JWT Setup for Oracle Fusion ERP

This blog details the steps required to set up JWT authentication for invoking ERP SOAP and REST services.

Prerequisites

  1. The SaaS user should have access to the Security Console to set up JWT

  2. A local machine which can run OpenSSL commands to generate the necessary keys

Generate an X.509 Key Pair

  1. Generate a private key (private.key)

     openssl genrsa -out private.key 2048
    
  2. Using the created private key, create an X.509 certificate (.cer file) containing your public key. Note that -days 365 sets the certificate to expire after 365 days.

     openssl req -new -x509 -key private.key -out publickey.cer -days 365
    
  3. Retrieve the x5t or fingerprint of the trusted issuer certificate. The fingerprint output will be in hexadecimal.

     openssl x509 -sha1 -in publickey.cer -noout -fingerprint
    
  4. Once the fingerprint has been retrieved, convert it to base64 using the command below. The result will be the "x5t" value in the JWT header.

     echo "<generated fingerprint>"|xxd -r -p | base64
    

Configure JWT in SaaS

  1. Log in to Fusion SaaS, then go to Navigator > [Tools] > Security Console.

  2. Click API Authentication, then click Create Oracle API Authentication Provider.

  3. On the newly opened Oracle API Authentication Provider Details page, click Edit, enter the following information, and then click Save and Close.

    Note: Trusted Issuer will be the "iss" in the JWT payload.

     Trusted Issuer : [name of the calling provider, e.g. VISION]
     Token Type : JWT
    

  4. Next, select Inbound API Authentication Public Certificates from the left-hand menu.

  5. Add New Certificate. Complete the Certificate Alias e.g. 'ORA_ASE_VISION_JWT'.

  6. Select Browse for the Import Public Certificate and navigate to the location of the publickey.cer file created in the earlier

  7. Click Save and select Done, which will return you to the API Authentication overview page.

JWT Credentials

  1. Share the following details with the development team

    • Private key

    • "x5t"

    • "iss"

  2. HEADER

    • x5t : as received above

    • typ : JWT

    • alg : RS256

        {
           "x5t":"/vxxxxY=",
           "typ":"JWT",
           "alg":"RS256"
        }
      
  3. PAYLOAD

    • sub : SaaS User

    • iss : as received above

    • exp : Unix epoch time format of when the token will expire

    • prn : SaaS User

    • iat : Unix epoch time format of when the token was generated

        {
           "sub":"SaaS User Name",
           "iss":"VISION",
           "exp":188876764,
           "prn":"SaaS User Name",
           "iat":188874764
        }
      
  4. Using the above format along with the private key, the JWT can be generated programmatically. Alternatively, you can generate a JWT using https://jwt.io/ to test the setup. The generated token can be passed as a Bearer token to Fusion SaaS REST and SOAP services.
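
One way to generate the token programmatically, as an added example that is not part of the original post or Oracle's own code. It derives "x5t" from the OpenSSL fingerprint output, builds the header and payload shown above, and signs with RS256 through the openssl CLI. The function names and the 300-second default lifetime are assumptions; private.key, publickey.cer and VISION are the values used on this page.

```python
# Added example: function names and the 300-second default lifetime are assumptions.
import base64, json, subprocess, time

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding of each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def x5t_from_fingerprint(openssl_output: str) -> str:
    """Equivalent of the page's `xxd -r -p | base64` step (standard base64)."""
    hex_part = openssl_output.strip().split("=", 1)[-1].replace(":", "")
    digest = bytes.fromhex(hex_part)  # raises ValueError on non-hex input
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 fingerprint")
    return base64.b64encode(digest).decode()

def signing_input(x5t, iss, user, ttl=300, now=None):
    """Return base64url(header) + '.' + base64url(payload)."""
    now = int(time.time()) if now is None else now
    header = {"x5t": x5t, "typ": "JWT", "alg": "RS256"}
    payload = {"sub": user, "iss": iss, "exp": now + ttl, "prn": user, "iat": now}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, payload))

def sign_rs256(message: str, key_path: str) -> str:
    """RSA PKCS#1 v1.5 signature over SHA-256, produced by the openssl CLI."""
    result = subprocess.run(["openssl", "dgst", "-sha256", "-sign", key_path],
                            input=message.encode(), capture_output=True, check=True)
    return b64url(result.stdout)

def make_jwt(x5t, iss, user, key_path, ttl=300):
    """Assemble header.payload.signature."""
    message = signing_input(x5t, iss, user, ttl)
    return message + "." + sign_rs256(message, key_path)

if __name__ == "__main__":
    # Assumes private.key and publickey.cer from the steps above are in the
    # current directory and that openssl is on PATH.
    fingerprint = subprocess.run(
        ["openssl", "x509", "-sha1", "-in", "publickey.cer", "-noout", "-fingerprint"],
        capture_output=True, text=True, check=True).stdout
    print(make_jwt(x5t_from_fingerprint(fingerprint), "VISION",
                   "SaaS User Name", "private.key"))
```

Run as a script, it prints the token to pass as the Bearer token.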