API Security Guide

Oracle Banking Origination

Release 14.7.0.0.0
Part Number F72113-01
November 2022
 Table of Contents

1. ABOUT THIS MANUAL....................................................................................................................................1

1.1 INTRODUCTION ...............................................................................................................................................1
1.2 SCOPE .............................................................................................................................................................1
1.2.1 Read Sections Completely ......................................................................................................................1
1.2.2 Understand the Purpose of this Guidance .............................................................................................1
1.2.3 Limitations .............................................................................................................................................1
2. SECURING API SERVICES .............................................................................................................................2
2.1 API SECURITY ................................................................................................................................................2
2.1.1 Register OAuth Clients with API Gateway ............................................................................................2
2.1.2 Modify Token Expiry of Registered OAuth Client ..................................................................................3
2.1.3 API Security with OAuth ........................................................................................................................4
2.1.4 Access APIs through Oracle Banking Routing Hub ..............................................................................5
2.2 LIST OF SERVICES ...........................................................................................................................................6
 1. About this Manual
1.1 Introduction
Purpose:

This guide provides security-related usage and configuration recommendations for Oracle Banking
Origination. This guide may outline procedures required to implement or secure certain features,
but it is also not a general-purpose configuration manual.

Audience:

This guide is primarily intended for Developers for Oracle Banking Origination and third party or
vendor software’s. Some information may be relevant to IT decision makers and users of the
application are also included. Readers are assumed to possess basic operating system, network,
and system administration skills with awareness of vendor/third-party software’s and knowledge of
Oracle Banking Origination application.

1.2 Scope
1.2.1 Read Sections Completely

Each section should be read and understood completely. Instructions should never be blindly
applied. Relevant discussion may occur immediately after instructions for an action, so be sure to
read whole sections before beginning implementation.

1.2.2 Understand the Purpose of this Guidance

The purpose of the guidance is to provide security-relevant code and configuration
recommendations.

1.2.3 Limitations
This guide is limited in its scope to security-related guideline for developers.

1
 2. Securing API Services

Different applications deployed on disparate platforms and using different infrastructure need to be
able to communicate and integrate seamlessly with Oracle Banking Origination to exchange data.
The Oracle Banking Origination Service API Gateway will cater to these integration needs.

The integration needs supported by the Gateway can be broadly categorized from the perspective
of the Gateway as follows:

 Inbound application integration – used when any external system needs to add, modify or
query information within Oracle Banking Origination.
 Outbound application integration – used when any external system needs to be accessed
for processing transactions within Oracle Banking Origination.

2.1 API Security

Oracle Banking Origination application provides an API Layer (also known as the Service API
Layer) which is used by external consumers to access Oracle Banking Origination’s functionality.

Access to this API layer is granted only via the following methods
- OAuth with OAM (Oracle Access Manager)
- OAuth without OAM
- Oracle Banking Routing Hub

As stated before, in case the customer does not have OAM, an enterprise API Management layer
should be implemented to protect the service API(s)

2.1.1 Register OAuth Clients with API Gateway

New Oath users can be registered with Oracle Banking Microservices Architecture using the
below endpoint.

http://<hostname>:<port>/api-gateway/createOauthUsers

Sample Headers:

Header: appId: SECSRV001

Header: Content-Type: application/json

Header: userId: <USERID>

Header: Authorization: Bearer <<JWT Access Token>>

2
 Sample Request Body:

{
"UserList": [
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
},
{
"clientId": "<< clientId >>",
"clientSecret": "<< clientSecret >>",
"validity": "<< Validity in seconds >>"
}
]
}

2.1.2 Modify Token Expiry of Registered OAuth Client

Token expiry time can be updated using the below endpoint:

http://<hostname>:<port>/api-gateway/modifyvalidity

Sample headers:

Header: appId: SECSRV001

Header: Content-Type: application/json

Header: userId: <USERID>

Header: Authorization: Bearer <<JWT Access Token>>

Sample Request Body:

{"client_id":"<< clientId >>","validity":"<< Validity in seconds >>"}

3
2.1.3 API Security with OAuth

2.1.3.1 OAuth with OAM

The flow is depicted below

 API clients pass the client id & client secret and grant type as CLIENT CREDENTIALS, to
get the access token, using the below endpoint
o /oauth2/rest/token
 API Clients will pass the access token in the Authorization Header as Bearer token in
their subsequent calls to access the Service APIs.
 API Gateway validates the client access token on OAM Authorization server
 If valid, it passes the request on to the Svc APIs and gets the response.
 The client can choose to get a new token (refresh) before the expiry of the current token.
In case the token expires, they will pass the client Id and client secret to get a new token.

2.1.3.2 OAuth without OAM

The flow for token generation is depicted below:

4
 The flow for accessing svc is depicted below:

 API clients pass the client id & client secret in the body and other required headers, to get
the access token, using the below endpoint:
http://<<hostname>>:<<port>>/api-gateway/platojwtauth/
 API Clients will pass the access token in the Authorization Header as Bearer token in
their subsequent calls to access the Service APIs.
 API Gateway validates the client access token on Authorization server
 If valid, it passes the request on to the Svc APIs and gets the response.
 The client can choose to get a new token (refresh) before the expiry of the current token.
In case the token expires, they will pass the client Id and client secret to get a new token.
 Also, an additional facility of increasing the token is provided.

2.1.4 Access APIs through Oracle Banking Routing Hub

If the external services (services in bank or consulting) need to access APIs in Oracle Banking
Microservices Architecture modules, the services will first have to generate an access token using
Oracle Banking Routing Hub endpoints and then use the token to authorize themselves to access
the endpoints.

Refer to Authentication section in Routing Hub Configuration User Guide for the further
details.

5
2.2 List of Services
Refer to the Application Program Interface Guide for the detailed inbound APIs.

https://docs.oracle.com/cd/F72113_01/api.htm

6
API Security Guide
Oracle Financial Services Software Limited
Oracle Park
Off Western Express Highway
Goregaon (East)
Mumbai, Maharashtra 400 063
India
Worldwide Inquiries:
Phone: +91 22 6718 3000
Fax: +91 22 6718 3001
https://www.oracle.com/industries/financial-services/index.html

Copyright © 2021, 2022, Oracle and/or its affiliates. All rights reserved.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be
trademarks of their respective owners.

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated
software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government
end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation
and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and
adaptation of the programs, including any operating system, integrated software, any programs installed
on the hardware, and/or documentation, shall be subject to license terms and license restrictions
applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications, including
applications that may create a risk of personal injury. If you use this software or hardware in dangerous
applications, then you shall be responsible to take all appropriate failsafe, backup, redundancy, and other
measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any
damages caused by use of this software or hardware in dangerous applications.

This software and related documentation are provided under a license agreement containing restrictions
on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in
your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast,
modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any
means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for
interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free.
If you find any errors, please report them to us in writing.

This software or hardware and documentation may provide access to or information on content, products
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle
Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your
access to or use of third-party content, products, or services.