How to Update Authorize.Net Direct Post from MD5 to SHA-512 in Magento

How to Update Authorize.Net Direct Post from MD5 to SHA-512 in Magento

Are you Magento store owner using any of the below versions and using Authorize.Net Direct Post payment method with MD5 based hash?

  • Magento Commerce 1.X.X
  • Magento Open Source 1.X.X
  • Magento Commerce 2.X.X
  • Magento Open Source 2.X.X
  • Magento Commerce (Cloud) 2.X.X

If yes, continue reading this important post!

However, if you installed Magento SUPEE 11155 patch, you don’t need to worry as this solution is already resolved in the security patch!

Uptill now, Magento used the MD5 based hash to implement the Authorize.Net Direct Post payment method. But not anymore after Authorize.net announced MD5 Hash End of Life & Signature Key Replacement!

After this announcement, the store owners will not be able to process secure payments using the Authorize.net Direct Post.

Authorize.Net is phasing out the MD5 based hash use for transaction response verification in favor of the SHA-512 based hash utilizing a Signature Key. It will stop supporting the MD5 based hash key use from June 28, 2019.

Not to worry, as Magento provides the patch that merchants need to apply and replace the existing MD5 hash with a Signature Key (SHA-512) in the Magento Admin configuration settings.

 

Follow the below steps to continue using the Authorize.Net Direct Post in the Magento stores!

Steps to Update Authorize.Net Direct Post from MD5 to SHA – 512 in Magento:

  1. Apply the patch
  2. Get a new signature key
  3. Update admin configuration

Implement each of the above steps as below:

  1. Apply the patch
    Download the zip file for your Magento Version for the patch installation. You can also download these Pre Patched files from GitHubUnzip the downloaded files and add them to your root Magento folder.

    Magento VersionPatch Files
    Magento 2.3.0Magento CE-2.3.0
    Magento 2.2.6 to Magento 2.2.7Magento CE-2.2.6-CE-2.2.7
    Magento 2.2.0 to Magento 2.2.5Magento CE-2.2.0-CE-2.2.5
    Magento 2.1.0 to Magento 2.1.9Magento CE-2.1.0-CE-2.1.9
    Magento 1.5.0 to Magento 1.9.4.0Magento CE-1.5.0.1-CE-1.9.4.0

    Note: If you use Magento Commerce Cloud, apply the patch and deploy. For more information, visit Apply custom patches.

  2. Get a new signature key
    Follow the below steps to get a new signature key. To know more about the signature key, visit here.

    1. Log into the Merchant Interface at https://account.authorize.net.
    2. Click Account from the main toolbar.
    3. Go to Settings in the main left-side menu.
    4. Click API Credentials & Keys.
    5. Select New Signature Key. Review the options available.
    6. Click Submit and continue.
    7. Request and enter the PIN for verification.
    8. Your new Signature Key will be displayed that is to be copied to add to your Magento Admin configuration.
  3. Update Magento admin configuration
    1. Log in to the admin panel.
    2. Go to Stores > Configuration.
    3. Click Sales > Payment Methods.
    4. Expand the Authorize.net Direct Post section.
    5. In the Signature Key enter the SHA-512 Signature Key.
    6. Click Save Config.

For Magento 1:

Magento Admin Configuration

For Magento 2:

Magento 2 Admin Configuration

After the successful signature key update, you can enjoy capturing secure online payments using the Authorize.NetDirect Post!

Note: With the upcoming Magento 2.3.1 release, Magento will include the new Authorize.Net extension to replace the Direct Post. If you are not going to update to Magento 2.3.1 anytime soon, follow the above method to update Authorize.Net Direct Post from MD5 to SHA – 512 in Magento stores.

You may post any issues in this method in the Comments below and I’d be happy to help. Or, you may contact us for professional help with Authorize.net Direct Post transaction key update.

Don’t forget to flash 5 stars!

Thank you!

4.7
(based on 20 Reviews)

Sanjay is a co-founder at Meetanshi. He is a certified Magento developer who loves creating Magento E-commerce solutions. When he is not engrossed with anything related to Magento, he loves to play cricket.

27 comments On How to Update Authorize.Net Direct Post from MD5 to SHA-512 in Magento

  • Applied Patch and successfully add a signature key, but an order is still using MD-5 Key and in Magento admin still say update your authorization module. Any reason behind this?

  • Why do your patched files differ from the patch itself?

    • We have provided Pre-patched files which are easy to install which you can do using FTP as well which is helpful. The Patch files provided by Magento needs to be added using SSH.

  • Meetanshi, MD5 will affect the stores that are built with a Magento versions below 2.3. Hence,

    Magento Commerce 1.X.X
    Magento Open Source 1.X.X
    Magento Commerce 2.X.X
    Magento Open Source 2.X.X
    Magento Commerce (Cloud) 2.X.X

    is kind of miss-leading.

    Magento versions that will be affected are

    Magento Open Source versions below 2.3.
    Magento Commerce versions below 2.3
    Magento Commerce (Cloud) versions below 2.3

  • I am getting php error message after installing and trying to place order. I am running on 5.3 php, could that be an issue with this patch?

