Request Authentication
The following is an insecure request to run instances:
<RunInstances xmlns="http://ec2.amazonaws.com/doc/2006-06-26">
  <instancesSet>
    <item>
      <imageId>ami-60a54009</imageId>
      <minCount>1</minCount>
      <maxCount>3</maxCount>
    </item>
  </instancesSet>
  <groupSet/>
</RunInstances>
In order to secure the request, we must add the BinarySecurityToken element mentioned above. The
Java libraries we supply rely on the Apache Axis project for XML security, canonicalization and SOAP
support. (The Sun Java Web Service Developer's Pack supplies libraries of equivalent functionality.)
The secure version of the request begins with the following:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CertId-1064304">....many, many lines of base64 encoded X.509 certificate...</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
          <ds:Reference URI="#id-17984263">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>0pjZ1+TvgPf6uG7o+Yp3l2YdGZ4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-15778003">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
            <ds:DigestValue>HhRbxBBmc2OO348f8nLNZyo4AOM=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>bmVx24Qom4kd9QQtclxWIlgLk4QsQBPaKESi79x479xgbO9PEStXMiHZuBAi9luuKdNTcfQ8UE/djjHKZKEQRCOlLVy0Dn5ZL1RlMHsv+OzJzzvIJFTq3LQKNrzJzsNe</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-17007273">
          <wsse:SecurityTokenReference
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              wsu:Id="STRId-22438818">
            <wsse:Reference URI="#CertId-1064304"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
            </wsse:Reference>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="id-17984263">
        <wsu:Created>2006-06-09T10:57:35Z</wsu:Created>
        <wsu:Expires>2006-06-09T11:02:35Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </SOAP-ENV:Header>
Let's take a quick look at the most important elements, in case you are matching this against requests
generated by Amazon EC2 supplied libraries or those of another vendor.
BinarySecurityToken - Contains the X.509 certificate in base64 encoded PEM format.
Signature - Contains the XML digital signature created using the canonicalization, signature algorithm,
and digest method described within.
Timestamp - Any request is valid to Amazon EC2 only within 5 minutes of this value. Used to
prevent replay attacks.
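The Timestamp protects against replay only if it is one of the elements the signature covers, as it is in the sample above (Reference URI="#id-17984263"). The Python check below is an added example, not code from this guide or from the Amazon EC2 libraries; the name check_timestamp and the reduced SAMPLE header are constructed for illustration, and it does not verify the signature or digest values themselves.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wsse": WSSE, "wsu": WSU, "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_WINDOW = timedelta(minutes=5)  # validity period stated in the guide

# Constructed sample: the guide's Security header reduced to the parts checked here.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#id-17984263"/>
    <ds:Reference URI="#id-15778003"/>
  </ds:SignedInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="id-17984263">
    <wsu:Created>2006-06-09T10:57:35Z</wsu:Created>
    <wsu:Expires>2006-06-09T11:02:35Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>"""

def _utc(text):
    # Accept only the UTC "Z" form used in the guide's sample.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_timestamp(security_xml, now):
    """Return a list of problems; an empty list means the timestamp checks pass."""
    root = ET.fromstring(security_xml)
    ts = root.find("wsu:Timestamp", NS)
    if ts is None:
        return ["no wsu:Timestamp in the Security header"]
    problems = []
    # The Timestamp's wsu:Id must appear as a ds:Reference URI inside SignedInfo.
    signed = {r.get("URI", "") for r in root.findall(".//ds:SignedInfo/ds:Reference", NS)}
    ts_id = ts.get("{%s}Id" % WSU)
    if not ts_id or "#" + ts_id not in signed:
        problems.append("Timestamp is not covered by a ds:Reference")
    try:
        created = _utc(ts.findtext("wsu:Created", "", NS))
        expires = _utc(ts.findtext("wsu:Expires", "", NS))
    except ValueError:
        return problems + ["Created/Expires missing or not in UTC 'Z' form"]
    if expires - created > MAX_WINDOW:
        problems.append("validity window longer than 5 minutes")
    if now < created:
        problems.append("Created is in the future")
    if now > expires:
        problems.append("request has expired")
    return problems
```
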
Amazon EC2
Developer Guide