RSA Signature Validation

To support validation of RSA-based digital signatures of incoming requests for invoking Oracle Integration flows, use the RSA_SIGNATURE_VALIDATION managed security policy. You can customize the security policy as needed for a connection definition.

Overview

RSA signature verification validates the RSA signatures that are part of incoming requests. The policy uses the JQ expressions (or flows) defined in the policy to extract the signing string and the signature from the request sent by an HTTP client, and verifies the signature against the configured signing algorithm and certificate.

After the signature is verified, the policy authorizes the request as the client application whose ID is provided in clientIdentifier, and checks that this client ID has the ServiceInvoker application role assigned.

To add the RSA Signature Validation policy to your document, use the available authentication scheme template. See Implement a New Connection Definition.

Note:

You can use this policy to verify multiple signatures in a single request.

Security Properties

A connection definition that uses this security policy defines the following properties in the securityProperties section. See Connection Properties and Sample Code.

The values in the name, displayName, shortDescription, and description columns list the default values that appear when you insert a security policy into an adapter definition document. You can update these values if needed.

Each property is listed below with its name, display name, an example value, its description, its data type, whether it is required, and the recommended hidden setting.

signature
Display name: Actual Signature
Example: ${connectivity::base64Decode(.request.token)}
Description: JQ expression or flow that extracts the signature (the raw signature bytes, after any base64 decoding) from the request. If the request carries more than one signature, the output must be an ArrayNode holding all signatures.
Data type: String
Required: Yes
Recommendation: "hidden":true

signatureString
Display name: Signing String
Example: ${.request.body}
Description: JQ expression or flow that extracts the signing string, that is, the exact bytes the client signed. If the request carries more than one signature, the output must be an ArrayNode holding all signing strings, one per signature.
Data type: String
Required: Yes
Recommendation: "hidden":true

signatureAlgorithm
Display name: Signing Algorithm
Example: SHA256withRSA
Description: Text. Enter one of the following values:

  • SHA256withRSA: RSA Signature with SHA-256

  • SHA384withRSA: RSA Signature with SHA-384

  • SHA512withRSA: RSA Signature with SHA-512

  • SHA256withRSASSA_PSS: RSASSA-PSS Signature with SHA-256

  • SHA256withRSAandMGF1: RSASSA-PSS Signature with MGF1-SHA256

  • SHA384withRSASSA_PSS: RSASSA-PSS Signature with SHA-384

  • SHA384withRSAandMGF1: RSASSA-PSS Signature with MGF1-SHA384

  • SHA512withRSASSA_PSS: RSASSA-PSS Signature with SHA-512

  • SHA512withRSAandMGF1: RSASSA-PSS Signature with MGF1-SHA512

The same algorithm is applied to every signature in the request, and it must match the one the client used: the plain SHAxxxwithRSA values select PKCS#1 v1.5 padding, the RSASSA_PSS and RSAandMGF1 values select RSASSA-PSS padding, and a signature produced under one padding scheme does not verify under the other. RFC 8017 recommends RSASSA-PSS for new applications; PKCS#1 v1.5 remains available for interoperability with existing signers.
Data type: Choice
Required: Yes
Recommendation: "hidden":true

signatureKey
Display name: Signature key alias
Example: orakey
Description: Enter one of the following values:

  • URL: The HTTPS URL that returns the X.509 certificate.

  • Alias: The alias of the digital signature certificate uploaded in Oracle Integration. For information on how to upload a digital signature certificate in Oracle Integration, see Upload a Certificate to Connect with External Services.

  • JQ/Flow: A JQ expression or flow that returns a JSON array of RSA certificate contents.

If the request carries more than one signature, either list one key per signature, separated by commas, or supply a single key that is used for all signatures. The certificate determines which signer is trusted, so do not resolve it from a value the client controls (for example, a URL or certificate taken from the request itself); an attacker who can choose the verification key can sign with a key of their own.
Data type: String
Required: Yes
Recommendation: N/A

timestampValidator
Display name: Timestamp Validation Strategy
Example: ${.request.headers.ts < now()}
Description: Optional. JQ expression or flow that validates the message timestamp or expiry and is expected to evaluate to true for an acceptable request. The example only rejects timestamps in the future; to limit replay of a captured request, also reject timestamps older than an accepted window, and include the timestamp in the signing string so that the signature covers it.
Data type: String
Required: No
Recommendation: "hidden":false

clientIdentifier
Display name: Client Identifier
Example: 741abdd2ca2ddddd055670cfa856bf
Description: The client ID used to authorize the request after the signature has been validated. The ID must belong to a valid client application in the Oracle Integration IAM domain, and that application must have the ServiceInvoker application role assigned.
Data type: String
Required: Yes
Recommendation: "hidden":false

Sample Code: Digital Signature Validation (RSA)

"securityPolicies": [
   {
      "type": "managed",
      "policy": "RSA_SIGNATURE_VALIDATION",
      "description": "Validates RSA Signature",
      "displayName": "RSA SIGNATURE VALIDATION",
      "scope": "TRIGGER",
      "securityProperties": [
         {
            "name": "signatureString",
            "displayName": "Signing String",
            "hidden": true,
            "required": true,
            "default": "${.request.body}"
         },
         {
            "name": "signature",
            "displayName": "Actual Signature",
            "hidden": true,
            "required": true,
            "default": "${connectivity::base64URLDecode(.request.query.signature)}"
         },
         {
            "name": "signatureAlgorithm",
            "displayName": "Signing Algorithm",
            "hidden": true,
            "required": true,
            "default": "SHA256withRSA"
         },
         {
            "name": "signatureKey",
            "displayName": "Certificate Alias",
            "hidden": false,
            "required": true
         },
         {
            "name": "timestampValidator",
            "displayName": "Timestamp Validation Strategy",
            "hidden": false,
            "required": false,
            "default": "${.request.headers.ts < now()}"
         },
         {
            "name": "clientIdentifier",
            "displayName": "Client Identifier",
            "hidden": false,
            "required": true
         }
      ]
   }
]
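The following is an added example and is not Oracle Integration code: a small Go program that models what the policy does with the properties above, using Go's standard crypto/rsa in place of the Oracle runtime. It assumes a request with a body, a ts header and a signature query parameter, and a lookup (ServiceInvokers) of which client IDs hold the ServiceInvoker role; all of those are assumptions made for the example. It goes one step beyond the page's ${.request.body} example on purpose: the signing string also covers the timestamp header, so the timestamp check cannot be bypassed by re-sending a captured request with a fresh ts.

```go
package main

// Added example, not Oracle Integration code: a stand-alone model of the checks
// RSA_SIGNATURE_VALIDATION applies to a trigger request and of the client-side
// signing that produces a request it accepts. Request fields, the "ts" header,
// the "signature" query parameter and the ServiceInvokers set are assumptions.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Request stands in for what the policy's JQ expressions read from .request.
type Request struct {
	Body    string
	Query   map[string]string
	Headers map[string]string
}

// Policy mirrors the securityProperties of the sample code on this page.
type Policy struct {
	SignatureAlgorithm string          // SHA256withRSA or SHA256withRSASSA_PSS
	PublicKey          *rsa.PublicKey  // key the signatureKey alias/URL resolves to
	MaxAge             time.Duration   // window enforced by timestampValidator
	ClientIdentifier   string          // client authorised after validation
	ServiceInvokers    map[string]bool // assumed IAM lookup: clients holding ServiceInvoker
}

// signingString models signatureString. Unlike the page's "${.request.body}" it
// also covers the timestamp, so a captured request cannot be replayed with a
// fresh "ts" header without invalidating the signature.
func signingString(r Request) []byte {
	return []byte(r.Headers["ts"] + "\n" + r.Body)
}

// verifyRSA maps the policy's JCA-style algorithm names onto Go's verifiers:
// SHA256withRSA is PKCS#1 v1.5, the other two names select RSASSA-PSS.
func verifyRSA(alg string, pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	switch alg {
	case "SHA256withRSA":
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	case "SHA256withRSASSA_PSS", "SHA256withRSAandMGF1":
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto})
	}
	return fmt.Errorf("unsupported signatureAlgorithm %q", alg)
}

// Validate applies the policy's checks in order: timestamp, signature, then
// authorisation of the configured clientIdentifier. nil means the request passed.
func Validate(p Policy, r Request, now time.Time) error {
	ts, err := strconv.ParseInt(r.Headers["ts"], 10, 64)
	if err != nil {
		return errors.New("ts header missing or malformed")
	}
	// timestampValidator: reject future-dated (beyond clock skew) or stale requests
	if age := now.Sub(time.Unix(ts, 0)); age < -30*time.Second || age > p.MaxAge {
		return errors.New("timestamp outside the accepted window")
	}
	// signature: "${connectivity::base64URLDecode(.request.query.signature)}"
	sig, err := base64.RawURLEncoding.DecodeString(r.Query["signature"])
	if err != nil {
		return errors.New("signature is not base64url")
	}
	if err := verifyRSA(p.SignatureAlgorithm, p.PublicKey, signingString(r), sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	if !p.ServiceInvokers[p.ClientIdentifier] {
		return errors.New("clientIdentifier lacks the ServiceInvoker role")
	}
	return nil
}

// Sign is the client side; any name other than SHA256withRSA is signed as RSASSA-PSS.
func Sign(priv *rsa.PrivateKey, alg, body string, now time.Time) (Request, error) {
	r := Request{Body: body, Query: map[string]string{},
		Headers: map[string]string{"ts": strconv.FormatInt(now.Unix(), 10)}}
	digest := sha256.Sum256(signingString(r))
	var sig []byte
	var err error
	if alg == "SHA256withRSA" {
		sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	} else {
		sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	if err != nil {
		return Request{}, err
	}
	r.Query["signature"] = base64.RawURLEncoding.EncodeToString(sig)
	return r, nil
}
```

To exercise it, generate a key with rsa.GenerateKey, build a Policy whose PublicKey is the key's public half, call Sign to produce a request and Validate to check it. Validate returns nil for the genuine request and an error once the body is altered, once the timestamp falls outside MaxAge, once a captured request is re-sent with a fresh ts header, or when the configured clientIdentifier is not in ServiceInvokers. Note that the signing string and the padding scheme must match on both sides exactly; a signer using PKCS#1 v1.5 against a policy set to SHA256withRSASSA_PSS fails just like a forged signature does.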