    The PHP-FPM error log is showing:
    [09-Mar-2019 01:55:58 UTC] PHP Fatal error: Can’t use method return value in write context in /chroot/home/jimcolem/jimcolemanstore.com/html/app/code/core/Mage/Authorizenet/Model/Directpost.php on line 392
    [09-Mar-2019 01:56:04 UTC] PHP Fatal error: Can’t use method return value in write context in /chroot/home/jimcolem/jimcolemanstore.com/html/app/code/core/Mage/Authorizenet/Model/Directpost.php on line 392
    [09-Mar-2019 01:56:13 UTC] PHP Fatal error: Can’t use method return value in write context in /chroot/home/jimcolem/jimcolemanstore.com/html/app/code/core/Mage/Authorizenet/Model/Directpost.php on line 392

  • Hi,
    thanks for the documentation.

    I used a bitnami installation of Magento Commerce 2.2.7. has one of you access to the Magento Commerce 2.x patch?
    or can I apply the CE patch?

    Thanks and kind regards

  • I downloaded the patch files for M2.1.7 and had compilation errors :

    I had to revert.

    • Hi Robert,
      Please share the compilation errors with me.

      • Hi Sanjay,

        Here is my compilation error :
        Compilation was started.
        Repositories code generation… 1/7 [====>———————–] 14% 1 sec 76.8 MiBPHP
        Parse error: syntax error, unexpected ‘:’, expecting ‘;’ or ‘{‘ in /home/steel17/domains/steelcitymachines.ca/private_html/steel/vendor/magento/module-authorizenet/Model/Directpost/Request.php on line 195

        • You might be using the wrong version of PHP while running the compilation command. The return type declaration it is failing on requires PHP7+.

  • So we have to have API Login ID, Transaction Key and Signature key in admin panel settings in Magento only ? We have to leave Merchant MD5 value blank?

    • Hi Anil,
      You need to get a new Signature Key and add it to your Magento Admin configuration.

      To get the Signature key:

      1. Log into the Merchant Interface at https://account.authorize.net.
      2. Click Account from the main toolbar.
      3. Click Settings in the main left-side menu.
      4. Click API Credentials & Keys.
      5. Select New Signature Key. Review the options available.
      6. Click Submit to continue.
      7. Request and enter PIN for verification.
      8. Your new Signature Key is displayed. Copy this key to add to your Magento Admin configuration.

      To Update Magento Admin Configuration:

      1. Log into the Magento Admin.
      2. On the Admin sidebar, click Stores. Then under Settings, click Configuration.
      3. In the panel, click Sales then Payment Methods.
      4. Expand the Authorize.net Direct Post section.
      5. In the Signature Key enter the SHA-512 Signature Key.
      6. Click Save Config.

      You have to keep the MD5 value blank as it has no more concern after the patch installation.

  • Hi

    I have successfully downloaded and applied the patch. But when i execute php magento setup:di:compile following error occurs

    [RuntimeException]
    Class Magento\Sales\Api\PaymentFailuresInterface does not exist in [Magento\Authorizenet\Model\Directpost\Interceptor]

    I have confirmed it multiple times by reverting back the Authorize net module in vendor. Any fixes?

  • Yes, your patch not working with magento 2.1.x version can you explain why ?

  • Hi again, I have another site which I have to put the Signature Key. This site is with Magento 1.9

    I tried to download the zip file from : https://meetanshi.com/blog/wp-content/uploads/2019/03/CE-1.5.0.1-CE-1.9.4.zip
    but I got an error page.

    If you can get back to me it would be appreciated.

    Regards,

    Robert

  • Hi,
    I have downloaded the file : CE-2.0.0-CE-2.3.0.zip
    I did the extraction.
    I lost the site and the admin panel.
    I opened Putty to re-index with SSH CLI-commands
    The first mistake was on line 1108 of directpost.php : private function getOrderFromResponse(): \Magento\Sales\Model\Order
    Putty suggested to use ; or {
    I put ; instead of :
    When I re-indexed the mistake now is : namespace Magento\Authorizenet\Model;
    It say’s that it must be the first instance. But it is !!!

    I put the old directpost.php so I could see the website and the admin panel. Now I freeze when I try to checkout, witch is normal.

    Can you help ?

    Regards,

    Robert

    I am using Magento 2.1.7

    • Hi Robert,
      You need to compile current Magento store using bin/magento setup:di:compile command.

      • I initiated the compile command and got this error :
        PHP Parse error: syntax error, unexpected ‘:’, expecting ‘;’ or ‘{‘ in /home/steel17/domains/steelcitymachines.ca/private_html/steel/vendor/magento/module-authorizenet/Model/Directpost.php on line 1018

  • Hi – what about if you use the M1 authorize.net method? Is that affected at all? It is ambiguous in the Magento instructions as it is mentioned as AIM – https://support.magento.com/hc/en-us/articles/360024368392 – under Issue

    Magento implements the Authorize.Net Direct Post payment method, using Authorize.Net’s AIM (Advanced Integration Method) and DPM (Direct Post method) APIs, which use MD5 based hash.

    Authorize.net will stop supporting MD5 based hash usage on March 14, 2019. Starting from this date, Magento Open Source, Magento Commerce and Magento Cloud merchants will not be able to process payments using Authorize.Net Direct Post payment method. To be able to continue successfully process payments using these methods, merchants need to apply the patch provided by Magento and replace the existing MD5 hash with a Signature Key in the Magento Admin configuration settings.

Leave a Reply