Source IP filtering

For systems where all hits come direct from a known customer server access control for the Data and Search APIs can be supported by white/black listing of source IP addresses as provided by the customer.

Please contact technical support if you wish to enable source IP filtering for your MVS service.

Request signing

Pre-shared key authentication is provided on both your Search API and Data API. Please contact technical support if you wish to disable this authentication.

Where this is enabled the customer will be provided with a customer identity and matching secret key which they then use to sign all requests to the API. Requests are signed by the addition of appropriate HTTP Authorization and Date headers as per RFC 2616. The “credentials” portion of the former consists of a concatenation of “MAAPIv1 “, the customer identity, “ “, and the signature.

The signature is a Base64 encoded HMAC-SHA1 hash, using the secret key, of the result of

  1. the customer identity
  2. the HTTP method – i.e. GET, POST or DELETE
  3. the resource – i.e. the bare URL without query string
  4. the value of the Date header
  5. the concatenation of all URL param/value pairs in the query string, lexicographically
  6. sorted first by param and then by value, and values not URL encoded
  7. the number of bytes in the body or 0 if there isn’t one

As well as the signature itself requests must contain the correct identity for the resource being accessed, and the date must be correct within a small (typically 15 minute) tolerance.

In the command line examples below the customer identity is assumed to be bound to
${IDENTITY} and the key to ${SECRET}. They assume access to recent versions of “base64”, “openssl”, and the GNU Coreutils version of “date”. On Mac systems the latter needs to be explicitly installed, e.g. via HomeBrew –, since the standard date command does not support the required options.

In this example we list the images in dataset “test” belonging to client “ma”:

$ DATE=`date -R`
$ echo $DATE
Tue, 12 Feb 2013 13:27:11 +0000
$ echo -n ${STS} | openssl sha1 -hmac ${SECRET} -binary | base64
$ curl -H "Authorization: MAAPIv1 ${IDENTITY} SbiMZxkXNqEMNjvAD6+jIDXkisI=" -H "Date: Tue, 12 Feb 2013 13:27:11 +0000"

In this next example we add a second image “Skyfall.jpg” (of size 134354 bytes) to the same dataset with the value “Skyfall”

$ DATE=`date -R`
$ echo $DATE
Tue, 12 Feb 2013 14:18:48 +0000
$ echo -n ${STS} | openssl sha1 -hmac ${SECRET} -binary | base64
$ curl -H "Authorization: MAAPIv1 ${IDENTITY} Ppiq6t9nZZB2L/O/HuTvVF80QZg=" -H "Date: Tue, 12 Feb 2013 14:18:48 +0000" -H "Content-Type: image/jpeg" --data-binary

Finally here is an example of an authenticated search API hit against the same dataset using a 35293 byte JPG image in “query-brave.jpg”:

$ DATE=`date -R`
$ echo $DATE
Wed, 13 Feb 2013 14:32:53 GMT
$ echo -n ${STS} | openssl sha1 -hmac ${SECRET} -binary | base64
$ curl -H "Authorization: MAAPIv1 ${IDENTITY} XEMlHIlPiQXaUxueZ8c9V9Tw5rI=" -H "Date: Wed, 13 Feb 2013 14:32:53 GMT" -H "Content-Type: image/jpeg" --data-binary @querybrave.jpg