Verification

This section lists the credentials that SymXchange accepts for verification.

These credentials are valid for verification when performing transactions, for PowerOn services, and for the create, read, update, delete (CRUD) services:

  • Account number
  • Administrator name and password
  • Home banking information
  • Card number
  • MICR information
  • Lookup information
  • User number and password
    • When you set the Allow User Authentication? prompt to Yes in the SymXchange client-specific parameters, SymXchange verifies that the user number and password are valid credentials before allowing access to Symitar.
    • You cannot use user number 0 as a credential because it is reserved for Symitar use only.
  • Symitar user token

With the user number and password credential, you can send a logon request, in which you provide a Symitar user number and password, and receive a token after successful authentication. This token ID can be used for authentication in any other SymXchange call where Symitar user number credentials are acceptable. A log off request invalidates the token so that it cannot be used in further requests. The token automatically expires after 15 minutes of inactivity.

The Symitar user token can improve the response time for SymXchange messages authenticated with Symitar user credentials. If you have password hashing activated for Symitar users, authentication is relatively slow because the password hashing algorithm is deliberately resource-intensive to make brute-force attacks more difficult. With token-based authentication, the hashing happens only on the first call; all other calls can use the token, which makes authentication much more efficient.

To limit impact on resources, Symitar allows a maximum of 100,000 tokens to be active at the same time. When that limit is reached, Symitar does not issue a new token and the SymXchange logon service returns an error. In this case, try again after a token expires or is invalidated through a log off call.

There is no separate credential parameter for the token. The SymXchange credential parameter User Number also applies to token usage.

The following logon message requests a token for a user:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:user="http://www.symxchange.generated.symitar.com/v1/usermanagement" 
    xmlns:com="http://www.symxchange.generated.symitar.com/v1/common/dto/common">
    <soapenv:Header/>
    <soapenv:Body>
        <user:logon>
            <Request MessageId="logon">
                <Credentials>
                    <UserNumberCredentials>
                        <UserNumber>1</UserNumber>
                        <Password>learn</Password>
                    </UserNumberCredentials>
                </Credentials>
                <DeviceInformation DeviceType="CUHERE" DeviceNumber="20000"/>
            </Request>
        </user:logon>
    </soapenv:Body>
</soapenv:Envelope>

Subsequent messages can then be credentialed using the token returned by the logon request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:acc="http://www.symxchange.generated.symitar.com/v2/account" 
    xmlns:com="http://www.symxchange.generated.symitar.com/v1/common/dto/common">
    <soapenv:Header/>
    <soapenv:Body>
        <acc:getAccount>
            <!--Optional:-->
            <Request MessageId="getaccount">
                <AccountNumber>12660</AccountNumber>
                <Credentials>
                    <TokenCredentials>
                        <TokenId>VTSrF4t6EioLFKJYnCsjc1nIOUgvGBjWBwgXsJbTQsQpWA+Tr8LelV4N0iGMwS9YVuL0AZroe98uuerB4xNMzg==</TokenId>
                    </TokenCredentials>
                </Credentials>
                <DeviceInformation DeviceType="CUHERE" DeviceNumber="20000"/>
            </Request>
        </acc:getAccount>
    </soapenv:Body>
</soapenv:Envelope> 
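
The token handling described above, as an added Python example (not code from this page or from Symitar): it builds the two Request bodies with an XML library so that credential values are escaped, and tracks the 15-minute inactivity window on the client so the password is sent only when a new token is needed. `TokenSession`, `do_logon` and the other helper names are hypothetical; sending the message and reading the TokenId out of the logon response are left to the caller because this page does not show the response format.

```python
import time
import xml.etree.ElementTree as ET

IDLE_LIMIT = 15 * 60  # seconds of inactivity before the token expires (from this page)

def _request(message_id, creds_tag, fields):
    """Build a <Request> body; ElementTree escapes every text value."""
    req = ET.Element("Request", MessageId=message_id)
    inner = ET.SubElement(ET.SubElement(req, "Credentials"), creds_tag)
    for name, value in fields:
        ET.SubElement(inner, name).text = str(value)
    # Device values copied from the page's sample messages.
    ET.SubElement(req, "DeviceInformation", DeviceType="CUHERE", DeviceNumber="20000")
    return req

def logon_request(user_number, password):
    if int(user_number) == 0:
        raise ValueError("user number 0 is reserved for Symitar use")
    return _request("logon", "UserNumberCredentials",
                    [("UserNumber", user_number), ("Password", password)])

def get_account_request(account_number, token_id):
    req = _request("getaccount", "TokenCredentials", [("TokenId", token_id)])
    acct = ET.Element("AccountNumber")
    acct.text = str(account_number)
    req.insert(0, acct)  # AccountNumber precedes Credentials, as in the page's sample
    return req

class TokenSession:
    """Caches one token and logs on again only after the idle window has passed."""
    def __init__(self, do_logon, clock=time.monotonic):
        self._do_logon = do_logon  # hypothetical callable: sends logon, returns TokenId
        self._clock = clock
        self._token = None
        self._last_use = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now - self._last_use >= IDLE_LIMIT:
            self._token = self._do_logon()  # the only call that carries the password
        # Assumption: every token() call is followed by a request, which counts as activity.
        self._last_use = now
        return self._token

    def discard(self):
        """Call after a log off request so the invalidated token is never reused."""
        self._token = None
```

If the logon service returns an error because the token limit is reached, let `do_logon` raise; `TokenSession` then keeps no token and the next `token()` call tries again.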

You can use the account number when you make a SymXchange request that returns account information. Alternatively, you can authenticate your access to the system using the account number credential or the home banking credential set (a combination of the credential and its password, such as the HBUsername and HBPassword fields in the Preference record). SymXchange determines the account number based on the credentials provided.

You can use the Home Administrator ID and user number as valid credentials for the following findByXXX methods:

  • findByCard
  • findByHomeUser
  • findByLookup
  • findByMICR

Last updated Thu Mar 30 2023