1.1.1 REST Services Security / Authentication Scheme
This topic describes the security and authentication schemes for REST services.
- Oracle FLEXCUBE Investor Servicing SMS Authentication system
- JSON Web Token (JWT)
- userId - Oracle FLEXCUBE Investor Servicing login user name
- password - Encrypted Oracle FLEXCUBE Investor Servicing login password
- msgId - A unique message ID that identifies the request
The userId and password headers should contain the userId and password that is created in the Oracle FLEXCUBE Investor Servicing application.
The password field should be encrypted with the msgId as the key.
The REST API application will decrypt the password and validate it against the Oracle FLEXCUBE Investor Servicing SMS maintenance, and will service the request only if the validation succeeds.
- Type: Bearer Token
- Token: JSON Web Token generated with one of the algorithms (HSA, RSA and ECDSA)
The external system generates the token using any one of the algorithms HSA, RSA or ECDSA, with the claims. The FCIS system maintains the public key and the clock skew shared by the external system in the database table SSTB_AUTH_DETAILS, and the key-value pairs (claims) in the table STB_JWT_PAYLOAD_DETAILS. The JWT sent by the external system is validated against the public key and the key-value pairs (claims) maintained in the FCIS system.