to Be Signed, Access Key, and Secret Key parameters, and click Calculate Signature to obtain the values of the Username and Password parameters that are needed in the program.
Note

This feature uses only the frontend JavaScript code in the web browser to calculate a signature and does not transmit the AccessKey secret to the backend of Message Queue for Apache RocketMQ. This protects the AccessKey secret from leakage. In practice, this console feature is used only to troubleshoot errors and compare data.

A signature can be calculated on a Message Queue for MQTT client. The signature can also be calculated on the Message Queue for MQTT broker, and the result is then sent to the Message Queue for MQTT client. The latter method is more secure.