Set Up HTTP Signature Message

Setting up your HTTP signature message requires you to follow these steps.

Figure: Set Up HTTP Signature Message Workflow

  1. Sign up and register a Cybersource Business Center sandbox account. See Sign Up for a Sandbox Account.
  2. Create a shared secret key. See Create a Shared Secret Key Pair.
  3. Construct a message using HTTP signature security. See Construct Messages Using HTTP Signature Security.
  4. (Optional) Enable the optional message-level encryption feature. See Enable Message-Level Encryption.
  5. Go live by signing up and registering a Cybersource Business Center production account. See Going Live.

Sign Up for a Sandbox Account

The first step to set up your account is to sign up for a sandbox account. From this account you can obtain your security keys and test your implementation.
Follow these steps to sign up for a sandbox account:
  1. Go to the Cybersource Developer Center sandbox account sign up page: sandbox.html
  2. Enter your information into the sandbox account form and click Create Account.
  3. Go to your email and find a message titled: Merchant Registration Details. Click the Set up your username and password now link.
    Your browser opens the New User Sign Up wizard.
  4. Enter the Organization ID and Contact email you supplied previously. Follow the wizard pages to add your name, a username, and a password.
  5. Log in to the Business Center.
    When you log in for the first time, you will be asked to verify your identity through a system-generated email to your email account.
  6. Check your email for a message titled: Cybersource Identification Code. A passcode is included in the message.
  7. Enter the passcode on the Verify your Identity page.
    You should be directed to the Business Center home page.
    You have successfully signed up for a sandbox account.

Create a Shared Secret Key Pair

Key pairs are used with HTTP Signature message security.

Construct Messages Using HTTP Signature Security

HTTP signatures use a digital signature to enable the receiver to validate the sender's authenticity and ensure that the message was not tampered with during transit. For more information about HTTP signatures, see the IETF Draft that is maintained by the IETF HTTP Working Group (https://httpwg.org).
Follow these steps to implement HTTP signatures:
  1. Create the shared secret key pair. See Create a Shared Secret Key Pair.
  2. Generate a hash of the message body. See Generate a Hash of the Message Body.
  3. Generate a signature hash. See Generate the Signature Hash.
  4. Populate the signature header field. See Update Header Fields.
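
The hash, signature and header steps above, sketched as an added example that is not Cybersource's own code, with a receiver-side check showing how tampering is detected. This page does not state the algorithms or signed fields, so the SHA-256 digest, HMAC-SHA256, base64-encoded secret, field list and signature layout are assumptions, and every sample value is constructed.

```python
import base64
import hashlib
import hmac

# Assumptions (not stated on this page): SHA-256 body digest, HMAC-SHA256 keyed
# with the base64-decoded shared secret, and this list of signed fields.
SIGNED = ["host", "date", "(request-target)", "digest", "v-c-merchant-id"]


def body_digest(body):
    """Step 2: hash of the message body, formatted as a digest value."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signature_hash(fields, secret_b64):
    """Step 3: HMAC over the 'name: value' lines, in SIGNED order."""
    signing_string = "\n".join(f"{name}: {fields[name]}" for name in SIGNED)
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, signing_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def signature_header(key_id, fields, secret_b64):
    """Step 4: value for the signature header field."""
    return (f'keyid="{key_id}", algorithm="HmacSHA256", '
            f'headers="{" ".join(SIGNED)}", '
            f'signature="{signature_hash(fields, secret_b64)}"')


def verify(fields, body, signature_b64, secret_b64):
    """Receiver side: recompute both hashes and compare in constant time."""
    if not hmac.compare_digest(body_digest(body), fields.get("digest", "")):
        return False  # body no longer matches the signed digest
    return hmac.compare_digest(signature_hash(fields, secret_b64), signature_b64)


# Constructed sample values, not real credentials or endpoints.
SECRET_B64 = base64.b64encode(b"constructed-shared-secret-key-01").decode()
BODY = b'{"amount": "10.00", "currency": "USD"}'
FIELDS = {
    "host": "api.example.test",
    "date": "Thu, 14 Dec 2023 10:00:00 GMT",
    "(request-target)": "post /payments",
    "digest": body_digest(BODY),
    "v-c-merchant-id": "example_merchant",
}
SIGNATURE = signature_hash(FIELDS, SECRET_B64)
```

Because the digest is one of the signed fields, a change to either the body or any signed field makes `verify` return False.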

Enable Message-Level Encryption

IMPORTANT
This feature is in the pilot phase. To use message-level encryption, contact your sales representative.
There are additional tasks you must complete before you can enable message-level encryption. For more information, see Prerequisites for Message-Level Encryption.
Message-Level Encryption (MLE) enables you to store information or communicate with other parties while helping to prevent uninvolved parties from understanding the stored information. MLE is optional and supported only for payments services.
MLE provides enhanced security for message payload by using an asymmetric encryption technique (public-key cryptography). The message encryption is implemented with symmetric encryption using Advanced Encryption Standard (AES), Galois Counter Mode (GCM) with 256-bit key size. The encryption of keys is supported using RSA Optimal Asymmetric Encryption Padding (OAEP) with 2048-bit key size. The encryption service is based on JSON Web Encryption (JWE), works on top of SSL and requires separate key-pairs for request and response legs of the transaction.
MLE is required for APIs that primarily deal with sensitive transaction data, both financial and non-financial. These are the types of sensitive transaction data:
  • Personal identification information (PII)
  • Personal account number (PAN)
  • Personal account information (PAI)
Each of these authentication schemes uses an encrypted payload, called the JWE. A JWE token has these five components, with each component separated by a period (.):
  • JOSE header containing four elements:
      "alg": "RSA-OAEP-256", //The algorithm used to encrypt the CEK
      "enc": "A256GCM", //The algorithm used to encrypt the message
      "iat": "1702493653", //The current timestamp in milliseconds
      "kid": "keyId" //The serial number of shared public cert for encryption of CEK
  • JWE encrypted key
  • JWE initialization vector
  • JWE additional authentication data (AAD)
  • JWE ciphertext and authentication tag
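
A structural check a receiver can run before attempting decryption, as an added example that is not Cybersource's own code. It assumes the RFC 7516 compact serialization, whose five dot-separated segments are the protected header, encrypted key, initialization vector, ciphertext and authentication tag; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# From the page: RSA-OAEP-256 wraps the CEK with a 2048-bit RSA key (256-byte
# output); A256GCM encrypts the message. IV and tag sizes are the A256GCM
# sizes from RFC 7518 (96-bit IV, 128-bit tag).
EXPECTED = {"alg": "RSA-OAEP-256", "enc": "A256GCM"}
SIZES = {"encrypted key": 256, "iv": 12, "tag": 16}  # bytes


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_jwe(token):
    """Return a list of problems; an empty list means the token passes."""
    parts = token.split(".")
    if len(parts) != 5:
        return [f"expected 5 segments, got {len(parts)}"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        key, iv, ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"undecodable segment: {exc}"]
    if not isinstance(header, dict):
        return ["JOSE header is not a JSON object"]
    problems = [f"{name} is {header.get(name)!r}, expected {want!r}"
                for name, want in EXPECTED.items() if header.get(name) != want]
    if not header.get("kid"):
        problems.append("kid is missing")
    for name, raw in (("encrypted key", key), ("iv", iv), ("tag", tag)):
        if len(raw) != SIZES[name]:
            problems.append(f"{name} is {len(raw)} bytes, expected {SIZES[name]}")
    if not ciphertext:
        problems.append("ciphertext is empty")
    return problems


def sample_token(header, key_len=256):
    """Constructed token with filler bytes: right shape, not real ciphertext."""
    segments = [json.dumps(header).encode(), bytes(key_len), bytes(12),
                b"constructed-ciphertext", bytes(16)]
    return ".".join(b64url_encode(s) for s in segments)


HEADER = {"alg": "RSA-OAEP-256", "enc": "A256GCM", "iat": "1702493653", "kid": "keyId"}
```

Rejecting any token whose `alg` or `enc` differs from the pinned values keeps a sender from steering the receiver onto a weaker algorithm through the header.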

Going Live

When you are ready to process payments in a live environment, you must transition your account to a live status with a valid configuration for your chosen payment processor. When live, your transaction data flows through the production Cybersource gateway, to your processor, and on to the appropriate payment network.
To transition your account:
  1. Sign up for a merchant account.
  2. to establish a contract with Cybersource that enables you to process real transactions and receive support.
  3. Submit a merchant ID (MID) activation request.
It may take up to three business days to complete a MID activation request.