
Security – Oracle ERP Cloud

Sending Rates

FXLoader sends rates by calling a web service provided by Oracle ERP Cloud. The web service authenticates as a user that must exist in Oracle ERP Cloud and have the roles needed to create Daily Rates. The user can be authenticated either with a password or with a JSON Web Token (JWT). Note that the JWT option is only available with the Enterprise Plan of FXLoader.

When

The user must be created in Oracle ERP Cloud before setting up the Instance in FXLoader.

Oracle ERP Cloud User Requirements

For loading to test instances, you can use an existing user. Any user with the role General Accounting Manager will work.

For loading to production, we recommend creating a new user which only has the ability to create Daily Rates.

The Privileges needed are:

| Privilege Name | Privilege Code |
| --- | --- |
| Access FSCM Integration Rest Service | FUN_FSCM_REST_SERVICE_ACCESS_INTEGRATION_PRIV |
| Load File to Interface | FUN_FSCM_FILE_TO_INTERFACE_PRIV |
| Load Interface File for Import | FUN_FSCM_LOAD_INTERFACES_PRIV |
| Manage File Import and Export | FND_MANAGE_FILE_IMPORT_AND_EXPORT_PRIV |
| Transfer File | FUN_FSCM_TRANSFER_FILE_PRIV |
| Define Conversion Rate Type* | GL_SET_UP_CURRENCY_CONVERSION_RATE_TYPE_PRIV |
| Maintain Daily Conversion Rate* | GL_MAINTAIN_DAILY_CURRENCY_CONVERSION_RATE_PRIV |
| Run Daily Rates Import and Calculation Program* | GL_RUN_DAILY_RATES_IMPORT_AND_CALCULATION_PROGRAM_PRIV |
| View Daily Conversion Rate* | GL_VIEW_DAILY_CURRENCY_CONVERSION_RATE_PRIV |

You will need to create a new Job Role to contain these privileges. They can be added individually, or by selecting the following roles:

| Role Name | Role Code |
| --- | --- |
| FSCM Load Interface Administration | ORA_FUN_FSCM_LOAD_INTERFACE_ADMIN_DUTY |
| Daily Rates Administration Duty* | GL_DAILY_RATES_MANAGEMENT_DUTY |

* Some environments do not have the role ‘Daily Rates Administration Duty’, so you will need to add the four privileges it contains, marked above, manually if you can’t find it. If you can’t find these privileges, you may need to run the ‘Import User and Role Application Security Data’ job first.

The user may also need the Employee role (code PER_EMPLOYEE_ABSTRACT) in order to submit ESS requests, but not all environments report needing this.

Note: Oracle web services do not currently support SSO (Single Sign On). So if you have SSO enabled, the user will either need to be non-SSO, or if you set them up as SSO you will need to set the password explicitly in Oracle ERP Cloud (if using the password to authenticate) and use the username listed there.

Create and Assign the New Role

The following are example steps to create a new role for FXLoader and assign it to your user, using the Security Console in Oracle ERP Cloud.

  1. Click Create Role and enter:

    Role Name: FXLoader Rates

    Role Code: FXLOADER_RATES

    Role Category: Financials – Job Roles

  2. Click Next and enter Function Security Policies:

    The quickest way is to click Add Function Security Policy and search for the following two roles, to add the Privileges from them:

    FSCM Load Interface Administration

    Daily Rates Administration Duty

  3. Click Next till you reach the end of the steps and Save – Data Policies are not needed.

  4. Create a new User and add this new role only.
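One way to confirm that the production user stays limited to what this page lists, as an added example (not FXLoader or Oracle code): it compares a role/privilege listing against the nine privilege codes above and tolerates codes broken by line wrapping. The CSV layout, the sample rows and the EXAMPLE_* codes are constructed for illustration.

```python
import csv
import io
import re

JOB_ROLE = "FXLOADER_RATES"  # role code from the steps above
OPTIONAL_ROLES = {"PER_EMPLOYEE_ABSTRACT"}  # Employee role, needed in some environments
REQUIRED = {  # the nine privilege codes listed on this page
    "FUN_FSCM_REST_SERVICE_ACCESS_INTEGRATION_PRIV",
    "FUN_FSCM_FILE_TO_INTERFACE_PRIV",
    "FUN_FSCM_LOAD_INTERFACES_PRIV",
    "FND_MANAGE_FILE_IMPORT_AND_EXPORT_PRIV",
    "FUN_FSCM_TRANSFER_FILE_PRIV",
    "GL_SET_UP_CURRENCY_CONVERSION_RATE_TYPE_PRIV",
    "GL_MAINTAIN_DAILY_CURRENCY_CONVERSION_RATE_PRIV",
    "GL_RUN_DAILY_RATES_IMPORT_AND_CALCULATION_PROGRAM_PRIV",
    "GL_VIEW_DAILY_CURRENCY_CONVERSION_RATE_PRIV",
}
# Constructed sample listing (assumed layout: one role/privilege pair per row).
SAMPLE = """role_code,privilege_code
FXLOADER_RATES,FUN_FSCM_REST_SERVICE_ACCESS_INTEGRATIO N_PRIV
FXLOADER_RATES,FUN_FSCM_FILE_TO_INTERFACE_PRIV
FXLOADER_RATES,FUN_FSCM_LOAD_INTERFACES_PRIV
FXLOADER_RATES,FND_MANAGE_FILE_IMPORT_AND_EXPORT_PRIV
FXLOADER_RATES,FUN_FSCM_TRANSFER_FILE_PRIV
FXLOADER_RATES,GL_SET_UP_CURRENCY_CONVERSION_RATE_TYPE_PRIV
FXLOADER_RATES,gl_maintain_daily_currency_conversion_rate_priv
FXLOADER_RATES,GL_RUN_DAILY_RATES_IMPORT_AND_CALCULATION_PROGRAM_PRIV
FXLOADER_RATES,EXAMPLE_EXTRA_PRIV
PER_EMPLOYEE_ABSTRACT,
EXAMPLE_BROAD_JOB_ROLE,EXAMPLE_OTHER_PRIV
"""


def normalise(code):
    """Upper-case a code and strip whitespace left by line-wrapped copy/paste."""
    return re.sub(r"\s+", "", code or "").upper()


def audit(listing):
    """Return privileges missing from or surplus to JOB_ROLE, and unexpected roles."""
    rows = [(normalise(r["role_code"]), normalise(r["privilege_code"]))
            for r in csv.DictReader(io.StringIO(listing))]
    granted = {priv for role, priv in rows if role == JOB_ROLE and priv}
    roles = {role for role, _ in rows if role}
    return {
        "missing": sorted(REQUIRED - granted),
        "surplus": sorted(granted - REQUIRED),
        "unexpected_roles": sorted(roles - OPTIONAL_ROLES - {JOB_ROLE}),
    }
```

Calling `audit(SAMPLE)` reports one missing privilege, one surplus privilege and one unexpected role for the constructed listing.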

Authentication via Password

The web service allows authentication via username and password. If the user is SSO enabled, you will need to use the username and password stored in Oracle ERP Cloud as the web services do not support SSO.

Password Expiry

If your policies allow the password to be set to never expire, this can be done in Oracle ERP Cloud – see My Oracle Support document ‘How To Extend Password Expiration Date for Integration User Accounts (Doc ID 2394923.1)’.

If not, we recommend you set a reminder to change the password before it expires. It will need to be changed in Oracle ERP Cloud and updated in FXLoader. There are separate instructions for updating the password in FXLoader, or our support team can do it on request.

If the password does expire, the next FXLoader run will fail with a message indicating a problem with the username or password. Our support team will act on this notification and help you resolve it.

Password Storage

The ERP Cloud username and password are entered against the Instance in the FXLoader Cloud Service. These are stored and used in the call to the Oracle web service (ERPIntegrationService) in Oracle ERP Cloud.

The following security applies to the password entered against the Instance:

  • The password field is never displayed, and the type of field used means it is never stored in session state.

  • The password is encrypted in the database using DBMS_CRYPTO with AES256 encryption.

  • Best practices for storage are used, including separate randomly generated keys and schema separation.

Authentication via JWT – JSON Web Token

JSON Web Token (JWT) is a compact token format that lets a client application authorize a user account without using a password.

A JWT has a username or a principal and an expiration period for the token.

This type of authentication requires configuring an Oracle API Authentication provider in the security console of the Oracle ERP Cloud environment.

FXLoader Cloud Service Configuration

On the Instances page, select Authentication Type as Json Web Token. The Configure JWT button opens a pop-up where keys for the API issuer can be generated.

It is possible to generate up to two certificate keys, each for one issuer key, FXLKP1 or FXLKP2. However, only one key can be activated at any given time. This helps with the switch over to a new certificate when the active one is about to expire.

The certificates generated are unique for the environment being set up. The generated certificate keys are encrypted in the database using DBMS_CRYPTO with AES256 encryption.

The issuer tag FXLKP1 or FXLKP2 must be used to configure the API authentication on the Oracle Cloud ERP instance, using the public certificate that can be retrieved with the Pub Key download button.

Oracle Fusion ERP Cloud Configuration

  1. Navigate to Tools > Security Console.

  2. Click Create Oracle API Authentication Provider.

  3. Create a JWT type Trusted issuer: FXLKP1 or FXLKP2.

  4. Upload the public certificate downloaded from the FXLoader Cloud Service. Please note the suffix certificate alias should match the trusted issuer that is being set up (FXLKP1 or FXLKP2).

Certificate Expiry

  • Set a reminder for 30 days before the certificate expires, and at that point generate a new one in the FXLoader Cloud Service using the non-active issuer (FXLKP1 or FXLKP2).

  • Create this in Oracle ERP Cloud as above.

  • Switch over the Instance in the FXLoader Cloud Service to this new issuer and use the Send Test button to check it is working. If there are any problems, you can switch back to the original issuer whilst they are resolved.
