
When configuring Webhooks in SaaS console, you can set “Authentication” to “Secret HMAC”, which results in x-cv-signature-256 header being added to the payload with the digest of the message in it.

I would like to be able to validate the message by calculating the same digest at the receiving end and comparing to the value in the header. Trouble is, I cannot work out how Commvault generates the digest. For example, working with another API, the digest is calculated based on the HTTP method + current epoch + body + API endpoint. 

I need to do this in Powershell but any guidance or code examples in other languages would be appreciated. 

Hello @Adamski

I have flagged this question internally with a Dev expert and I will keep you posted on their update.


Kind regards
Albert Williams


Hello @Adamski

My dev has responded with the following:


We use HMAC-SHA256 to calculate digest - 

echo -n '<PAYLOAD>' | openssl dgst -sha256 -hmac '<SECRET_KEY>'

 

I hope this answers your questions?

Kind regards

Albert Williams


Hi @Albert Williams ,

thank you for the confirmation, I now see where my problem is. Commvault appends a trailing space to the PAYLOAD before the signature is calculated.

I have set my alert template for the webhook as follows, all info is static, no tokens, no trailing spaces or new lines:

{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}

When I test the webhook, I see the digest in the header coming in as:

"x-cv-signature-256": "9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec",

With the payload shown in the log as 

"body": "{\"alertCategoryAlertType\": \"testtype\",\"alertEventId\": \"123\",\"clientDisplayName\": \"testclient\",\"utcTime\": \"Mon Sep 23 13:53:27 2024\"} ",

Here are my digest calculations

# PAYLOAD copied from the alert template
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= f74dec8dc8c5ea22bc8e56c42a01ff500205c185c77249709adcc9a9bb3ab094


# PAYLOAD copied from the alert template and a trailing space added
# this one corresponds to the digest calculated by Commvault
echo -n '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"} ' | openssl dgst -sha256 -hmac 'TestSecret'

SHA2-256(stdin)= 9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec

 

I will raise a support ticket for this.


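A receiver-side check in PowerShell built on what this thread establishes (HMAC-SHA256 over the payload, hex digest in the x-cv-signature-256 header), as an added example that is not Commvault's code or part of the original posts. The function name `Test-CvWebhookSignature`, its parameters and the UTF-8 encoding of the secret are assumptions; the sample values are the ones posted above.

```powershell
# Added example, not Commvault code. Function and parameter names are hypothetical.
function Test-CvWebhookSignature {
    param(
        [Parameter(Mandatory)][byte[]]$BodyBytes,  # raw request body, exactly as received
        [Parameter(Mandatory)][string]$Signature,  # value of the x-cv-signature-256 header
        [Parameter(Mandatory)][string]$Secret      # secret configured for the webhook
    )
    # Assumption: the secret is keyed in as its UTF-8 bytes (matches openssl -hmac for ASCII secrets).
    $key  = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($key)
    try {
        $computed = $hmac.ComputeHash($BodyBytes)
    } finally {
        $hmac.Dispose()
    }
    $expectedHex = -join ($computed | ForEach-Object { $_.ToString('x2') })
    $givenHex    = $Signature.Trim().ToLowerInvariant()

    # Compare without stopping at the first mismatch, so timing does not
    # reveal how many leading characters of a forged signature were correct.
    if ($givenHex.Length -ne $expectedHex.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expectedHex.Length; $i++) {
        $diff = $diff -bor ([int][char]$expectedHex[$i] -bxor [int][char]$givenHex[$i])
    }
    return ($diff -eq 0)
}

# Values taken from the thread: static alert template, test secret, received header value.
$template = '{"alertCategoryAlertType": "testtype","alertEventId": "123","clientDisplayName": "testclient","utcTime": "Mon Sep 23 13:53:27 2024"}'
$header   = '9dc53ebcdd55a34ae4e6b8b732305ab7c1f2ef4e79303f1fbf2457bcb1c2f7ec'
$utf8     = [System.Text.Encoding]::UTF8

# Body as logged by the receiver (template plus one trailing space) versus a trimmed copy.
$asReceived = $utf8.GetBytes($template + ' ')
$trimmed    = $utf8.GetBytes($template)

# Verify against the bytes that arrived on the wire; trimming or re-serializing
# the JSON before hashing changes the digest.
[pscustomobject]@{
    AsReceived = Test-CvWebhookSignature -BodyBytes $asReceived -Signature $header -Secret 'TestSecret'
    Trimmed    = Test-CvWebhookSignature -BodyBytes $trimmed    -Signature $header -Secret 'TestSecret'
}
```

In a real listener, read the request body as bytes before any JSON parsing and pass those bytes to the function unchanged.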