Amazon Web Service Secure Request

by Viper 15. June 2009 13:41

Some time back I wrote a post on C# API for Amazon Product Advertising Web Service. If you are one of amazon associates who is using their web service to advertise their products to earn some money, then you must be getting emails with following message from Amazon.com.

We wanted to remind you that all Product Advertising API developers will be required to authenticate all calls to the Product Advertising API by August 15, 2009. We noticed that requests with your AWS Access Key ID are not being signed and, while you have more than 60 days until the date on which authentication is required, we are, as a courtesy, sending you this email to remind you of the new authentication requirement. Please remember that calls to the Product Advertising API that are not signed will not be processed after August 15, 2009.

There is nothing to worry about this. It is a very simple change that you will need to make on your end. Amazon has given two options to digitally sign the requests. Either encrypt all requests with HMAC-SHA encryption or use X509Certificate. If you don't have X509Certificate, don't worry about it. Amazon.com is creating one for you if you ask it to. I found this option to use X509Certificate to be the easiest to comply with Amazon.com policy. Here are the steps you will need to use.

Login into your AWS account.
Click on Access Identifiers link on Your Account page.
At the end of the page you will find section for X509.Certificate. Click on Create New option to create your certificate.
Make sure that you follow the instructions and save the private key and certificate file as the process asks you to.

Now time to make code change. It is simple. Just add one line to your implementation and you are all set.


m_obAmazonService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(X509CertFile));

X509CertFile is full path to where this file is stored. If you are using the API in web application, make sure you specify fully qualified path and your application has read permissions on this file as well. You can this in action here - Winazon.Net

Give your advice to big bosses and make money

57eefc1f-85b9-48ce-a4a0-71c37492c95f|0|.0

Tags: aws, advertising

.Net

6/16/2009 3:11:24 PM #

Is this line of code for the Winazon.net program because it didn't seam to fit with your C# Api for Amazon nor your using WCF for Amazon samples. I'm trying to use your WCF example and add the security that Amazon is going ot require but having problems. Any help would be most appreciated.

Thanks,

JefferyS

Jeffery

6/16/2009 3:39:01 PM #

You just need to add the certificate instance to "service" object that you create to call into Amazon. There is no WCF specific code required for Amazon web service calls because their service is based on older protocol. That would mean that when you add reference to their WSDL to create web service proxy, you will have to choose the option to add the reference as Web Service and not as WCF service.

Viper

6/16/2009 6:22:46 PM #

Does this require that you install the client certificate on the server?

Kevin Pang

6/16/2009 6:55:55 PM #

This nothing like installing SSL certificate or thing like that. When you will create X509 certificate from Amazon site, you simply need to download the file and put it somewhere on the server or under your web site folder. And you just need to specify full physical path to this file when creating instance of X509Certificate object. Lets say that you copy the file at root folder of your web application, then the code is as simple as

X509Certificate cert = X509Certificate.Create(Server.MapPath("~/MyX509File.pem"));

Pretty simple straight forward process to get your X509 certificate going.

6/17/2009 10:21:00 AM #

Thanks a lot for your help Viper, I think I have it working now.

Thanks,

JefferyS

7/2/2009 1:17:49 AM #

Very good info on how to avoid those mails from Amazon

Online Poker

7/2/2009 1:23:50 PM #

Is WSE 3 not necessary? In the sample code that Amazon posts they are using WSE 3: developer.amazonwebservices.com/.../entry.jspa

Nathan

7/6/2009 7:44:29 AM #

No, you will need to use WSE3 at all. The sample that is posted on amazon help site uses second option of using HMAC to encrypt request. This is what ticked me off as well that just to use that option, I do not want to install WSE3. It is easier to simply use X509 certificate option and just use .Net framework to accomplish it.

viper

7/6/2009 8:05:16 AM #

thanks for that info - saved me a ton of work and hassle

7/6/2009 8:58:09 AM #

Since you've been so helpful...two more concerns I had is a) The key file - not necessary? b) How do I know that my implementation was correct? I added the cert file as you described, and my Amazon calls were successful...is that it? (I'm trying to ascertain that I won't run into trouble come August 15, when the security changes will be required)

7/6/2009 1:13:11 PM #

Amazon has been very good about keeping people informed if they are compliant or not. They were sending me regular reminders about compliance issue and now they have stopped. Other thing is that if your calls are working with X509 file, you can sleep easy
With X509 certificate file implementation, you will not require any other key file for HMAC encryption or things like that. I am assuming thats what you were referring to as key file.

