Configuration Signed Punch-in Attributes

Overview

Oracle CPQ 19D introduces a new configurable attribute called Signed Punch-in attributes. These attributes can be of float, integer, date, currency, boolean, or text data type. Signed Punch-in attributes can only be created with the attribute type of text field. The status of Signed Punch-in attributes can be active, inactive, or internal. Signed Punch-in attributes can also be made active during certain time periods by specifying start and end dates.

Unlike Configuration attributes, Signed Punch-in attributes cannot be Array attributes, Multi Select Menu attributes, Single Select Menu attributes, Pick List attributes, or HTML attributes.

Signed Punch-in attributes are available to help ensure proper pricing information is provided only to the designated buyer. These attributes function the same as Configuration attributes except they require verification of digital signature data before pricing data is provided to the end customer. The digital signature includes the configurable attribute request data and encoded key pairing of the Oracle CPQ public key and customer private key.

The digital signature data must be generated and verified every time a Signed Punch-in Attribute pricing request is initiated. Administrators will need to define a process to automate encoding the access token, access token data, public key and private key data using a SHA-256 with RSA algorithm.

Notes:

  • Oracle CPQ does not hold the private key; it is retained by the customer's system.
  • Public keys are validated and stored in a secure keystore and used to verify the authorized digital signature. At runtime, public keys are retrieved from the keystore and used for encryption.
  • You cannot migrate public keys between Oracle CPQ environments. The public keys can be the same for each environment, but they must be uploaded to each Commerce Process on each environment individually.
  • Signed Punch-in attributes require Authentication Certificate integration. Refer to Create an Authentication Certificate Integration Type for more information.

The punch-in request includes the following parameters in the Request body of the Oracle CPQ Configuration Run-time Data REST API:

Data Requirements for Encoding Signed Punch-in Attribute Requests

The Signed Punch-in attribute URL includes attribute request data and encoded key pairing of the Oracle CPQ public key and customer private key. The following table defines the required data and format to make the Signed Punch-in attribute request:

Required Data Format
Oracle CPQ Model Punch-in URL

The Oracle CPQ Model Punch-in URL.

For client-side integrations, i.e. Oracle CX Commerce integration, the URL must include "_from_partner=true" appended to the end of the URL.

For example: https://sitename.oracle.com/commerce/new_equipment/products/model_configs.jsp?segment=testbed&product_line=aBOAssetBasedOrdering&model=basicAsset&_from_partner=true

Access Token Data

The access token data contains the following:

1. Expiry time in ISO8601 format.

2. JSON string containing the permitted asset keys.

3. JSON string containing the Configuration attribute values to be set during punch in.

The access token data must be URL encoded.

Example:

{"expiryTime": "2019-10-26T08:46:44.849+01:00", "permittedAssetKeys": ["asset-key1", "asset-key2"],"configAttrPunchinValues": {"attr": "attrValue"}}

Private Key

The private key is retained in the customer's system and is not stored in CPQ. The RSA private key must be in PEM format.

Access Token

The access token is a SHA256 digest of the access token data signed with the private key that is then Base64 encoded and then URL encoded.

Example:

BftWNDczJttsaTJgJ3uHtBEJR1peOoMucfQy+mbgx++ahCH0jUHoN/3OZ/z8+bSBuPdw6wpm1xzSoPmKr7peekmqsaUdZu/cHoPBucPMJT7z+SwZnc3wMiauBrrHcKwT2OEvyil4fUyPYxr2XTE8wnpE0Jn87C/xwoJ4CacbRmJ

Authentication Certificate

The authentication certificate or RSA public key must be in PEM format.

Example:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQhl6E80A+3M3CwjNm9vWJMGUUp6m60eFe8/5o9esWQ+dqmfudzGw+YElC4/u02XvPcA+WVpfQ1E6VrXNCBSA1NLpPwb6WhiVi2KcBMZaI6Ze/AzSIKBrzVvC8zqjvLxFUJ0PXh9aU6d+LmMRa6l6Z72jV8aV9XrmyDFxyx480b+9wIDAQAB

Public Key

The Oracle CPQ public key is defined using the Oracle CPQ Integration Center. This value must be in PEM format. The authentication certificate must be uploaded to the Oracle CPQ site.

Public Key Name

The variable name of the public key set up in CPQ.

Example: integ1

The following provides an example of the resulting punch-in URL.

[Image: example of the resulting punch-in URL]
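
The signing step from the table above, together with the matching verification, as an added example (not Oracle's code and not part of the original page). It shows why both values need URL encoding and that a changed attribute value or a passed expiry time is rejected. Assumptions: the key pair is generated in-process as a stand-in for the customer's PEM key, the function names are hypothetical, the signature is computed over the raw JSON string before URL encoding, and the verifier illustrates the receiver-side check rather than CPQ's implementation.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in key pair. In a real integration the PEM private key
// stays in the customer's system; only the public key is uploaded to CPQ.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// Hypothetical helper: builds the access token data and the access token.
function buildSignedToken(privateKeyPem, expiryTime, permittedAssetKeys, attrValues) {
  const tokenData = JSON.stringify({
    expiryTime,
    permittedAssetKeys,
    configAttrPunchinValues: attrValues,
  });
  // SHA-256 with RSA (PKCS#1 v1.5). Assumption: the signature covers the
  // raw JSON string, before URL encoding.
  const signature = crypto.sign("sha256", Buffer.from(tokenData, "utf8"), privateKeyPem);
  return {
    accessTokenData: encodeURIComponent(tokenData),
    // Base64 output contains '+', '/' and '=', so it is URL encoded too.
    accessToken: encodeURIComponent(signature.toString("base64")),
  };
}

// Hypothetical receiver-side check: signature first, then expiry.
function verifySignedToken(publicKeyPem, accessTokenData, accessToken, now = new Date()) {
  let tokenData, signature;
  try {
    tokenData = decodeURIComponent(accessTokenData);
    signature = Buffer.from(decodeURIComponent(accessToken), "base64");
  } catch (err) {
    return { valid: false, reason: "malformed" };
  }
  const ok = crypto.verify("sha256", Buffer.from(tokenData, "utf8"), publicKeyPem, signature);
  if (!ok) return { valid: false, reason: "bad signature" };
  const data = JSON.parse(tokenData);
  // An unparseable expiryTime yields an invalid Date and is rejected as well.
  if (!(new Date(data.expiryTime) > now)) return { valid: false, reason: "expired" };
  return { valid: true, data };
}
```
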

In Oracle CPQ 19D, signed punch-in configurable attributes were introduced for use in the CPQ Pricing Engine. This provided secure configurable attributes for punch-in whose values cannot be changed. An example pricing scenario is wanting to determine a customer's pricing level based on the value of a configurable attribute for Account ID. In this case, you would want the Account ID attribute value to be secure so it cannot be manipulated during the punch-in to obtain a better pricing level.

In 20A, the signed punch-in configurable attribute values are available in ConfigXML and the Pipeline Viewer. This allows access to the signed punch-in configurable attributes values via BML to include them in the punch-in payload response.

Administration

Implementing a Signed Punch-in Attribute with Product Pricing Administration

If you are implementing Signed Punch-in attributes, administrators need to complete the following steps:

1. Define a process to automate encoding and verifying the digital signature data every time a Signed Punch-in Attribute request is initiated. Refer to Data Requirements for Encoding Signed Punch-in Attribute Requests.

2. Create a Signed Punch-in attribute. Refer to Adding an Attribute within Configurable Attributes Overview.

3. Map a Price attribute to the Signed Punch-in attribute. Refer to Add a Price Attribute.


Notes

A Signed Punch-in attribute functions the same as a Configuration attribute except that private and public key data is assigned to a Signed Punch-in attribute and this secure access token is verified when a pricing request is made.
Signed Punch-in Attributes are:
  • Not able to be modified
  • Not available for putting on a Layout
  • Not available for use in BML editing
  • Not available as input to rule conditions
