HMAC-SHA1 hash verification on API Management
HMAC (hash-based message authentication code) is a specific type of message authentication code involving a cryptographic hash function and a secret cryptographic key, which can be used to simultaneously verify both the data integrity and the authenticity of a message. This blog post describes how to integrate such interfaces or webhooks into an SAP Cloud system using SAP Cloud API Management.
Limitation: the CPI inbound HTTP adapter allows neither a “no authorisation” policy nor authorisation methods other than certificate- or user-based authorisation. This can be resolved through API Management, which offers a great number of possibilities around policies.
This blog post illustrates the use case of API Management acting as an intermediary between a source system that triggers webhook notifications secured with HMAC and CPI, taking charge of the security between the systems. We use API Management to authenticate the message and forward it to CPI; CPI then performs the complex orchestration required to integrate with the SAP Gigya and Marketing Cloud systems.
The objective of this blog post is to show how to verify the HMAC-SHA1 signature of the sender system and generate an outbound call to CPI with user authentication.
API Policy Flow
The following diagram depicts the policy flow template that you need to create in SAP API Management to authenticate the message using HMAC-SHA1 and forward it to the SAP CPI layer for complex orchestration.
Step 01 – vmBasic Policy
Retrieve the target system user and password from secure value mapping and save them into parameters that can then be used in the policy flow.
Step 02 – extJson
Allows extracting the JSON payload, or a particular node of it, and saving it into a variable.
Step 03 – vmPartner
Retrieve the partner key from secure value mapping and save it into a parameter.
Step 04 – checkHash
Indicate the script name that will do the hash verification. In this case we used a Python script.
The script checks the received hash string against the hash computed with our partner key. If they do not match, it raises an error, ending the flow.
Step 05 – basicAuthentication
Set basic authentication for the target system call, using the secured parameters defined in the first step:
Test example on API Management
We can test the API directly in API Management by specifying the webhook JSON payload and the security header carrying the hash.
The API returns a successful response with the message set in the CPI flow.
In the response headers we can see the SAP_MessageProcessingLogID of the message processed in SAP CPI.
In the second test case we altered the message data by modifying the event id in the payload, which invalidates the HMAC signature.
API Management returns error 500 to the source system with the exception programmed in the script validation step.
API Management offers a broad range of security policies for API creation, which can also be used as a bridge to more complex orchestration in SAP Cloud Platform Integration, thus overcoming CPI's limitations regarding authorisation methods.
In this blog post we explored one such case, using API Management to verify an HMAC-SHA1 hash and act as a security handler between a source system and CPI.
Thanks Raquel Pereda for bringing one of my use cases to life in this blog. This kind of security at the APIM level makes sense to have for sensitive data in an API strategy.
Hi Raquel, amazing content. Thank you!
Considering “Step 04 – checkHash” is using string comparison, it might be vulnerable to a timing attack:
Trying to use “hmac.compare_digest” I had no success:
So, I’ve changed the code to use double HMAC comparison with a random key, as explained here in another programming language:
My final code was:
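The following is an added example written for this page; it is neither the Python script from the original post's checkHash step nor the commenter's final code, which is not reproduced above. It shows the verification that Step 04 performs (recompute HMAC-SHA1 over the raw body with the partner key and compare it with the received header) and addresses the comment's timing-attack concern by comparing with `hmac.compare_digest` from the standard library rather than `==`. The partner key, the payload, the `X-Signature` header name and the 401/500 status mapping are constructed assumptions, not values from the post.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the original post): a partner key and a
# webhook payload of the kind the post describes, carrying an event id.
PARTNER_KEY = b"constructed-partner-key-for-demo"
SAMPLE_PAYLOAD = (
    b'{"event_id": "evt-1001", "type": "profile.updated", "data": {"uid": "u-42"}}'
)
# Assumed header name; the post does not state which header carries the hash.
SIGNATURE_HEADER = "X-Signature"


def compute_signature(key: bytes, body: bytes) -> str:
    """Hex-encoded HMAC-SHA1 over the raw request body, as the sender computes it."""
    return hmac.new(key, body, hashlib.sha1).hexdigest()


def verify_signature(key: bytes, body: bytes, received: str) -> bool:
    """Recompute the signature and compare it in constant time.

    hmac.compare_digest does not short-circuit at the first differing byte, so an
    attacker cannot learn the correct value position by position from response
    timing. Both sides are compared as bytes so a non-ASCII header cannot raise.
    """
    expected = compute_signature(key, body).encode("ascii")
    candidate = received.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, candidate)


def check_webhook(key: bytes, body: bytes, headers: dict) -> dict:
    """Model of the checkHash step: reject before any downstream (CPI) call is made."""
    received = headers.get(SIGNATURE_HEADER)
    if received is None:
        return {"status": 401, "error": "missing signature header"}
    if not verify_signature(key, body, received):
        # The post reports API Management returning 500 with the script's exception.
        return {"status": 500, "error": "HMAC-SHA1 verification failed"}
    payload = json.loads(body)
    return {"status": 200, "event_id": payload["event_id"]}


def tamper_event_id(body: bytes, new_id: str) -> bytes:
    """Reproduce the post's second test: change the event id after signing."""
    payload = json.loads(body)
    payload["event_id"] = new_id
    return json.dumps(payload).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(PARTNER_KEY, SAMPLE_PAYLOAD)
    print("genuine :", check_webhook(PARTNER_KEY, SAMPLE_PAYLOAD, {SIGNATURE_HEADER: sig}))
    altered = tamper_event_id(SAMPLE_PAYLOAD, "evt-9999")
    print("tampered:", check_webhook(PARTNER_KEY, altered, {SIGNATURE_HEADER: sig}))
```

Two design points carry over to a policy script regardless of platform: sign and verify the raw bytes as received (re-serialising JSON can change whitespace or key order and break the comparison), and resolve the partner key from a secured store such as the secure value mapping described in Step 03 rather than embedding it in the script.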