7/10/2009 2:59:09 PM #

Thanks for the info, I was trying to mess with WSE3 but adding one line of code - didn't think that it was that easy

Peter

8/3/2009 8:13:00 PM #

I've been trying this during the scheduled outage today, and it doesn't seem to work. Is any one having any luck with this approach?

Concerned Developer

8/5/2009 4:48:08 AM #

Good information about the Amazon Web Service....thanks

online earning

8/10/2009 1:29:47 PM #

This looks great...but this call here:

m_obAmazonService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(X509CertFile));

I dont see ClientCertificates in the object generated by my WSDL. Maybe I am barking up the wrong tree....is your m

New to the AWS Dev

8/10/2009 1:51:16 PM #

Nevermind - I now see it in System.Web.Services.Protocols.SoapHttpClientProtocol.
Did anyone try this solution during the outage today, and what was the result? Did it work?

8/17/2009 3:32:14 PM #

I'm using the method: m_obAmazonService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(X509CertFile)); to send amazon the certificate and I am now getting a message:

System.Web.Services.Protocols.SoapException: The request must contain the parameter Signature. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at WishList.com.amazonaws.ecs.AWSECommerceService.ItemSearch(ItemSearch ItemSearch1) in c:\my programming\visual studio projects\projects\wishlist\wishlist\web references\com.amazonaws.ecs\reference.cs:line 222 at WishList.AddItemAmazon.SearchAmazon(String searchIndex, String keyword, String browseNode, String sort) in C:\My Programming\Visual Studio Projects\Projects\WishList\WishList\AddItemAmazon.aspx.cs:line 124

Anyone getting this or have any Ideas on why i'm getting this error. I thought the Signature wasn't required when using a certificate.

Thanks,

Jeffery

8/18/2009 9:01:21 AM #

Hi,
I'm getting the same error message "The request must contain the parameter Signature", how and where do I have to sign the request?

8/19/2009 4:56:42 AM #

Hi,

I got the same exception message too.
Any Amazon guy can help us?
Very urgent here.

cupid48

8/26/2009 5:38:39 AM #

Very interesting topic will bookmark your site to check if you write more about in the future.

Baume Mercier Classima

8/26/2009 7:48:56 AM #

Check out

http://flyingpies.wordpress.com/2009/08/01/17/

9/3/2009 8:21:37 AM #

Hi,

It doesn't work for me. I created a new certificate and added the line to my code but it didn't work. Here's a brief sample of the code:

--------
Dim service As amazon.AWSECommerceService = New amazon.AWSECommerceService
Dim itemSearch As amazon.ItemSearch = New amazon.ItemSearch
Dim request As amazon.ItemSearchRequest = New amazon.ItemSearchRequest
Dim response As amazon.ItemSearchResponse

itemSearch.AWSAccessKeyId = "XXXXXXXXXXXXXXXXXXXX"
itemSearch.Validate = "False"
request.ResponseGroup = New String() {"Images", "OfferSummary", "Reviews", "Small", "EditorialReview"}
request.SearchIndex = "VideoGames"
request.Condition = amazon.Condition.All
request.Keywords = keyword
service.ClientCertificates.Add(X509Certificate.CreateFromCertFile(Server.MapPath("~/cert-XXXXXXXXXXXXXXXXXXXXXXXXX.pem")))
itemSearch.Request = New amazon.ItemSearchRequest() {request}
response = service.ItemSearch(itemSearch)
--------

Now, with the AWSAccessKeyId set, the soap error is "The request must contain the parameter Signature".
Without it, the error is "403: Forbidden".

Can anyone see what I'm doing wrong? I'm stomped

Thanks in advance.

Oh and I should say the code is in a ASP.NET 2.0 website.

- Michael

Michael Olsen

9/7/2009 11:58:56 AM #

Any update to this? It doesn't work for me - I still get "The request must contain the parameter Signature"

10/19/2009 11:45:58 AM #

Searching for this for some time now - i guess luck is more advanced than search engines

cash loans

Amazon Web Service Secure Request

From The Trenches

Must See

Popular Posts

Recent

By Categories

Month List

Amazon Web Service Secure Request

From The Trenches

Must See

Popular Posts

Recent

By Categories

Month List

Tag cloud