ApsaraMQ for MQTT:Signature-based authentication

Signature calculation method

As described in Authentication overview, if you use signature-based authentication, set the Username and Password parameters in the connect message as follows when an ApsaraMQ for MQTT client connects to the MQTT server:

• Username

  The Username consists of three parts: the authentication mode, AccessKey ID, and instance ID. These parts are separated by vertical bars (|). For signature-based authentication, the authentication mode is set to Signature.

  For example, if a client has the client ID GID_Test@@@0001, uses the instance ID mqtt-xxxxx, and uses the AccessKey ID YYYYY, the Username for signature-based authentication must be set to Signature|YYYYY|mqtt-xxxxx.

  For more information about client IDs, see Terms.

• Password

  The signature of the Client ID. The calculation method is as follows:

  For example, a client has the client ID GID_Test@@@0001 and uses the AccessKey secret XXXXX.

  Use XXXXX as the key and the HMAC-SHA1 algorithm to sign the string GID_Test@@@0001. This generates a binary array. Then, Base64-encode the binary array to obtain the final Password string.

  Function libraries for the HMAC-SHA1 algorithm are available for various programming languages. You can search for them online or view the code for setting the Username and Password in the examples in Use signature-based authentication for an ApsaraMQ for MQTT client.

Verify a signature using the console

The ApsaraMQ for MQTT console provides a signature calculation tool that you can use to verify that your signature calculation is correct.

1. Log on to the ApsaraMQ for MQTT console. In the top menu bar, select a region.

2. In the navigation pane on the left, click Signature Verification.

3. On the Signature Verification page, enter the AccessKey ID, AccessKey secret, and client ID that your program uses. Click Calculate Signature to obtain the Username and Password parameters that you need to set in your program.