You must have a fully functional 1099 Pro Corporate Suite installation working before setting up the API.
Note: If you already have IIS set up, you can skip to step 9 (Add Web Site) in the Instructions below.
Requirements:
Instructions:
<add name="CSDb" connectionString="server=testserver\instance;Persist Security Info=True;user id=dbowner;password=dbownerpw;initial catalog=sqldbname;" providerName="System.Data.SqlClient" />
Note: the \instance part is not always required; this depends on the database structure.
The 1099ProApiKey, 1099ProPrivateKey, and symmetricKey must be set up. SymmetricVector can be left empty.
<add key="symmetricKey" value="A base64 encoded 256-bit key" />
<add key="1099ProPrivateKey" value="A random 40 character string" />
<add key="1099ProApiKey" value="A random 40 character string" />
PowerShell Script: Generate 256-bit AES key
PS C:\temp> $256AESKey = New-Object Byte[] 32

PowerShell Script: Generate 40-character string
PS C:\temp> -join (((48..57)+(65..90)+(97..122)) * 80 |Get-Random -Count 40 |%{[char]$_})
ZzVQEny0WlNARKb5DJ1CGJY59c4aDCxCrADfmRBh
Examples:
<add key="symmetricKey" value="FJ1WZ3FnsP9pUIPRgTJ2Kw1E2Th4/9mGubZmobUuWoo=" />
<add key="1099ProPrivateKey" value="ZzVQEny0WlNARKb5DJ1CGJY59c4aDCxCrADfmRBh" />
<add key="1099ProApiKey" value="bQbHRGmhD/rlgVm8GGwrMc88d9ahDmHWZ9F7j6qM" />
With the API, you can enforce Payer Code security by API key. This means that an API key can be limited to only have access to one or more specified Payer Codes. You can configure this by adding a key equal to the value of the ApiKey, followed by a comma delimited list of allowed Payer Codes. Starting with the default "1099ProApiKey", you can configure up to 10 additional API keys, each with their own Payer Code limitations.
The following example gives the "WEX1OeV6tqa0SDO9i5dV0n9hrEZj6pXs5c46crRZ" API key access to PCODE1:
<add key="1099ProApiKey" value="WEX1OeV6tqa0SDO9i5dV0n9hrEZj6pXs5c46crRZ" />
The following example gives the "bQbHRGmhD/rlgVm8GGwrMc88d9ahDmHWZ9F7j6qM" API key access to PCODE1 and PCODE2:
<add key="1099ProApiKey1" value="bQbHRGmhD/rlgVm8GGwrMc88d9ahDmHWZ9F7j6qM" />
With the API, you can require a valid HMAC-SHA256 signature of the API call parameters. To do this, set a base64 encoded 512-bit HMAC secret key value in the "1099ProHmacKey" key of the web.config. This is the secret HMAC key that will be used to validate the HMAC "Signature" value in the XML request.
Example: If the request's timestamp is "10/28/2019 12:00:00 PM", and the 1099ProHmacExpiration is set to "60", the HMAC signature would be valid until 10/28/2019 12:01:00 PM.
Example:
<add key="1099ProHmacKey" value="2bauSp2YvnzBQ7YIz3V/3s7Ggiiz8FboGpftAayRi/r+zYs5ILm/np2u142HSlzXjsJLOn9VfJ7KJrg7q0bEuw==" />
<add key="1099ProHmacExpiration" value="60" />
<add key="1099ProHmacReplay" value="Deny" />
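As an added example (not 1099 Pro's own script), the following PowerShell generates the symmetricKey, the two 40-character strings, and the 512-bit 1099ProHmacKey from the operating system's cryptographic random number generator, and prints them as web.config entries. The function names New-Base64Key and New-RandomString are hypothetical; the key names and sizes are the ones given on this page.

```powershell
# Added example, not vendor code. Function names are hypothetical.
# All randomness comes from System.Security.Cryptography.RandomNumberGenerator.

function New-Base64Key {
    # Returns a base64 string holding $Bits random bits (256 for symmetricKey,
    # 512 for 1099ProHmacKey).
    param([Parameter(Mandatory)][int]$Bits)
    if ($Bits % 8 -ne 0) { throw "Bits must be a multiple of 8" }
    $bytes = New-Object byte[] ($Bits / 8)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

function New-RandomString {
    # Returns $Length characters drawn uniformly from 0-9, A-Z, a-z
    # (the same character set as the 40-character script above).
    param([int]$Length = 40)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # Rejection sampling: 256 is not a multiple of 62, so bytes >= 248 are
    # discarded to keep every character equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 64
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            foreach ($b in $buf) {
                if ($b -lt $limit -and $sb.Length -lt $Length) {
                    [void]$sb.Append($alphabet[$b % $alphabet.Length])
                }
            }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

# Emit ready-to-paste appSettings entries. Generate fresh values per
# environment; the sample values shown on this page are public.
'<add key="symmetricKey" value="{0}" />'      -f (New-Base64Key -Bits 256)
'<add key="1099ProPrivateKey" value="{0}" />' -f (New-RandomString)
'<add key="1099ProApiKey" value="{0}" />'     -f (New-RandomString)
'<add key="1099ProHmacKey" value="{0}" />'    -f (New-Base64Key -Bits 512)
```

Run it in a session without transcript logging enabled, since the generated secrets are written to the console.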