RSA Signature Validation
To support validation of RSA-based digital signatures of incoming requests for invoking Oracle Integration flows, use the RSA_SIGNATURE_VALIDATION
managed security policy. You can customize the security policy as needed for a connection definition.
Overview
RSA signature validation verifies the RSA signatures carried by incoming requests. The policy extracts the signing string and the signature from the request using the JQ expressions (or flows) defined in the policy, then verifies the signature with the configured algorithm and certificate.
After the signature is validated, the policy authorizes the request using the client ID supplied in clientIdentifier and checks that this client is assigned the ServiceInvoker role.
To add the RSA Signature Validation policy to your document, use the available authentication scheme template. See Implement a New Connection Definition.
Note: You can use this policy to verify multiple signatures in a single request.

Security Properties
A connection definition that uses this security policy defines the following properties in the securityProperties section. See Connection Properties and Sample Code.

The values in the name, displayName, shortDescription, and description columns list the default values that appear when you insert a security policy into an adapter definition document. You can update these values if needed.
name | displayName | shortDescription | Value Description | Data type | Required | Recommendation
---|---|---|---|---|---|---
signatureString | | | JQ expression or flow that extracts the signing string. If the request carries more than one signature, the output must be an ArrayNode holding all signing strings. | String | Yes |
signature | | | JQ expression or flow that extracts the signature. If the request carries more than one signature, the output must be an ArrayNode holding all signatures. | String | Yes |
signatureAlgorithm | | | Text. The signature algorithm; enter one of the supported values (the sample code uses SHA256withRSA). | Choice | Yes |
signatureKey | | | Enter one of the following values. URL: the HTTPS URL that returns the X.509 certificate. Alias: the alias of the digital signature certificate uploaded in Oracle Integration (for how to upload one, see Upload a Certificate to Connect with External Services). JQ/Flow: a JQ expression or flow that returns a JSON array of RSA certificate contents. If multiple signatures exist, either supply one certificate per signature, separated by commas, or use a single certificate for all signatures. | String | Yes | N/A
timestampValidator | | | Optional JQ expression or flow that validates the message timestamp or expiry. | String | No |
clientIdentifier | | | The ID used to authorize the request after signature validation. The ID must belong to a valid client application in the Oracle Integration identity domain, and that application must have the ServiceInvoker role. | String | Yes |
Sample Code: Digital Signature Validation (RSA)
"securityPolicies": [
  {
    "type": "managed",
    "policy": "RSA_SIGNATURE_VALIDATION",
    "description": "Validates RSA Signature",
    "displayName": "RSA SIGNATURE VALIDATION",
    "scope": "TRIGGER",
    "securityProperties": [
      {
        "name": "signatureString",
        "displayName": "Signature Statement",
        "hidden": true,
        "required": true,
        "default": "${.request.body}"
      },
      {
        "name": "signature",
        "displayName": "Signature",
        "hidden": true,
        "required": true,
        "default": "${connectivity::base64URLDecode(.request.query.signature)}"
      },
      {
        "name": "signatureAlgorithm",
        "displayName": "Signature Algorithm",
        "hidden": true,
        "required": true,
        "default": "SHA256withRSA"
      },
      {
        "name": "signatureKey",
        "displayName": "Certificate Alias",
        "hidden": false,
        "required": true
      },
      {
        "name": "timestampValidator",
        "displayName": "Timestamp Validator",
        "hidden": true,
        "required": false,
        "default": ""
      }
    ]
  }
]
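The following is an added example, not Oracle Integration code, that models what the sample definition above asks the platform to do: the request body is the signing string, the signature arrives base64url-encoded in the signature query parameter, the algorithm is SHA256withRSA, and each signing string is paired with its signature before the optional timestamp check runs. It assumes a request shaped as a Python dict with body and query keys, stands in Python callables for the JQ expressions, invents a ts query parameter for the timestamp validator, and writes out RSA with PKCS#1 v1.5 padding on the standard library instead of using the platform's certificate handling, so it runs offline. It also shows the multiple-signature case, where both extraction properties return arrays.

```python
"""Added example (not Oracle Integration code): a stand-alone model of how the
RSA_SIGNATURE_VALIDATION properties are consumed.  JQ expressions are stood in
for by Python callables; SHA256withRSA (RSA PKCS#1 v1.5 over SHA-256) is
written out on the standard library so the file runs offline."""
import base64
import hashlib
import hmac
import random
import time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)).  Demo size only; deploy with 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rsa_verify(pub, message: bytes, signature: bytes) -> bool:
    """SHA256withRSA: recover the encoding with the public key and compare."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def base64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def base64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_request(request: dict, policy: dict) -> bool:
    """Pair each signing string with its signature, verify every pair with
    signatureKey, then run the optional timestampValidator."""
    if policy["signatureAlgorithm"] != "SHA256withRSA":
        raise ValueError("only SHA256withRSA is modelled here")
    strings = policy["signatureString"](request)
    sigs = policy["signature"](request)
    strings = strings if isinstance(strings, list) else [strings]  # ArrayNode for multi-sig
    sigs = sigs if isinstance(sigs, list) else [sigs]
    if not sigs or len(strings) != len(sigs):
        return False
    if not all(rsa_verify(policy["signatureKey"], s.encode(), sig) for s, sig in zip(strings, sigs)):
        return False
    validator = policy.get("timestampValidator")
    return validator(request) if validator else True


def sample_policy(pub, now: int, max_skew: int = 300) -> dict:
    """The sample definition: body is the signing string, ?signature= carries
    base64url(SHA256withRSA(body)).  The ?ts= freshness check is an assumption."""
    return {
        "signatureString": lambda r: r["body"],
        "signature": lambda r: base64url_decode(r["query"]["signature"]),
        "signatureAlgorithm": "SHA256withRSA",
        "signatureKey": pub,
        "timestampValidator": lambda r: abs(now - int(r["query"]["ts"])) <= max_skew,
    }


def build_signed_request(priv, body: str, timestamp: int) -> dict:
    """Client side: what must be sent for sample_policy to accept the request."""
    return {"body": body,
            "query": {"signature": base64url_encode(rsa_sign(priv, body.encode())),
                      "ts": str(timestamp)}}


if __name__ == "__main__":
    pub, priv = generate_keypair()
    now = int(time.time())
    req = build_signed_request(priv, '{"order": 42}', now)  # constructed sample request
    print("valid:", validate_request(req, sample_policy(pub, now)))
    req["body"] = '{"order": 43}'  # body altered after signing
    print("tampered:", validate_request(req, sample_policy(pub, now)))
```

The two array-valued extractors in the multi-signature case must return the same number of elements in the same order; the model rejects a count mismatch rather than silently verifying only the pairs it can form, and it runs the timestamp validator only after every signature has verified, so a forged request never reaches the freshness check.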