Detailed description

Operations destined for Pix of the SPI (Instant Payments System).

See the HSM technical documentation.

Good practices

General

Reuse sessions (benefit from session caching). Use the HSM session cache and gain performance by reusing HSM and HTTP sessions. In this case, it is recommended that you open a session, perform the operations you want and then close it, allowing the session to be reused quickly, thus reducing downtime.
Ensuring that sessions are closed. Closing sessions guarantees the release of the resource, both in the HSM and on the client. Make sure that sessions are closed even for operations with a return code other than success.
Use concurrent sessions. Using concurrent/parallel sessions with the HSM helps to extract maximum performance. Attention should be paid to using too many sessions with HSMs, so as not to cause unnecessary use of resources. The throughput curve tends to rise and find a plateau.

HTTP requests Pix

Define a connection object reload interval. You can optimize the number of times HSM keys and objects are loaded by setting a reload interval for HSM objects. As the institution's key/certificate/chain update is done infrequently and on a scheduled basis, it is advantageous to define a reload interval for these objects. Pay attention to network asset timeouts that are shorter than this value to avoid premature disconnections and unnecessary errors. See more details and how to configure here.

Important settings

General

Set the HSM connection timeouts. When the HSM timeout is not set, the default is that of the operating system. In the event of a connection failure, the application may wait too long. It is important to ALWAYS set the HSM's send and receive timeouts. Other connection parameters can be found here.

HTTP requests Pix

Define the HTTP operation timeouts. When not defined, the default HTTP operation timeout is unlimited. In the event of an HTTP connection failure, the application may be put on hold indefinitely. It is important to ALWAYS set the timeout in HTTP request calls.

Functions
byte[]	signPIX (String strKeyId, String strCertId, int nFlags, byte[] baUnsignedPIXEnvelope) throws TacException
	Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

byte[]	signPIX (String strKeyId, String strCertId, byte[] baUnsignedPIXEnvelope) throws TacException
	Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

byte[]	signPIXDict (String strKeyId, String strCertId, int nFlags, byte[] baUnsignedDictEnvelope) throws TacException
	Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

byte[]	signPIXDict (String strKeyId, String strCertId, byte[] baUnsignedDictEnvelope) throws TacException
	Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

boolean	verifyPIX (String strChainId, String strCRLId, int nFlags, byte[] baSignedPIXEnvelope) throws TacException
	Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

boolean	verifyPIX (String strChainId, String strCRLId, byte[] baSignedPIXEnvelope) throws TacException
	Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

boolean	verifyPIXDict (String strChainId, String strCRLId, int nFlags, byte[] baSignedDictEnvelope) throws TacException
	Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

boolean	verifyPIXDict (String strChainId, String strCRLId, byte[] baSignedDictEnvelope) throws TacException
	Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

byte[]	signPIXJWS (String strKeyId, byte[] baHeader, byte[] baPayload) throws TacException
	Makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

String	signPIXJWS (String strKeyId, String strHeader, String strPayload) throws TacException
	Makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

JwsComponents	checkPIXJWS (String strChainId, String strCRLId, byte[] baJWS, int nFlags) throws TacException
	Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

JwsComponents	checkPIXJWS (String strChainId, String strCRLId, String strJWS, int nFlags) throws TacException
	Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

boolean	checkPIXJWS (String strChainId, String strCRLId, byte[] baJWS) throws TacException
	Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

boolean	checkPIXJWS (String strChainId, String strCRLId, String strJWS) throws TacException
	Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

PIXResponse	postPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, byte[] baRequestData, int nTimeOut, boolean bUseGzip, boolean bVerifyHostName) throws TacException
	It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).

PIXResponse	postPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, byte[] baRequestData, int nTimeOut, int nParam) throws TacException
	It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).

PIXResponse	putPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, byte[] baRequestData, int nTimeOut, boolean bUseGzip, boolean bVerifyHostName) throws TacException
	It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).

PIXResponse	putPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, byte[] baRequestData, int nTimeOut, int nParam) throws TacException
	It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).

