Quercus Message Link Developer’s Guide

Quercus Message Link security

Authorisation keys

You can configure Message Link to require an authorisation key for each service call. This option should be used if you wish to prevent unauthorised individuals gaining access to exposed data.

Authorisation requires the following steps:

1. Set the QML.REST.AUTH_KEY_TYPE parameter to require authorisation and to select the authorisation type.

2. Set QML.REST.AUTH_KEY_SECRET. This is a case-sensitive shared secret or password used to generate the authorisation key. It must be used in conjunction with the QML.REST.AUTH_KEY_TYPE parameter.

3. Ensure that the external systems using the Quercus Message Link Web service can generate the correct hash and retrieve the appropriate authorisation key.

4. Ensure that the Quercus Message Link service calls contain an auth parameter set to the appropriate value, e.g. a hash or authorisation key.

Requiring authorisation

Authorisation is required when the parameter QML.REST.AUTH_KEY_TYPE is set to either MD5 or SHA1. The parameter value can be changed through the Control Centre Set-Up | Parameters option.

When authorisation is required and the authorisation key is missing from the web service call, or is incorrect, HTTP 403 Not Authorised is returned.

Setting the authorisation key if the QML.REST.AUTH_KEY_TYPE is set to MD5 or SHA1

If QML.REST.AUTH_KEY_TYPE is set to MD5 or SHA1, you must append the appropriate hash as the authorisation parameter.

The hash is created from a string formed by concatenating all parameters, separated by ampersands, and terminated by the QML.REST.AUTH_KEY_SECRET value.

You must include an ampersand for each possible parameter, even if the parameter is not present.

The authorisation key calculations for the relevant web services are as follows:

| Message Link Web service | Authorisation Key Calculation |
| --- | --- |
| ReceiveMessage | SHA/MD5(ACCESS_ID&EXPIRES&KEY_SECRET) |
| DeleteMessage | SHA/MD5(P_RECEIPT_QUEUE&ACCESS_ID&EXPIRES&RECEIPT&KEY_SECRET) |
| SendMessage | SHA/MD5(ACCESS_ID&EXPIRES&PAYLOAD&KEY_SECRET) |
| GetMessageStatus | SHA/MD5(ACCESS_ID&EXPIRES&RECEIPT&MESSAGE_TYPE&KEY_SECRET) |

The expires parameter is an XML date and timestamp in the format YYYY-MM-DDTHH:MI:SS.

The hash value should be appended to the web service call using the parameter auth, for example:

https://labs.campusit.net/qdev/qml_rest.ReceiveMessage?accessid=GIVE_ME_ACCESS&receiptTimeout=90&expires=2099-01-01T00:00:01&auth=2A49A6CC5796962AAD8E05FAD4438BEE
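
The calculation described above, as an added example that is not part of the original guide or of the Quercus product: it builds the string for each service from the table, keeps the ampersand for parameters that are absent, and compares a supplied auth value in constant time. The UTF-8 input encoding, the upper-case hex output (chosen to match the form of the sample URL), the dictionary keys and the secret `ExampleSecret` are assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Field order per service, taken from the table on this page.
# The shared secret (KEY_SECRET) is always appended last.
FIELDS = {
    "ReceiveMessage":   ("ACCESS_ID", "EXPIRES"),
    "DeleteMessage":    ("P_RECEIPT_QUEUE", "ACCESS_ID", "EXPIRES", "RECEIPT"),
    "SendMessage":      ("ACCESS_ID", "EXPIRES", "PAYLOAD"),
    "GetMessageStatus": ("ACCESS_ID", "EXPIRES", "RECEIPT", "MESSAGE_TYPE"),
}
# The two values of QML.REST.AUTH_KEY_TYPE that require authorisation.
ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def string_to_hash(service, params, secret):
    """Join every possible field with '&'. Absent fields become empty
    strings so their ampersand is still present; the secret ends the string."""
    # Reject an expires value that does not parse as YYYY-MM-DDTHH:MI:SS.
    datetime.strptime(params.get("EXPIRES", ""), "%Y-%m-%dT%H:%M:%S")
    values = [params.get(name) or "" for name in FIELDS[service]]
    return "&".join(values + [secret])


def auth_key(service, params, secret, key_type="SHA1"):
    """Assumed encoding: UTF-8 input bytes, upper-case hex output."""
    data = string_to_hash(service, params, secret).encode("utf-8")
    return ALGORITHMS[key_type](data).hexdigest().upper()


def auth_matches(supplied, service, params, secret, key_type="SHA1"):
    """Constant-time comparison of a supplied auth value (hex case ignored)."""
    expected = auth_key(service, params, secret, key_type)
    return hmac.compare_digest(supplied.upper().encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    p = {"ACCESS_ID": "GIVE_ME_ACCESS", "EXPIRES": "2099-01-01T00:00:01",
         "RECEIPT": "R-1"}
    # MESSAGE_TYPE is absent, so two ampersands precede the secret.
    print(string_to_hash("GetMessageStatus", p, "ExampleSecret"))
    print(auth_key("GetMessageStatus", p, "ExampleSecret", "MD5"))
```

Per the table, only the listed fields enter the hash, so a parameter such as receiptTimeout in the sample URL is not covered by the auth value.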