OCI Vault to sign request payload using private keys in Oracle Integration
- Ankur Jain
- 1994
The question often arises regarding how to sign the request payload in Oracle Integration before sending it to a third-party application. The answer isn’t straightforward, as Oracle Integration lacks built-in support for signing the payload.
In this article, we’ll guide you through the process of signing the request payload in Oracle Integration using OCI Vault. While you could use JavaScript for signing, leveraging OCI Vault provides a more secure approach.
OCI Vault:
OCI Vault is a managed service provided by Oracle Cloud Infrastructure (OCI), offering centralized management of encryption keys safeguarding your data and secret credentials used to securely access resources.
Integration use cases for Vault private keys:
- Sign Request Payload:
- Before sending the request to the third-party REST API, use external private keys to sign the payload. You can do this using various methods, such as using OCI Vault or custom code within Oracle Integration.
- If you’re using OCI Vault, integrate it into your Oracle Integration flow to securely access the private keys for signing the payload.
- Verify Signed Payload:
- Upon receiving a response from the third-party application, verify the signed payload before further processing.
- Implement logic within Oracle Integration to verify the signature using the corresponding public key. This ensures the authenticity and integrity of the received payload.
- If you’re using OCI Vault, securely retrieve the public key from the vault to perform the verification process.
Pre-requisites to sign payload using OCI Vault
- Private key file in .der format
- OpenSSL 3
The process to import a private key into the OCI Vault
Before signing/verifying the payload, a new key has to be generated by importing a wrapped file containing key data that matches the specified key shape.
Following are the steps to wrap the private key for import:
1. Download the wrapping key (an RSA public key) from OCI Vault and save it as wrappingkey.pem.
2. Generate a temporary AES key:
   openssl rand -out aeskey 32
3. Wrap the temporary AES key with the public wrapping key:
   openssl pkeyutl -encrypt -in aeskey -inkey wrappingkey.pem -pubin -out wrappedkey.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
4. Convert the temporary AES key to hex so it can be passed to openssl when wrapping the private key:
   AESKEY_HEX=$(hexdump -v -e '/1 "%02x"' < aeskey)
API to sign the payload
POST /20180608/sign