PIXResponse	getPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, int nTimeOut, boolean bUseGzip, boolean bVerifyHostName) throws TacException
	It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).

PIXResponse	getPIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, int nTimeOut, int nParam) throws TacException
	It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).

PIXResponse	deletePIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, int nTimeOut, boolean bUseGzip, boolean bVerifyHostName) throws TacException
	It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).

PIXResponse	deletePIX (String strKeyId, String strCertId, String strPIXCertChainId, String strURL, String[] straRequestHeaderList, int nTimeOut, int nParam) throws TacException
	It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).

PIXHTTPReqDetails	getPIXHTTPReqDetails () throws TacException
	Retrieves the details of the last PIX HTTP request (POST, GET...) made in this session.

long	getPIXHTTPReqCode () throws TacException
	Retrieves the return code of the last PIX HTTP request (POST, GET...) made in this session.

Functions

◆ signPIX() [1/2]

byte[] signPIX	(	String	strKeyId,
		String	strCertId,
		int	nFlags,
		byte[]	baUnsignedPIXEnvelope ) throws TacException

Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strKeyId Name of the private key used for signing. Corresponding to a CPIA certificate.

strCertId Name of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.

nFlags

Subscription options. Pass 0. If you need any additional options, the following values are accepted.

Value	Meaning
TacNDJavaLib.PIX_SIGN_RNS	Enables the use of relative namespaces.

baUnsignedPIXEnvelope XML to be signed.

Return

Exceptions

TacException Throws exception in case of signature errors

Notes: We recommend using the signature tag using the full closure, as seen below, for performance reasons.
<Sgntr></Sgntr>

The tag with a simple closing is also accepted, see below.
<Sgntr/>

◆ signPIX() [2/2]

byte[] signPIX	(	String	strKeyId,
		String	strCertId,
		byte[]	baUnsignedPIXEnvelope ) throws TacException

Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strKeyId	Name of the private key used for signing. Corresponding to a CPIA certificate.
strCertId	Name of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
baUnsignedPIXEnvelope	XML to be signed.

Return

Exceptions

TacException Throws exception in case of signature errors

Notes: We recommend using the signature tag using the full closure, as seen below, for performance reasons.
<Sgntr></Sgntr>

The tag with a simple closing is also accepted, see below.
<Sgntr/>

◆ signPIXDict() [1/2]

byte[] signPIXDict	(	String	strKeyId,
		String	strCertId,
		int	nFlags,
		byte[]	baUnsignedDictEnvelope ) throws TacException

Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters

strKeyId	Name of the private key used for signing. Corresponding to a CPIA certificate.
strCertId	Name of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
nFlags	Reserved for future use (must be 0).
baUnsignedDictEnvelope	XML to be signed.

Return

Exceptions

TacException Throws exception in case of signature errors

Notes: Do not include the signature tag, it will be added automatically.

◆ signPIXDict() [2/2]

byte[] signPIXDict	(	String	strKeyId,
		String	strCertId,
		byte[]	baUnsignedDictEnvelope ) throws TacException

Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters

strKeyId	Name of the private key used for signing. Corresponding to a CPIA certificate.
strCertId	Name of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
baUnsignedDictEnvelope	XML to be signed.

Return

Exceptions

TacException Throws exception in case of signature errors

Notes: Do not include the signature tag, it will be added automatically.

◆ verifyPIX() [1/2]

boolean verifyPIX	(	String	strChainId,
		String	strCRLId,
		int	nFlags,
		byte[]	baSignedPIXEnvelope ) throws TacException

Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
nFlags	Reserved for future use (must be 0).
baSignedPIXEnvelope	Signed XML.

Return: true if the signature is valid and false if it is invalid.

Exceptions

TacException

◆ verifyPIX() [2/2]

boolean verifyPIX	(	String	strChainId,
		String	strCRLId,
		byte[]	baSignedPIXEnvelope ) throws TacException

Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
baSignedPIXEnvelope	Signed XML.

Return: true if the signature is valid and false if it is invalid.

