Configuration Signed Punch-in Attributes
Overview
Oracle CPQ 19D introduces a new configurable attribute called Signed Punch-in attributes. These attributes can be of float, integer, date, currency, boolean, or text data type. Signed Punch-in attributes can only be created with the attribute type of text field. The status of Signed Punch-in attributes can be active, inactive, or internal. Signed Punch-in attributes can also be made active during certain time periods by specifying start and end dates.
Signed Punch-in attributes are available to help ensure proper pricing information is provided only to the designated buyer. These attributes function the same as Configuration attributes except they require verification of digital signature data before pricing data is provided to the end customer. The digital signature includes the configurable attribute request data and encoded key pairing of the Oracle CPQ public key and customer private key.
The digital signature data must be generated and verified every time a Signed Punch-in Attribute pricing request is initiated. Administrators will need to define a process to automate encoding the access token, access token data, public key and private key data using a SHA-256 with RSA algorithm.
Notes:
- Oracle CPQ does not hold the private key; it is retained by the customer's system.
- Public keys are validated and stored in a secure keystore and used to verify the authorized digital signature. At runtime, public keys are retrieved from the keystore and used for encryption.
- You cannot migrate public keys between Oracle CPQ environments. The public keys can be the same for each environment, but they must be uploaded to each Commerce Process on each environment individually.
- Signed Punch-in attributes require Authentication Certificate integration. Refer to Create an Authentication Certificate Integration Type for more information.
The punch-in request includes the following parameters in the Request body of the Oracle CPQ Configuration Run-time Data REST API:
- Access Token (accessToken) - An encrypted Base64 encoded digital signature generated from the Oracle CPQ access token data and a private key using a SHA-256 with RSA algorithm.
- Access Token Data (accessTokenData) - An encoded object generated from an Oracle CPQ JSON string consisting of the expiry time, a JSON array of strings representing the permitted configurable attribute keys, and a JSON object of string values containing the configuration attribute values to be set during punch-in. Access token data can include multiple asset keys and/or configurable attribute key/value pairs.
- Public Key (publicKeyVarName) - The variable name of the public key uploaded in the Oracle CPQ Integration Center.
Configuration Run-Time Data REST API Digital Signature Parameters Example:
Data Requirements for Encoding Signed Punch-in Attribute Requests
The Signed Punch-in attribute URL includes attribute request data and encoded key pairing of the Oracle CPQ public key and customer private key. The following table defines the required data and format to make the Signed Punch-in attribute request:
Required Data | Format |
---|---|
Oracle CPQ Model Punch-in URL | The Oracle CPQ Model Punch-in URL. For client-side integrations, i.e. Oracle CX Commerce integration, the URL must include "_from_partner=true" appended to the end of the URL. For example: https://sitename.oracle.com/commerce/new_equipment/products/model_configs.jsp?segment=testbed&product_line=aBOAssetBasedOrdering&model=basicAsset&_from_partner=true |
Access Token Data | The access token data contains the following: 1. Expiry time in ISO8601 format. 2. JSON string containing the permitted asset keys. 3. JSON string containing the Configuration attribute values to be set during punch in. The access token data must be URL encoded. Example: {"expiryTime": "2019-10-26T08:46:44.849+01:00", "permittedAssetKeys": ["asset-key1", "asset-key2"],"configAttrPunchinValues": {"attr": "attrValue"}} |
Private Key | The private key is retained in the customer's system and is not stored in CPQ. The RSA private key must be in PEM format. |
Access Token | The access token is a SHA256 digest of the access token data signed with the private key that is then Base64 encoded and then URL encoded. Example: BftWNDczJttsaTJgJ3uHtBEJR1peOoMucfQy+mbgx++ahCH0jUHoN/3OZ/z8+bSBuPdw6wpm1xzSoPmKr7peekmqsaUdZu/cHoPBucPMJT7z+SwZnc3wMiauBrrHcKwT2OEvyil4fUyPYxr2XTE8wnpE0Jn87C/xwoJ4CacbRmJ |
Authentication Certificate | The authentication certificate or RSA public key must be in PEM format. Example: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQhl6E80A+3M3CwjNm9vWJMGUUp6m60eFe8/5o9esWQ+dqmfudzGw+YElC4/u02XvPcA+WVpfQ1E6VrXNCBSA1NLpPwb6WhiVi2KcBMZaI6Ze/AzSIKBrzVvC8zqjvLxFUJ0PXh9aU6d+LmMRa6l6Z72jV8aV9XrmyDFxyx480b+9wIDAQAB |
Public Key | The Oracle CPQ public key is defined using the Oracle CPQ Integration Center. This value must be in PEM format. The authentication certificate must be uploaded to the Oracle CPQ site. |
Public Key Name | The variable name of the public key set up in CPQ. Example: integ1 |
The following provides an example of the resulting punch-in URL.
In Oracle CPQ 19D, signed punch-in configurable attributes were introduced for use in the CPQ Pricing Engine. This provided secure configurable attributes for punch-in whose values cannot be changed. An example pricing scenario is wanting to determine a customer's pricing level based on the value of a configurable attribute for Account ID. In this case, you would want the Account ID attribute value to be secure so it cannot be manipulated during the punch-in to obtain a better pricing level.
In 20A, the signed punch-in configurable attribute values are available in ConfigXML and the Pipeline Viewer. This allows access to the signed punch-in configurable attributes values via BML to include them in the punch-in payload response.
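The encoding steps from the data requirements table, together with the Account ID tampering scenario above, as an added Node.js example that is not Oracle's code: the customer side signs the access token data, and a stand-in for the receiving-side check rejects an edited value or an expired token. Assumptions: the signature is RSA PKCS#1 v1.5 with SHA-256 over the raw JSON before URL encoding, and the function names, the `accountId` attribute and the key pair are hypothetical or constructed.

```javascript
// Added example, not Oracle code; function names and sample values are hypothetical.
const crypto = require('node:crypto');

// Constructed throwaway key pair (PEM). In production the private key stays in
// the customer's system and only the public key is uploaded to CPQ.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Customer side: sign the token data and encode the three parameters.
function buildPunchinParams(tokenData, privateKeyPem, publicKeyVarName) {
  const json = JSON.stringify(tokenData);
  // Assumption: RSA PKCS#1 v1.5 with SHA-256 over the UTF-8 JSON, before URL encoding.
  const sig = crypto.sign('sha256', Buffer.from(json, 'utf8'), privateKeyPem);
  return {
    accessToken: encodeURIComponent(sig.toString('base64')),
    accessTokenData: encodeURIComponent(json),
    publicKeyVarName,
  };
}

// Receiving side: decode, verify the signature, then enforce the expiry time.
function verifyPunchinParams(params, publicKeyPem, now = new Date()) {
  let json, sig;
  try {
    json = decodeURIComponent(params.accessTokenData);
    sig = Buffer.from(decodeURIComponent(params.accessToken), 'base64');
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Verify before parsing so unsigned input never reaches JSON.parse.
  if (!crypto.verify('sha256', Buffer.from(json, 'utf8'), publicKeyPem, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const data = JSON.parse(json);
  const expiry = new Date(data.expiryTime);
  if (!(expiry > now)) return { ok: false, reason: 'expired' }; // also rejects invalid dates
  return { ok: true, data };
}

// Constructed sample: the signed Account ID is edited after signing.
const tokenData = { expiryTime: '2099-01-01T00:00:00.000+00:00',
  permittedAssetKeys: ['asset-key1'], configAttrPunchinValues: { accountId: 'ACME-001' } };
const signed = buildPunchinParams(tokenData, privateKey, 'integ1');
const forged = { ...signed, accessTokenData: signed.accessTokenData.replace('ACME-001', 'VIP-999') };
console.log(verifyPunchinParams(signed, publicKey).ok, verifyPunchinParams(forged, publicKey).reason);
```

Because the expiry time sits inside the signed data, a captured request cannot have its lifetime extended without invalidating the signature.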
Administration
Implementing a Signed Punch-in Attribute with Product Pricing Administration
Notes
- Not able to be modified
- Not available for putting on a Layout
- Not available for use in BML editing
- Not available as input to rule conditions