OCI Vault to sign request payload using private keys in Oracle Integration

The question often arises regarding how to sign the request payload in Oracle Integration before sending it to a third-party application. The answer isn’t straightforward, as Oracle Integration lacks built-in support for signing the payload.

In this article, we’ll guide you through the process of signing the request payload in Oracle Integration using OCI Vault. While you could use JavaScript for signing, leveraging OCI Vault provides a more secure approach.

OCI Vault:

OCI Vault is a managed service provided by Oracle Cloud Infrastructure (OCI), offering centralized management of encryption keys safeguarding your data and secret credentials used to securely access resources.

Integration use-case to use Vault private keys:

  1. Sign Request Payload:
    • Before sending the request to the third-party REST API, use external private keys to sign the payload. You can do this using various methods, such as using OCI Vault or custom code within Oracle Integration.
    • If you’re using OCI Vault, integrate it into your Oracle Integration flow to securely access the private keys for signing the payload.
  2. Verify Signed Payload:
    • Upon receiving a response from the third-party application, verify the signed payload before further processing.
    • Implement logic within Oracle Integration to verify the signature using the corresponding public key. This ensures the authenticity and integrity of the received payload.
    • If you’re using OCI Vault, securely retrieve the public key from the vault to perform the verification process.

Pre-requisites to sign payload using OCI Vault

  • Private key file in .der format
  • OpenSSL 3

The process to import a private key into the OCI Vault

Before signing/verifying the payload, a new key has to be generated by importing a wrapped file containing key data that matches the specified key shape.

Following are the steps to wrap the private key:

  1. Download the wrapping key from OCI Vault
  2. Generate a temporary AES key:
     openssl rand -out aeskey 32
  3. Wrap the temporary AES key with the public wrapping key:
     openssl pkeyutl -encrypt -in aeskey -inkey wrappingkey.pem -pubin -out wrappedkey.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  4. Generate the hexadecimal of the temporary AES key material:
     AESKEY_HEX=$(hexdump -v -e '/1 "%02x"' < aeskey)
  5. Wrap your RSA private key with the temporary AES key:
     openssl enc -id-aes256-wrap-pad -iv A65959A6 -K $AESKEY_HEX -in rsaprivkey.der -out rsawrapkey.bin
  6. Create the wrapped key material by concatenating both wrapped keys:
     cat wrappedkey.bin rsawrapkey.bin > rsafinalwrap.bin

The final key rsafinalwrap.bin has to be uploaded to the OCI Vault.
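The six wrapping steps above, as an added example that is not part of the original post and not Oracle's code: it performs the same operations with the Python `cryptography` package instead of the openssl CLI, so the whole thing runs offline. The Vault wrapping key is stood in for by a locally generated RSA key pair (an assumption; in a real import you use the public wrapping key downloaded from OCI Vault in step 1), and the key to import is a freshly generated RSA key written as unencrypted PKCS#8 DER, playing the role of rsaprivkey.der. The `unwrap_private_key` function shows what the receiving side has to do with the concatenated blob, which is why the split point matters.

```python
# Added example (not from the original post): the six-step wrapping
# procedure done with the `cryptography` package instead of the openssl CLI.
# The Vault wrapping key is simulated by a local RSA key pair (assumption).
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# RSA-OAEP with SHA-256, the same as
# "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256" in step 3.
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)


def wrap_private_key(private_key_der: bytes, wrapping_public_key) -> bytes:
    """Return the blob (rsafinalwrap.bin in the post) that is uploaded to Vault."""
    # Step 2: temporary 256-bit AES key ("openssl rand -out aeskey 32").
    aes_key = os.urandom(32)
    # Step 3: wrap the AES key with the Vault wrapping key (RSA-OAEP/SHA-256).
    wrapped_aes_key = wrapping_public_key.encrypt(aes_key, OAEP_SHA256)
    # Step 5: AES key wrap with padding (RFC 5649) of the private-key DER.
    # This is what "openssl enc -id-aes256-wrap-pad -iv A65959A6" does; the
    # IV A65959A6 is the RFC 5649 alternative IV, which this function uses
    # internally, so it is not passed explicitly. Step 4 (hex-encoding the
    # AES key) is only needed to hand the key to the CLI and has no
    # equivalent here.
    wrapped_private_key = aes_key_wrap_with_padding(aes_key, private_key_der)
    # Step 6: concatenate both wrapped pieces ("cat wrappedkey.bin rsawrapkey.bin").
    return wrapped_aes_key + wrapped_private_key


def unwrap_private_key(blob: bytes, wrapping_private_key) -> bytes:
    """Receiving side: split the blob, recover the AES key, unwrap the DER."""
    # The RSA-OAEP ciphertext is exactly as long as the wrapping key's
    # modulus, so the split point is the wrapping key size in bytes.
    split = wrapping_private_key.key_size // 8
    aes_key = wrapping_private_key.decrypt(blob[:split], OAEP_SHA256)
    return aes_key_unwrap_with_padding(aes_key, blob[split:])


def demo() -> bool:
    """Round trip: the unwrapped DER must equal the original private key."""
    # Stand-in for the Vault wrapping key pair (constructed for this example).
    wrapping_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # The key to import (rsaprivkey.der in the post) as unencrypted PKCS#8 DER.
    key_to_import = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_der = key_to_import.private_bytes(
        serialization.Encoding.DER,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    blob = wrap_private_key(key_der, wrapping_key.public_key())
    return unwrap_private_key(blob, wrapping_key) == key_der


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The temporary AES key exists only in memory here; with the CLI version it is written to the file `aeskey`, so delete that file and the unwrapped `rsaprivkey.der` once `rsafinalwrap.bin` has been uploaded, since anyone holding them holds the signing key.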

API to sign the payload

POST /20180608/sign

Request Payload:
{
  "keyId" : "",
  "message" : "",
  "signingAlgorithm" : "SHA256_RSA_PKCS_PSS"
}

Response Payload:
{
  "keyId" : "",
  "keyVersionId" : "",
  "signature" : "",
  "signingAlgorithm" : "SHA256_RSA_PKCS_PSS"
}
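The sign request and response above, together with the "Verify Signed Payload" use-case from earlier, as an added example that is not part of the original post and not Oracle's code. Vault's side of the exchange is stood in for by a locally generated RSA key (an assumption) so the round trip runs offline; the OCIDs are placeholders, the `signingAlgorithm` string is copied from the post, and the PSS parameters (SHA-256, MGF1 with SHA-256, salt as long as the digest) are an assumption about what the service uses. The receiver-side check returns a plain boolean rather than raising, and a tampered payload is tried as well.

```python
# Added example (not from the original post): build the body for
# POST /20180608/sign, produce a response of the documented shape with a
# local key standing in for Vault (assumption), and verify the signature
# with the public key on the receiving side.
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: RSA-PSS with SHA-256, MGF1/SHA-256 and a salt as long as the
# digest. Whatever the signer uses, the verifier's PSS parameters must match.
PSS_SHA256 = padding.PSS(
    mgf=padding.MGF1(hashes.SHA256()), salt_length=hashes.SHA256().digest_size
)
SIGNING_ALGORITHM = "SHA256_RSA_PKCS_PSS"  # value as given in the post


def build_sign_request(key_id: str, payload: bytes) -> dict:
    """Body for POST /20180608/sign; `message` carries the payload base64-encoded."""
    return {
        "keyId": key_id,
        "message": base64.b64encode(payload).decode("ascii"),
        "signingAlgorithm": SIGNING_ALGORITHM,
    }


def vault_sign(request: dict, signing_key, key_version_id: str) -> dict:
    """Stand-in for the Vault side: sign the decoded message, return the response shape."""
    message = base64.b64decode(request["message"])
    signature = signing_key.sign(message, PSS_SHA256, hashes.SHA256())
    return {
        "keyId": request["keyId"],
        "keyVersionId": key_version_id,
        "signature": base64.b64encode(signature).decode("ascii"),
        "signingAlgorithm": request["signingAlgorithm"],
    }


def verify_signed_payload(payload: bytes, response: dict, public_key) -> bool:
    """Receiver-side check: True only if the signature matches these exact bytes."""
    # Refuse anything but the expected algorithm before touching the signature.
    if response.get("signingAlgorithm") != SIGNING_ALGORITHM:
        return False
    try:
        signature = base64.b64decode(response["signature"], validate=True)
        public_key.verify(signature, payload, PSS_SHA256, hashes.SHA256())
    except (InvalidSignature, ValueError, KeyError):
        return False
    return True


def demo() -> tuple:
    """Sign a constructed JSON payload, verify it, then verify a tampered copy."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Constructed sample payload; the signed bytes are the serialised form,
    # so the receiver must verify the bytes as received, not a re-serialised
    # copy of the parsed JSON.
    payload = json.dumps({"orderId": "ORD-1001", "amount": "42.50"}).encode()
    request = build_sign_request("ocid1.key.oc1..PLACEHOLDER", payload)
    response = vault_sign(request, key, "ocid1.keyversion.oc1..PLACEHOLDER")
    ok = verify_signed_payload(payload, response, key.public_key())
    tampered = verify_signed_payload(
        payload.replace(b"42.50", b"99.00"), response, key.public_key()
    )
    return ok, tampered


if __name__ == "__main__":
    print("genuine verifies, tampered verifies:", demo())
```

In an Oracle Integration flow the `build_sign_request` output is what the REST call to Vault sends, and only `verify_signed_payload` runs on the receiving side, with the public key retrieved from the vault as the use-case describes.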

We have captured all the necessary steps to show how to create a Vault, wrap private keys, sign data, etc. in the following video. Please watch it end to end.

If you found this article valuable, we would greatly appreciate your support through likes, comments, and shares. Additionally, we invite you to subscribe to our YouTube channel for more insightful videos. Don’t miss out on our latest updates – be sure to click the subscribe button to stay informed about our newest content.

Further readings:

About the Salesforce REST Adapter

Leveraging Salesforce REST adapter to push accounts to Database

OData adapter in Oracle Integration-3

Place the file in ATP from BIP using OIC

Place the file in Object Storage from BIP using OIC

How to write files using an OIC FTP adapter