Exceptions

TacException

◆ verifyPIXDict() [1/2]

boolean verifyPIXDict	(	String	strChainId,
		String	strCRLId,
		int	nFlags,
		byte[]	baSignedDictEnvelope ) throws TacException

Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
nFlags	Reserved for future use (must be 0).
baSignedDictEnvelope	Signed XML.

Return: true if the signature is valid and false if it is invalid.

Exceptions

TacException

◆ verifyPIXDict() [2/2]

boolean verifyPIXDict	(	String	strChainId,
		String	strCRLId,
		byte[]	baSignedDictEnvelope ) throws TacException

Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
baSignedDictEnvelope	Signed XML.

Return: true if the signature is valid and false if it is invalid.

Exceptions

TacException

◆ signPIXJWS() [1/2]

byte[] signPIXJWS	(	String	strKeyId,
		byte[]	baHeader,
		byte[]	baPayload ) throws TacException

Makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strKeyId Name of the private key used for signing. As defined in the PIX

baHeader

JWS header for signature. At least the header parameter alg must be informed. Accepted values for alg.

Value	Meaning
RS256	RSA 2048 PKCS#1v5
RS384	RSA 3072 PKCS#1v5
RS512	RSA 4096 PKCS#1v5
PS256	RSA 2048 PSS
PS384	RSA 3072 PSS
PS512	RSA 4096 PSS
ES256	ECC SECP256R1
ES384	ECC SECP384R1
ES512	ECC SECP521R1

baPayload JWS payload for subscription.

Return: JWS signed.

Exceptions

TacException Throws exception in case of signature errors

Notes: It uses the Compact Serialization format described in Section-3.1 of RFC 7515.

◆ signPIXJWS() [2/2]

String signPIXJWS	(	String	strKeyId,
		String	strHeader,
		String	strPayload ) throws TacException

Makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strKeyId Name of the private key used for signing. As defined in the PIX

strHeader

JWS header for signature. At least the header parameter alg must be informed. Accepted values for alg.

Value	Meaning
RS256	RSA 2048 PKCS#1v5
RS384	RSA 3072 PKCS#1v5
RS512	RSA 4096 PKCS#1v5
PS256	RSA 2048 PSS
PS384	RSA 3072 PSS
PS512	RSA 4096 PSS
ES256	ECC SECP256R1
ES384	ECC SECP384R1
ES512	ECC SECP521R1

strPayload JWS payload for subscription.

Return: JWS signed.

Exceptions

TacException Throws exception in case of signature errors

Notes: It uses the Compact Serialization format described in Section-3.1 of RFC 7515.

◆ checkPIXJWS() [1/4]

JwsComponents checkPIXJWS	(	String	strChainId,
		String	strCRLId,
		byte[]	baJWS,
		int	nFlags ) throws TacException

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
baJWS	JWS signed.
nFlags	Check options. It should be 0.

Return: JwsComponents class that will contain the return code, the Header and the Payload of the signed message.

Exceptions

TacException

◆ checkPIXJWS() [2/4]

JwsComponents checkPIXJWS	(	String	strChainId,
		String	strCRLId,
		String	strJWS,
		int	nFlags ) throws TacException

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
strJWS	JWS signed.
nFlags	Check options. It should be 0.

Return: JwsComponents class that will contain the return code, the Header and the Payload of the signed message.

Exceptions

TacException

◆ checkPIXJWS() [3/4]

boolean checkPIXJWS	(	String	strChainId,
		String	strCRLId,
		byte[]	baJWS ) throws TacException

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
baJWS	JWS signed.

Return: True if the check was successful.

Exceptions

TacException

◆ checkPIXJWS() [4/4]

boolean checkPIXJWS	(	String	strChainId,
		String	strCRLId,
		String	strJWS ) throws TacException

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters

strChainId	Name of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the certificate used in the signature. This formatting is necessary because the XML message from Pix does not contain the certificate used in the signature. Optionally, only the X.509 certificate used to sign can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
strCRLId	Name of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
strJWS	JWS signed.

