ApsaraMQ for MQTT: Signature authentication

Last Updated: Jul 28, 2023

This topic describes how to obtain signatures and verify the signatures in the console when you use the signature authentication mode provided by ApsaraMQ for MQTT.

Obtain signatures

If you use the signature authentication mode, the Username and Password parameters in the connect message that an ApsaraMQ for MQTT client sends to an ApsaraMQ for MQTT broker must be set based on the specifications described in this topic. For more information, see Authentication overview. The following information shows how the Username and Password parameters are set:

  • Username

    The Username parameter consists of the authentication mode, AccessKey ID, and instance ID. The three parts are separated by vertical bars (|). The authentication mode is set to Signature in signature authentication mode.

    For example, an ApsaraMQ for MQTT client whose client ID is GID_Test@@@0001 uses the instance ID mqtt-xxxxx and the AccessKey ID YYYYY. In this case, the Username parameter must be set to Signature|YYYYY|mqtt-xxxxx.

    For more information about client IDs, see Terms.

  • Password

    The Password parameter indicates the signature calculation result for the client ID. The following section describes how the signature is calculated:

    For example, an ApsaraMQ for MQTT client whose client ID is GID_Test@@@0001 uses the AccessKey secret XXXXX.

    XXXXX is used as the signing key and GID_Test@@@0001 is used as the string to sign. The HMAC SHA-1 algorithm calculates the signature, which produces a binary array. The binary array is then encoded in Base64, and the resulting string is the value of the Password parameter.

    Note
    • The methods for setting the Username and Password parameters have been encapsulated into ApsaraMQ for MQTT SDK for clients. You do not need to separately set them. For more information about SDK download URLs, see Download the SDK.

    • For information about how to use the HMAC SHA-1 algorithm to calculate the signature by using the SDK for Java, see the sample code for the ConnectionOptionWrapper and Tools classes in the Demo. Function libraries are available for the implementation of the HMAC algorithm in different programming languages. You can search for one based on your business requirements.
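
The Username and Password calculation described above, as an added example in Python (not code from the ApsaraMQ for MQTT SDK or Demo). The function names are hypothetical, UTF-8 encoding of the client ID and AccessKey secret is an assumption, and the sample values are the placeholders used on this page.

```python
import base64
import hashlib
import hmac

AUTH_MODE = "Signature"  # authentication mode named on this page


def build_username(access_key_id: str, instance_id: str) -> str:
    """Join authentication mode, AccessKey ID and instance ID with '|'."""
    for part in (access_key_id, instance_id):
        # A '|' inside a part would shift the fields the broker parses.
        if not part or "|" in part:
            raise ValueError("Username parts must be non-empty and contain no '|'")
    return "|".join((AUTH_MODE, access_key_id, instance_id))


def sign_client_id(client_id: str, access_key_secret: str) -> str:
    """Return Base64(HMAC-SHA1(key=AccessKey secret, message=client ID))."""
    # Assumption: both strings are encoded as UTF-8 before signing.
    digest = hmac.new(access_key_secret.encode("utf-8"),
                      client_id.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def password_matches(client_id: str, access_key_secret: str, candidate: str) -> bool:
    """Compare a candidate Password with the expected one in constant time."""
    expected = sign_client_id(client_id, access_key_secret)
    return hmac.compare_digest(expected.encode("ascii"), candidate.encode("utf-8"))


if __name__ == "__main__":
    # Placeholder values taken from the example on this page.
    client_id, key_id, secret, instance = "GID_Test@@@0001", "YYYYY", "XXXXX", "mqtt-xxxxx"
    print("Username:", build_username(key_id, instance))
    print("Password:", sign_client_id(client_id, secret))
```

Because the Password depends only on the client ID and the AccessKey secret, the same client ID always yields the same Password until the AccessKey secret is rotated.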

Verify signatures in the console

The ApsaraMQ for MQTT console provides a signature verification feature that allows you to check whether a signature was calculated correctly.

  1. Log on to the ApsaraMQ for MQTT console.

  2. In the left-side navigation pane, click Instances.

  3. In the top navigation bar, select the region in which your instance resides.

  4. In the instance list, find your instance and click the name of the instance or click Details in the Actions column.

  5. In the left-side navigation pane, click Signature Verification.

  6. On the Signature Verification page, set the Client ID to Be Signed, Access Key, and Secret Key parameters, and click Calculate Signature to obtain the values of the Username and Password parameters that are needed in the program.

Note

This feature uses only the frontend JavaScript code in the web browser to calculate a signature and does not transmit the AccessKey secret to the backend of ApsaraMQ for RocketMQ. This protects the AccessKey secret from leakage. In practice, this feature in the console is used only to troubleshoot errors and compare data.

A signature can be calculated on an ApsaraMQ for MQTT client. The signature can also be calculated on the ApsaraMQ for MQTT broker, and the result is then sent to the ApsaraMQ for MQTT client. The latter method is more secure.