Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

asrini
New Contributor

401 Incorrect credentials with mutual ssl helloworld endpoint test

Hi I am trying to test mutual ssl connection with hello world example in the sandbox provision and I am getting a 401 with incorrect credentials. I used the auto-generate csr option and followed the example exactly as stated so I am not sure what is going on here. I know the username and password found in the credentials tab is correct. I tried with SoapUI and Postman as well. I am also not able to upload my manually generated csr.  Visa returns an error and doesn't say why.  Please help. Relevant info below. 

 

HTTP/1.1 401
Server: nginx
Date: Thu, 26 Sep 2024 02:24:20 GMT
Content-Type: application/json
Content-Length: 119
Connection: keep-alive
X-SERVED-BY: -576878785
X-CORRELATION-ID: 1727317460_228_1931013393_-576878785_VDP_WS
x-vdp-normalized-url: /vdp/helloworld
X-APP-STATUS: 401
x-vdp-authn-api-visa-id: HELLOWORLD
X-ERROR-ORIGIN: 9100

{"responseStatus":{"status":401,"code":"9124","severity":"ERROR","message":"Incorrect credentials supplied","info":""}}

5 REPLIES 5
SyedSa
Community Moderator

Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

Hi @asriniThank you for reaching out. An agent will get back to you as soon as possible. Until then, if any community member has information that may be helpful, please feel free to reply.

asrini
New Contributor

Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

Update, I was able to generate my own csr and upload it to visa. The problem was the common name not being a "domain name i.e. example.com". However after obtaining the new set of credentials and trying my luck again with Postman and SoapUI, I am still getting a 401 error but the message is different. Now in SoapUI it says authentication failed instead of incorrect credentials. Please advise.  The new request details are below: 

HTTP/1.1 401
Server: nginx
Date: Sat, 28 Sep 2024 18:36:13 GMT
Content-Type: application/json
Content-Length: 110
Connection: keep-alive
X-SERVED-BY: -6979957788d9c
X-CORRELATION-ID: 1727548573_330_497203810_-6979957788d9c_VDP_WS
x-vdp-normalized-url: /vdp/helloworld
X-APP-STATUS: 401
x-vdp-authn-api-visa-id: HELLOWORLD
X-ERROR-ORIGIN: 9100
X-Frame-Options: SAMEORIGIN

{"responseStatus":{"status":401,"code":"9125","severity":"ERROR","message":"Authentication failed","info":""}}

Is it still because of the common name? Does visa actually check this?

API_Products
Visa Developer Support Specialist

Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

Hey @asrini,

 

It seems you are encountering issues with mutual SSL (mTLS) authentication and receiving a 401 error while testing the Hello World example in Visa's sandbox environment. Here are some troubleshooting steps and considerations that might help you resolve the issue:

 

Troubleshooting Steps

1. Check Common Name (CN) in CSR:
- Ensure the Common Name (CN) in your CSR is a valid domain name (e.g., `example.com`). Visa does check the CN, and it must match the expected format.

2. Correct Credentials:
- Double-check the username and password from the credentials tab. Ensure there are no extra spaces or incorrect characters.

3. Certificate Chain:
- Make sure the certificate chain is correctly configured. You might need to include intermediate certificates along with the client certificate.

4. Client Certificate in Postman/SoapUI:
- Ensure that the client certificate is correctly configured in Postman or SoapUI:
- Postman: Go to Settings > Certificates and add the client certificate.
- SoapUI: Go to Preferences > SSL Settings and add the client certificate.

5. TLS Version:
- Ensure that you are using the correct TLS version (usually TLS 1.2 or higher).

6. Visa Developer Portal Configuration:
- Verify that the uploaded CSR and the generated client certificate are correctly associated with your project in the Visa Developer Portal.

 

Example: Configuring Mutual SSL in Postman

1. Add Client Certificate:
- Go to Settings > Certificates.
- Click on "Add Certificate".
- Enter the `Host` (e.g., `sandbox.api.visa.com`).
- Browse to select your client certificate file (usually a `.pem` or `.p12` file).
- If using a `.p12` file, provide the passphrase.

2. Add Authorization:
- In your request, go to the Authorization tab.
- Select "Basic Auth".
- Enter your username and password from the Visa Developer Portal.

3. Send Request:
- Ensure the URL is correct, and send the request. Check the response headers and body for any additional information.

 

Configuration Example in Postman

```plaintext
Host: sandbox.api.visa.com
Client Certificate File: path/to/your/certificate.pem
Passphrase: your_passphrase (if applicable)
```

 

By ensuring that your CSR has the correct Common Name, checking your credentials, configuring the client certificate properly in your testing tools, and verifying TLS settings, you should be able to resolve the 401 error. If issues persist, Visa Support can provide more specific guidance.

 




Thanks,

Diana



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

asrini
New Contributor

Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

Hi,

I double checked the username/password and the hashes of the csr file, the client certificate and the private key and they all match so the set is compatible. I get code 9124 with Postman and 9125 with SoapUI. Can you please tell me what these codes mean? Maybe that can provide a clue? 

API_Products
Visa Developer Support Specialist

Re: 401 Incorrect credentials with mutual ssl helloworld endpoint test

Hey @asrini,

 

A 401 error with the message "Authentication failed" indicates that the authentication process is not being completed successfully. Here are some steps to troubleshoot this issue:

1. Check Error Codes:
- 9124: Typically means "Invalid or missing client certificate".
- 9125: Indicates "Authentication failed".

2. Verify Common Name (CN):
- Ensure that the Common Name (CN) in the certificate is a valid domain name (e.g., `example.com`). Visa does check this, and it must match what is expected by Visa.

3. Verify Credentials:
- Double-check that the API Key, Shared Secret, and any other credentials are correct and match the ones provided by Visa.

4. Ensure Correct Environment:
- Make sure you are using the correct environment (sandbox or production) and the corresponding credentials.

5. Validate Certificate and Key:
- Ensure the client certificate and private key are correctly paired and both are being used in the request.

6. Check Request Headers:
- Ensure all required headers are included in your request, such as `Authorization` and `Content-Type`.

7. Use Correct Authentication Method:
- Visa APIs might require specific authentication methods (e.g., Mutual SSL, API Key, OAuth). Confirm you are using the correct method.

8. Test with Minimal Request:
- Simplify your request to the most basic form, removing optional headers and data, to isolate the issue.

 

Here's an example of how you might configure a request in Postman with Mutual SSL:

Postman Configuration
1. Add Certificate:
- Go to Settings > Certificates.
- Add a new certificate with the `Host` (e.g., `sandbox.api.visa.com`), `CRT file`, and `Key file`.

2. Configure Request:
- Set the URL to the Visa API endpoint (e.g., `https://sandbox.api.visa.com/vdp/helloworld`).
- Include necessary headers:
- `Authorization`: `Bearer YOUR_ACCESS_TOKEN`
- `Content-Type`: `application/json`

3. Send Request:
- Validate the response and adjust as necessary.

 

If issues persist, consider reaching out to Visa Developer support for detailed assistance. They can provide specific guidance based on the error codes and your implementation details.

 




Thanks,

Diana



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.