Return: True if the check was successful.

Exceptions

TacException

◆ postPIX() [1/2]

PIXResponse postPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		byte[]	baRequestData,
		int	nTimeOut,
		boolean	bUseGzip,
		boolean	bVerifyHostName ) throws TacException

It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).

Uses the basic initial HTTP header.

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId	Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.
strCertId	Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
strPIXCertChainId	Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.
strURL	URL of the server PIX (ICOM or DICT).
straRequestHeaderList	Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes. This option will overwrite the default headers if they overlap. To remove a header, pass the name of the header without a value (e.g. `Accept:`). To include a header without content, use `;` instead of `:` (Ex. `Accept;`). Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally. This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual. The standard initial header includes Host, User-Agent and Content-Length.
baRequestData	Data sent in the request.
nTimeOut	Operation timeout time in milliseconds. Can be set to 0 for no timeout.
bUseGzip	Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
bVerifyHostName	Checks certificate with host name.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ postPIX() [2/2]

PIXResponse postPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		byte[]	baRequestData,
		int	nTimeOut,
		int	nParam ) throws TacException

It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.

strCertId Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.

strPIXCertChainId Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.

strURL URL of the server PIX (ICOM or DICT).

straRequestHeaderList Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding, Content-Type, Expect and Content-Length.

baRequestData Data sent in the request.

nTimeOut Operation timeout time in milliseconds. Can be set to 0 for no timeout.

nParam

Value	Meaning
0	Default option. Does not check the certificate with the host name.
TacNDJavaLib.PIX_VERIFY_HOST_NAME	Checks certificate with host name.
TacNDJavaLib.PIX_BASIC_HTTP_HEADER	Uses the basic initial HTTP header. Includes Host, User-Agent and Content-Length.
TacNDJavaLib.PIX_GZIP	Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ putPIX() [1/2]

PIXResponse putPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		byte[]	baRequestData,
		int	nTimeOut,
		boolean	bUseGzip,
		boolean	bVerifyHostName ) throws TacException

It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).

Uses the basic initial HTTP header.

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId	Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.
strCertId	Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
strPIXCertChainId	Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.
strURL	URL of the server PIX (ICOM or DICT).
straRequestHeaderList	Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes. This option will overwrite the default headers if they overlap. To remove a header, pass the name of the header without a value (e.g. `Accept:`). To include a header without content, use `;` instead of `:` (Ex. `Accept;`). Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally. This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual. The standard initial header includes Host, User-Agent and Content-Length.
baRequestData	Data sent in the request.
nTimeOut	Operation timeout time in milliseconds. Can be set to 0 for no timeout.
bUseGzip	Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
bVerifyHostName	Checks certificate with host name.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ putPIX() [2/2]

PIXResponse putPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		byte[]	baRequestData,
		int	nTimeOut,
		int	nParam ) throws TacException

It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.

strCertId Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.

strPIXCertChainId Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.

strURL URL of the server PIX (ICOM or DICT).

straRequestHeaderList Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding, Expect and Content-Length.

baRequestData Data sent in the request.

nTimeOut Operation timeout time in milliseconds. Can be set to 0 for no timeout.

nParam

Value	Meaning
0	Default option. Does not check the certificate with the host name.
TacNDJavaLib.PIX_VERIFY_HOST_NAME	Checks certificate with host name.
TacNDJavaLib.PIX_BASIC_HTTP_HEADER	Uses the basic initial HTTP header. Includes Host, User-Agent and Content-Length.
TacNDJavaLib.PIX_GZIP	Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ getPIX() [1/2]

PIXResponse getPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		int	nTimeOut,
		boolean	bUseGzip,
		boolean	bVerifyHostName ) throws TacException

It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).

Uses the basic initial HTTP header.

