
Recently I worked on a requirement where a REST service sends a Signature field in a JSON message. The value of this Signature field is an HMAC-SHA-256 digest computed over the concatenation of a few other fields of the same JSON message.

I have to check whether the HMAC (Hash-based Message Authentication Code) sent by the REST service is valid and only then process the message; if it is not valid, a 401 "Invalid Authentication" error is thrown back.

Initially I developed a Java mapping for this requirement but later changed it to a simple UDF to have more control over the mapping.

JSON Request Message:-

The above signature is the result of concatenating the values of four fields, "UserName"+"Password"+"Company"+"Location", and taking the HMAC-SHA-256 digest of that string.

To generate the signature manually for testing purposes, use the link below, as shown in the screenshot.

https://www.liavaag.org/English/SHA-Generator/HMAC/

We need to generate the same HMAC-SHA-256 digest in PI from the same fields and compare the two strings. If they match, the mapping succeeds; if they do not, an "Invalid Authentication" exception is thrown so that the failure is visible in monitoring.

Download Apache Commons Codec from the URL below and import it into PI as an Imported Archive.

https://commons.apache.org/proper/commons-codec/download_codec.cgi

Our requirement is to compare the Base64 signature value, so I converted the hex string to Base64 using the UDF below.

The Display Queue of ThrowMapException should show "true" or "false".
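As an added example (not the UDF code from the original post, which is only in the screenshots), here is plain Java doing the same three steps with Apache Commons Codec: HMAC-SHA-256 over the concatenated fields as a hex string, conversion of that hex string to Base64, and a constant-time comparison that returns "true" or "false" for the ThrowMapException step. The key `HMAC_KEY`, the method names and the sample field values are assumptions; in a PI UDF the fields arrive as String arguments together with a Container parameter, which is omitted here.

```java
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

public class HmacSignatureCheck {

    // Assumption: the shared secret agreed with the REST client. In PI keep this
    // out of the mapping source (value mapping, secure store), not a literal.
    private static final String HMAC_KEY = "REPLACE_WITH_SHARED_SECRET";

    // Step 1: HMAC-SHA-256 over UserName+Password+Company+Location, hex-encoded
    // (lower case), which is the form the online generator displays.
    public static String hmacSha256Hex(String key, String userName, String password,
                                       String company, String location) throws Exception {
        String data = userName + password + company + location;
        Mac mac = Mac.getInstance("HmacSHA256");
        // "UTF-8" as a charset name keeps this compiling on the older JVMs PI may run on.
        mac.init(new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256"));
        byte[] digest = mac.doFinal(data.getBytes("UTF-8"));
        return Hex.encodeHexString(digest);
    }

    // Step 2: hex string to Base64, the job of the hex-to-Base64 UDF in the post.
    public static String hexToBase64(String hex) throws DecoderException {
        byte[] raw = Hex.decodeHex(hex.trim().toCharArray());
        return Base64.encodeBase64String(raw);
    }

    // Step 3: the value the ThrowMapException branch tests. Both Base64 strings are
    // decoded to raw bytes so that padding or whitespace differences do not cause a
    // false mismatch, and the bytes are compared in constant time.
    public static String verifySignature(String receivedSignatureBase64, String userName,
                                         String password, String company, String location) {
        try {
            String expectedHex = hmacSha256Hex(HMAC_KEY, userName, password, company, location);
            byte[] expected = Base64.decodeBase64(hexToBase64(expectedHex));
            byte[] received = Base64.decodeBase64(receivedSignatureBase64);
            return MessageDigest.isEqual(expected, received) ? "true" : "false";
        } catch (Exception e) {
            // A missing or undecodable signature is treated as invalid, so no error
            // path lets the message through unauthenticated.
            return "false";
        }
    }

    // Constructed sample request (values invented for this example) covering the
    // two test scenarios from the post.
    public static void main(String[] args) throws Exception {
        String userName = "jdoe", password = "s3cret", company = "ACME", location = "BLR";

        // Scenario 1: client signed the message correctly -> "true"
        String goodSig = hexToBase64(hmacSha256Hex(HMAC_KEY, userName, password, company, location));
        System.out.println("valid signature  : " + verifySignature(goodSig, userName, password, company, location));

        // Scenario 2: a field was changed after signing -> "false" (maps to 401)
        System.out.println("tampered message : " + verifySignature(goodSig, userName, password, company, "NYC"));

        // Malformed signature -> "false" rather than an unhandled exception
        System.out.println("malformed sig    : " + verifySignature("not-base64!!", userName, password, company, location));
    }
}
```

Compile with commons-codec on the classpath; in PI the three methods become the bodies of the corresponding UDFs. `MessageDigest.isEqual` is used instead of `String.equals` so that the comparison does not return early on the first differing byte, and every failure path yields "false" rather than an exception, which is what the ThrowMapException step needs to see.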


If "false", the message below is thrown for monitoring purposes.

The REST sender channel's "Error Handling" should be maintained with any text of your choice.

NOTE: No other authentication, such as Basic (user ID & password) or any other method, should be used.

Make the REST service open to all clients or restrict it to a few clients, and make sure no user ID & password authentication is used.

The ONLY authentication that should be used is the HMAC signature value.

TESTING:-

Scenario 1:- The JSON request message Signature should match exactly what the PI UDF generates.

Scenario 2:- If the JSON request message Signature does not match exactly what the PI UDF generates, then status 401 with the "Invalid Authentication Signature" message should be sent back.
