To ensure security, all API requests must be signed. Alibaba Cloud uses the request signature to verify the identity of the API caller. Therefore, all API requests must contain signature information, regardless of whether they are sent by using HTTP or HTTPS.

Overview

You must add the signature to the Message Queue for Apache RocketMQ API request in the following format:

https://Endpoint/?SignatureVersion=1.0&SignatureMethod=HMAC-SHA1&Signature=CT9X0VtwR86fNWSnsc6v8YGOju****&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82f****
Note For your convenience, we recommend that you use Alibaba Cloud SDKs to automatically sign API requests. For more information, see Obtain an SDK.
  • Endpoint: the endpoint of the Message Queue for Apache RocketMQ API. For more information, see Endpoints.
  • SignatureMethod: the encryption method of the signature string. Set the value to HMAC-SHA1.
  • SignatureVersion: the version of the signature encryption algorithm. Set the value to 1.0.
  • SignatureNonce: a unique, random number used to prevent replay attacks. You must use different random numbers for different requests. We recommend that you use universally unique identifiers (UUIDs).
  • Signature: the signature generated after the request has been symmetrically encrypted by using the AccessKey secret.
The signature algorithm complies with RFC 2104 HMAC-SHA1 specifications. The AccessKey secret is used to calculate the hash-based message authentication code (HMAC) value of the encoded and sorted query string, and the HMAC value is used as the signature string. Request signatures include operation-specific parameters. Therefore, the signature of a request varies depending on the request parameters. To calculate the signature string, you can follow the steps in this topic.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(
StringToSign)) )

Step 1: Compose and encode a string-to-sign

  1. Create a canonicalized query string by using the request parameters.
    1. Arrange the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note When you use the GET method to submit requests, these parameters constitute the parameter field of the request URL. They are placed after the question mark (?) in the request URL and connected by ampersands (&).
    2. Encode the name and value of each request parameter. The names and values must be URL encoded by using the UTF-8 character set. For more information about encoding rules, see the following table.
      Character Encoding rule
      A to Z, a to z, 0 to 9, hyphens (-), underscores (_), periods (.), and tildes (~). These characters do not need to be encoded.
      Other characters These characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      Extended UTF-8 characters These characters are encoded in the %XY%ZA…format.
      Spaces Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
      This encoding method is different from the application/x-www-form-urlencoded MIME encoding algorithm (such as the java.net.URLEncoder class provided by the Java standard library). You can encode spaces based on the encoding rule for the standard library, and then replace the plus sign (+) in the encoded string with %20, the asterisk (*) with %2A, and the tilde (~) with %7E. To do this, you can use the following percentEncode method:
      private static final String ENCODING = "UTF-8";
      private static String percentEncode(String value) throws UnsupportedEncodingException 
      {
      return value != null ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~") : null;
      }
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Sort the parameter name and value pairs in the order specified in Step 1.1.1 and connect the pairs by using ampersands (&) to produce the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    StringToSign=
          HTTPMethod + “&” +
          percentEncode(“/”) + ”&” +
           percentEncode(CanonicalizedQueryString)

    where:

    • HTTPMethod: the HTTP method used to send the request, such as GET.
    • percentEncode("/"): the encoded value (%2F) of a forward slash (/). The encoding follows the URL encoding rules.
    • percentEncode(CanonicalizedQueryString): the canonicalized query string encoded based on the URL encoding rules described in Step 1.1.2 from the string created in Step 1.1.1.

Step 2: Calculate the signature string

  1. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note The key used for calculating the signature is your AccessKey secret followed by an ampersand (&) (ASCII:38). The SHA1 algorithm is used for the calculation.
  2. Encode the HMAC value in Base64 to obtain the signature string.
  3. Add the signature string to the request as the Signature parameter.
    Note When you add the signature string to the request as the Signature parameter, the parameter must be URL encoded like other parameters based on rules defined in RFC 3986.

Example

This example shows how to sign an API request for calling the DescribeRegions operation. Assume that the value of the AccessKeyId parameter is testid and that of the AccessKeySecret parameter is testsecret. The following example shows the request URL to be signed:

http://ecs.aliyuncs.com/?Timestamp=2016-02-23T12%3A46:24Z&Format=XML&AccessKeyId=testid&Action=DescribeRegions&SignatureMethod=HMAC-SHA1&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82f****&Version=2014-05-26&SignatureVersion=1.0

The following signature string calculated by using testsecret& is returned:

OLeaidS1JvxuMvnyHOwuJ+u****

After the signature string is added to the request as the Signature parameter, the following URL is returned:

http://ecs.aliyuncs.com/?SignatureVersion=1.0&Action=DescribeRegions&Format=XML&SignatureNonce=3ee8c1b8-83d3-44af-a94f-4e0ad82f****&Version=2014-05-26&AccessKeyId=testid&Signature=OLeaidS1JvxuMvnyHOwuJ+u****=&SignatureMethod=HMAC-SHA1&Timestamp=2016-02-23T12%3A46%3A24Z