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId	Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.
strCertId	Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
strPIXCertChainId	Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.
strURL	URL of the server PIX (ICOM or DICT).
straRequestHeaderList	Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes. This option will overwrite the default headers if they overlap. To remove a header, pass the name of the header without a value (e.g. `Accept:`). To include a header without content, use `;` instead of `:` (Ex. `Accept;`). Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally. This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual. The standard initial header includes Host, User-Agent, Accept, Accept-Encoding.
nTimeOut	Operation timeout time in milliseconds. Can be set to 0 for no timeout.
bUseGzip	Includes the Accept-Encoding: gzip header if basic header is enabled.
bVerifyHostName	Checks certificate with host name.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ getPIX() [2/2]

PIXResponse getPIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		int	nTimeOut,
		int	nParam ) throws TacException

It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.

strCertId Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.

strPIXCertChainId Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.

strURL URL of the server PIX (ICOM or DICT).

straRequestHeaderList Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding.

nTimeOut Operation timeout time in milliseconds. Can be set to 0 for no timeout.

nParam

Value	Meaning
0	Default option.Does not check the certificate with the host name.
TacNDJavaLib.PIX_VERIFY_HOST_NAME	Checks certificate with host name.
TacNDJavaLib.PIX_BASIC_HTTP_HEADER	Uses the basic initial HTTP header. Includes Host and User-Agent.
TacNDJavaLib.PIX_GZIP	Includes the Accept-Encoding: gzip header if basic header is enabled.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ deletePIX() [1/2]

PIXResponse deletePIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		int	nTimeOut,
		boolean	bUseGzip,
		boolean	bVerifyHostName ) throws TacException

It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).

Uses the basic initial HTTP header.

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId	Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.
strCertId	Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
strPIXCertChainId	Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.
strURL	URL of the server PIX (ICOM or DICT).
straRequestHeaderList	Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes. This option will overwrite the default headers if they overlap. To remove a header, pass the name of the header without a value (e.g. `Accept:`). To include a header without content, use `;` instead of `:` (Ex. `Accept;`). Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally. This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual. The default initial header includes Host and User-Agent.
nTimeOut	Operation timeout time in milliseconds. Can be set to 0 for no timeout.
bUseGzip	Includes the Accept-Encoding: gzip header if basic header is enabled.
bVerifyHostName	Checks certificate with host name.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ deletePIX() [2/2]

PIXResponse deletePIX	(	String	strKeyId,
		String	strCertId,
		String	strPIXCertChainId,
		String	strURL,
		String[]	straRequestHeaderList,
		int	nTimeOut,
		int	nParam ) throws TacException

It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).

Observation: Make the timeout settings. See more details in the Best practices section.

Parameters

strKeyId Name of the private key used to close the tunnel. Corresponds to a CPIC certificate.

strCertId Name of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.

strPIXCertChainId Name of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object containing several strings.

strURL URL of the server PIX (ICOM or DICT).

straRequestHeaderList Lines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding.

nTimeOut Operation timeout time in milliseconds. Can be set to 0 for no timeout.

nParam

Value	Meaning
0	Default option.Does not check the certificate with the host name.
TacNDJavaLib.PIX_VERIFY_HOST_NAME	Checks certificate with host name.
TacNDJavaLib.PIX_BASIC_HTTP_HEADER	Uses the basic initial HTTP header. Includes Host and User-Agent.
TacNDJavaLib.PIX_GZIP	Includes the Accept-Encoding: gzip header if basic header is enabled.

Return: Response to request.

Exceptions

TacException Throws exception in case of signature errors

Notes: It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

◆ getPIXHTTPReqDetails()

PIXHTTPReqDetails getPIXHTTPReqDetails ( ) throws TacException

Retrieves the details of the last PIX HTTP request (POST, GET...) made in this session.

This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform any other operations between these calls.

Return: Details of the last PIX HTTP request for this session.

Exceptions

TacException Throws exception in case of signature errors

◆ getPIXHTTPReqCode()

long getPIXHTTPReqCode ( ) throws TacException

Retrieves the return code of the last PIX HTTP request (POST, GET...) made in this session.

This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform any other operations between these calls.

Return: HTTP return code.

Exceptions

TacException Throws exception in case of error