Sudheer Anugu

Rest/Json HMAC Authentication using Secret Key

Recently I worked on a requirement where a REST service sends a Signature field in a JSON message. The value of this field is an HMAC computed over the concatenation of a few other fields of the same message, using HMAC-SHA-256 with a secret key shared between the service and PI.

I have to check that the HMAC (Hash-based Message Authentication Code) sent by the REST service is valid and only then process the message; if it is not valid, a 401 "Invalid Authentication" error is sent back.

Initially I developed a Java mapping for this requirement, but later changed it to a simple UDF (user-defined function) to have more control within the message mapping.

 

JSON Request Message:-

 

The signature above is the HMAC-SHA-256 of the concatenated values of four fields, "UserName"+"Password"+"Company"+"Location", keyed with the shared secret and then Base64-encoded. The fields are concatenated without any delimiter, so the receiver must join them in exactly the same order.

To generate the signature manually for testing purposes, use the link below with the same secret key, as shown in the screenshot:

https://www.liavaag.org/English/SHA-Generator/HMAC/

 

 

We need to generate the same HMAC-SHA-256 digest in PI, using the same fields and the same secret key, and compare it with the received value. If they match, the mapping continues; if not, an "Invalid Authentication" exception is thrown, which also makes the failure visible in monitoring. Compare the two values with a constant-time comparison (for example MessageDigest.isEqual on the decoded bytes) rather than String.equals, so the check does not leak how much of a guessed signature was correct.

 

 

Download Apache Commons Codec from the URL below and import it into PI as an Imported Archive. It is used here for the Hex and Base64 encoding; on Java 8 and later, java.util.Base64 can be used instead and no extra archive is needed.

https://commons.apache.org/proper/commons-codec/download_codec.cgi

 

 

 

 

Our requirement is to compare the Base64 signature value, so I converted the Hex string to Base64 using the UDF below. (Encoding the raw bytes returned by Mac.doFinal directly to Base64 avoids this extra step.)

 

 

 

 

The Display Queue of the ThrowMapException UDF should show "true" or "false".

 

If it is "false", the message below is thrown, so the failure is visible in monitoring:

 

 

In the REST sender channel, "Error Handling" should be maintained with the error text of your choice (here, status 401 with "Invalid Authentication Signature").
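Putting the steps above together, here is the check as plain Java that compiles and runs outside PI. This is an added example, not the UDF from the original post and not SAP-delivered code. The body of verifySignature is what goes into the UDF, with the four fields and the received Signature as its String inputs; sign() doubles as a stand-in for the online generator used for testing, and throwIfInvalid mirrors the ThrowMapException step. The secret key, the sample field values and the class and method names are assumptions for the demo; in PI the secret would come from a mapping parameter or value mapping rather than a literal. The example uses java.util.Base64 (Java 8 and later) instead of Commons Codec, encodes the bytes from Mac.doFinal straight to Base64 with no Hex step, and compares with MessageDigest.isEqual so the comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example of the HMAC-SHA-256 signature check described in the blog, written as a
// plain Java class so it can be run outside PI. Inside PI the body of verifySignature goes
// into a UDF whose String parameters are the four fields plus the received Signature.
public class HmacSignatureCheck {

    // Shared secret agreed with the calling REST service. Hypothetical value for the demo;
    // in PI read it from a mapping parameter or value mapping instead of hard-coding it.
    static final String SECRET_KEY = "demo-secret-key-change-me";

    /** Base64(HMAC-SHA-256(key, userName + password + company + location)). */
    public static String sign(String key, String userName, String password,
                              String company, String location) throws Exception {
        // The blog concatenates the four field values directly, without a delimiter.
        String data = userName + password + company + location;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] raw = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        // Encode the raw digest directly; no Hex -> Base64 detour is needed.
        return Base64.getEncoder().encodeToString(raw);
    }

    /** UDF body: returns "true" when the received signature matches, "false" otherwise. */
    public static String verifySignature(String userName, String password, String company,
                                         String location, String receivedSignature) {
        try {
            byte[] expected = Base64.getDecoder()
                    .decode(sign(SECRET_KEY, userName, password, company, location));
            byte[] received = Base64.getDecoder().decode(receivedSignature.trim());
            // Constant-time comparison: String.equals stops at the first differing byte
            // and so leaks timing information about how much of the guess was right.
            return MessageDigest.isEqual(expected, received) ? "true" : "false";
        } catch (IllegalArgumentException e) {
            // Received value is not valid Base64: treat it as an invalid signature.
            return "false";
        } catch (Exception e) {
            // Any other failure (e.g. algorithm or key problem) must not let the message through.
            return "false";
        }
    }

    /** Mirrors the ThrowMapException UDF: fail the mapping when the flag is not "true". */
    public static void throwIfInvalid(String flag) {
        if (!"true".equals(flag)) {
            throw new RuntimeException("Invalid Authentication Signature");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request values (not taken from the blog's screenshot).
        String user = "jdoe", pwd = "Secret123", company = "ACME", location = "HYD";
        String good = sign(SECRET_KEY, user, pwd, company, location);

        // Scenario 1: the received signature matches what PI computes.
        System.out.println("Scenario 1: " + verifySignature(user, pwd, company, location, good));

        // Scenario 2: Location was changed after signing, so the check fails and the
        // mapping exception becomes the 401 response configured on the sender channel.
        String flag = verifySignature(user, pwd, company, "BLR", good);
        System.out.println("Scenario 2: " + flag);
        try {
            throwIfInvalid(flag);
        } catch (RuntimeException e) {
            System.out.println("401 " + e.getMessage());
        }

        // Caveat of delimiter-less concatenation: "AB"+"C" and "A"+"BC" produce the same
        // signed string, so a signature made for one field split also verifies for the other.
        String s1 = sign(SECRET_KEY, "AB", "C", company, location);
        System.out.println("Signature for AB|C also verifies for A|BC: "
                + verifySignature("A", "BC", company, location, s1));
    }
}
```

Running main shows scenario 1 passing, scenario 2 failing and producing the 401 text, and the last case passing even though the UserName and Password fields were split differently. That last case is why it is worth agreeing a delimiter (or a length prefix) between fields with the calling service: without one, the signature only binds the concatenated string, not the individual field values.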

 

NOTE: No other authentication, such as Basic (user ID and password), should be configured on the channel.

Make the REST service open to all clients, or restrict it to a few clients, and make sure no user ID and password authentication is used.

The ONLY authentication used is the HMAC signature value. Keep in mind what this gives you: a valid signature proves that the sender knows the shared secret and that the four signed fields were not modified in transit. It does not cover the other fields of the message, and it does not prevent replay of a captured message unless a timestamp or nonce is included in the signed data.

 

 

 

TESTING:-

 

Scenario 1:- The JSON request message signature matches exactly what the PI UDF generates, and the message is processed.

 

 

 

Scenario 2:- If the JSON request message signature does not match exactly what the PI UDF generates, status 401 with the message "Invalid Authentication Signature" is sent back.

 

 

      3 Comments
      vijayprasad talari

      Hi Sudheer,

      I am working on a scenario, SAP to REST adapter, using an HMAC signature. I need to know how to configure it in ESR and ID. Could you please guide me?

       

      Regards,

       

      Vijay

      Sandeep Acharya

      Hi Sudheer,

      I need help. I have a similar requirement where the HMAC-SHA1 signature will be sent in a custom JSON header field, and the vendor provided a secret key to decode the message. Please let me know how to achieve this. They are using webhooks to send the events.

      Saud Shaikh

      Thanks! Your blog was useful in my recent implementation. I have a few points to note:

      1. Apache Commons Codec is not a must for Base64 encoding and may be replaced with Java native libraries: java.util.Base64 for Java 8 and above, and javax.xml.bind.DatatypeConverter for earlier versions.
      2. If the comparison/validation is on Base64, then converting to Hex is not required. After receiving the digest bytes from the doFinal function, they can be converted to Base64 directly using Base64.Encoder.encodeToString(bytes).