I have been attempting to connect to Visa APIs using two-way SSL authentication. The .p12 file was manually created by integrating individual certificates and a private key downloaded from the Visa Developer Console. However, the connection fails with the error 401: Token validation failed. This post summarizes the steps I have taken and seeks guidance on proper implementation to resolve this issue.
The following certificates and private key were downloaded from Visa Developer Console:
The full_chain.pem file was created by concatenating the certificates in the following order:
```
Get-Content SBX-2024-Prod-Inter.pem | Out-File -FilePath full_chain.pem -Encoding ascii
Get-Content SBX-2024-Prod-Root.pem | Out-File -FilePath full_chain.pem -Append -Encoding ascii
Get-Content DigiCertGlobalRootCA.pem | Out-File -FilePath full_chain.pem -Append -Encoding ascii
```
Using full_chain.pem, the private key, and the client certificate, the .p12 file was created as follows:
```
openssl pkcs12 -export \
  -inkey key_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pem \
  -in cert.pem \
  -certfile full_chain.pem \
  -out visa_certificate.p12
```
The following request consistently fails with 401: Token validation failed.
```
const https = require('https');
const axios = require('axios');
const fs = require('fs');

const cert = fs.readFileSync('cert.pem');
const key = fs.readFileSync('key.pem');
const ca = fs.readFileSync('ca.pem');
const agent = new https.Agent({ cert, key, ca });

const username = 'VISA_API_USERNAME';
const password = 'VISA_API_PASSWORD';
const credentials = Buffer.from(`${username}:${password}`).toString('base64');

async function testVisaAPI() {
  try {
    const response = await axios.post(
      'https://sandbox.api.visa.com/pop/v1/notification/generate',
      { messageId: 'test123', notificationType: 'payment_success' },
      {
        httpsAgent: agent,
        headers: {
          'Authorization': `Basic ${credentials}`,
          'Content-Type': 'application/json',
        },
      }
    );
    console.log('API Response:', response.data);
  } catch (error) {
    console.error('API Error:', error.response ? error.response.data : error.message);
  }
}

testVisaAPI();
```
Questions
Was the .p12 file, which includes the certificate chain, created correctly?
Are there any missing steps or errors in the OpenSSL procedure?
Are there additional configurations or authentication flows required beyond Basic Authentication (Authorization: Basic <Base64>)?
Is the current endpoint (https://sandbox.api.visa.com/pop/v1/notification/generate) correct?
Request for Guidance
I would greatly appreciate your insights and suggestions. If you have experience resolving similar issues or successfully connecting to Visa APIs, your guidance would be invaluable. Thank you!
Hi @FintechStiory, Thank you for reaching out. An agent will get back to you as soon as possible. Until then, if any community member has information that may be helpful, feel free to reply in this thread.
Thank you for your response. I created the setup based on the official documentation, but I keep encountering errors. I would greatly appreciate any guidance or information that could help resolve this issue. Looking forward to hearing from the community or an agent soon.
Hey @FintechStiory,
To address your questions and provide guidance on connecting to Visa APIs using two-way SSL authentication, I'll refer to the information available on the developer.visa.com platform.
1. Correct Usage of .p12
The process you've described for creating the .p12 file appears to be correct. However, it's important to ensure that the order of certificates in the chain is correct. According to Visa's documentation, the certificate chain should be in the following order:
1. Your client certificate
2. Intermediate certificate
3. Root certificate
Your approach of concatenating the certificates into a full_chain.pem file and then using it to create the .p12 file is generally correct. However, make sure that the client certificate (cert.pem) is included in the chain as well.
2. Authentication Flow
For Visa API authentication, you need to implement both mutual authentication (two-way SSL) and API key authentication. The steps are as follows:
a. Establish a TLS connection using your client certificate and private key.
b. Include the API key and shared secret in the Authorization header using Basic Authentication.
The Authorization header should be constructed as follows:
```
Authorization: Basic <Base64 encoded API_KEY:SHARED_SECRET>
```
Make sure you're using the correct API key and shared secret for the sandbox environment.
3. Endpoint Validation
The endpoint you're using (https://sandbox.api.visa.com/pop/v1/notification/generate) appears to be correct for the sandbox environment. However, always double-check the specific API documentation for the most up-to-date endpoint information.
Additional Recommendations:
1. Verify Certificate Expiration: Ensure that your client certificate and the certificates in the chain are not expired.
2. Check Certificate Common Name: Verify that the Common Name (CN) or Subject Alternative Name (SAN) in your client certificate matches the one registered with Visa.
3. Validate TLS Version: Ensure you're using TLS 1.2 or higher, as required by Visa.
4. Review API Specifications: Carefully review the specific API documentation for any additional headers or parameters required for the API you're calling.
5. Use Visa's Test Certificate: For testing purposes, you can use Visa's test client certificate available in the Visa Developer Center. This can help isolate whether the issue is with your certificate or something else in your implementation.
6. Check Request Body: Ensure that the request body (if required) is correctly formatted according to the API specifications.
7. Verify Project and Product Configuration: In the Visa Developer Center, make sure your project is correctly configured and has access to the API you're trying to use.
If you continue to experience issues, you may want to use a tool like OpenSSL to test the SSL connection independently of your application code. This can help isolate whether the problem is with the SSL configuration or with other aspects of your API call.
Remember to always refer to the most recent documentation on the Visa Developer Platform for the most accurate and up-to-date information on API integration and authentication processes.
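An offline check for the chain-order and expiry points raised in the answer above, as an added example that is not part of the thread or of Visa's documentation. It assumes the bundle under test is cert.pem followed by full_chain.pem; the function names and the sample records are hypothetical and constructed for illustration.

```javascript
const { X509Certificate } = require('crypto');

// Split a PEM bundle into certificates and keep only the fields compared below.
function readBundle(pemText) {
  const blocks = pemText.match(
    /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
  return blocks.map((pem) => {
    const c = new X509Certificate(pem);
    return { subject: c.subject, issuer: c.issuer, validTo: new Date(c.validTo) };
  });
}

// Expected order: client certificate, then each issuer in turn, ending at a
// self-issued root. Names are compared; signatures are NOT verified here.
function checkChain(certs, now = new Date()) {
  const problems = [];
  certs.forEach((c, i) => {
    if (c.validTo <= now) {
      problems.push(`cert ${i} (${c.subject}) expired ${c.validTo.toISOString()}`);
    }
    const next = certs[i + 1];
    if (next && c.issuer !== next.subject) {
      problems.push(`cert ${i} names issuer "${c.issuer}" but cert ${i + 1} is "${next.subject}"`);
    }
  });
  const last = certs[certs.length - 1];
  if (last && last.issuer !== last.subject) {
    problems.push('chain does not end at a self-issued root');
  }
  return problems;
}

// Constructed sample records (hypothetical names, not real Visa subjects).
const now = new Date('2025-01-01T00:00:00Z');
const later = new Date('2026-01-01T00:00:00Z');
const earlier = new Date('2024-06-01T00:00:00Z');
const client = { subject: 'CN=example-client', issuer: 'CN=Example Intermediate', validTo: later };
const inter = { subject: 'CN=Example Intermediate', issuer: 'CN=Example Root', validTo: later };
const root = { subject: 'CN=Example Root', issuer: 'CN=Example Root', validTo: later };
const otherRoot = { subject: 'CN=Unrelated Root', issuer: 'CN=Unrelated Root', validTo: later };

const inOrder = checkChain([client, inter, root], now);              // no problems
const extraRoot = checkChain([client, inter, root, otherRoot], now); // link 2 -> 3 breaks
const swapped = checkChain([client, root, inter], now);              // wrong order
const expired = checkChain([{ ...client, validTo: earlier }, inter, root], now);

console.log({ inOrder, extraRoot, swapped, expired });
```

To run it against real files, pass `readBundle(fs.readFileSync('bundle.pem', 'utf8'))` to `checkChain`, where bundle.pem is a placeholder name for the concatenated certificates.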