This notification is to inform you that the test window planned to occur in July has been postponed. The test window would have prohibited the use of the HMAC SHA-1 signature method for Token-based Authentication (TBA) integrations.  We will notify you when the new test window schedule has been determined. However, you should take this opportunity to update the signature method used by your TBA integrations.

What is Changing?

Some TBA integrations in your NetSuite account are using the HMAC-SHA1 algorithm. The HMAC-SHA1 algorithm is no longer considered secure. Review integrations that use the TBA feature in your account. Update all TBA integrations to use the HMAC-SHA256 algorithm as the signature method. This request for review applies to all integrations in your account, including integrations from third-party solution providers. If your TBA integrations are not using the HMAC-SHA256 signature method, you must take the following Required Actions. If you do not make the necessary updates, your TBA integrations that still use the HMAC-SHA1 signature method will stop working.

Required Actions

As soon as possible, update your TBA integrations to use the HMAC-SHA256 signature method. If you use any integrations provided by a third party, you must inform the third party that HMAC-SHA1 will soon no longer be supported as a signature method for TBA in NetSuite. The third party must provide you with an updated solution as soon as possible.  You must update the authorization header to use HMAC-SHA256. • Change the value of the oauth_signature_method parameter from HMAC-SHA1 to HMAC-SHA256. • Change the value of the oauth_signature parameter to HMAC-SHA256. The valid value for these parameters must be entered exactly as shown: HMAC-SHA256. For more information about TBA and signature methods, see the following help topics: • Example OAuth Header, SuiteAnswers ID 50996. • The Signature for Web Services and RESTlets, SuiteAnswers ID 77576 • The Authorization Headers, SuiteAnswers ID 77577 If you are using a library for signing, you must verify that the library supports HMAC-SHA256. If the library you are using does not support HMAC-SHA256, you must either update the library to use HMAC-SHA256 or begin using another library that supports HMAC-SHA256.  If you have more questions, please contact NetSuite Customer Support.  Thank you,  The Oracle NetSuite Team