
OIC REST Adapter invoke using AWS Signature Version 4 Security Policy failing with "The request signature we calculated does not match the signature you provided" (Doc ID 2736005.1)

Last updated on DECEMBER 14, 2020

Applies to:

Oracle Integration-OIC - Version 18.2.5 and later
Information in this document applies to any platform.

Goal

When the OIC REST Adapter is used to POST to an AWS service with the AWS Signature Version 4 Security Policy, the invoke fails with a 403 error and AWS returns the following reason:

SignatureDoesNotMatch - "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details".

[2020-12-10T02:27:10.509+00:00] [oic_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '45' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: XXXXXXXXXX] [ecid: 19382651-3a8b-42c5-9571-2a7e7ef225dc-00034976,1:23915:3] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.soa.tracking.FlowId: 47603904] [oracle.soa.tracking.InstanceId: 15674138] [oracle.soa.tracking.SCAEntityId: 150029] [composite_name: MYINTEGRATION!01.00.0000] [FlowId: 0000NOf^l7y7U8cLxiCCyW1VmALG0001D9] JCABinding <outbound> Integration Payload : [[

]]
[2020-12-10T02:27:10.509+00:00] [oic_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '45' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: XXXXXXXXXX] [ecid: 19382651-3a8b-42c5-9571-2a7e7ef225dc-00034976,1:23915:3] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.soa.tracking.FlowId: 47603904] [oracle.soa.tracking.InstanceId: 15674138] [oracle.soa.tracking.SCAEntityId: 150029] [composite_name: MYINTEGRATION!01.00.0000] [FlowId: 0000NOf^l7y7U8cLxiCCyW1VmALG0001D9] JCABinding <outbound> <execute xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns0="http://www.oracle.com/XSL/Transform/java/oracle.tip.dvm.LookupValue" xmlns:ns2="http://xmlns.oracle.com/cloud/generic/rest/fault/REST/PostAWS" xmlns:ns1="http://xmlns.oracle.com/cloud/adapter/REST/PostAWS_REQUEST" xmlns:ns3="http://www.oracle.com/XSL/Transform/java/com.bea.wli.sb.resources.icsxpathfunctions.ICSInstanceTrackingFunctions" xmlns:ns20="http://queue.amazonaws.com/doc/2012-11-05/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:ns21="http://xmlns.oracle.com/cloud/adapter/connectivityproperties/REST/PostAWS_REQUEST/RESTOUTREQ" xmlns:dvm="http://www.oracle.com/XSL/Transform/java/com.bea.wli.sb.functions.dvm.DVMFunctions" xmlns:nstrgmpr="http://xmlns.oracle.com/cloud/adapter/REST/PostAWS_REQUEST/types" xmlns:ns19="http://xml.oracle.com/adapters/extension" xmlns:ns18="http://xml.oracle.com/types/REST/PostAWS_REQUEST" xmlns="http://xmlns.oracle.com/cloud/adapter/REST/PostAWS_REQUEST/types">[[
<nstrgmpr:QueryParameters>
<ns18:Action>SendMessage</ns18:Action>
<ns18:MessageBody>&lt;?xml version="1.0" encoding="UTF-8"?>&lt;messages>&lt;id>ZZZ&lt;/id>&lt;source>test0&lt;/source>&lt;resource>contact&lt;/resource>&lt;operation>insert&lt;/operation>&lt;timestamp>1607048836000&lt;/timestamp>&lt;version>1&lt;/version>&lt;payload>&lt;event_type>New Contact&lt;/event_type>&lt;updatedBy>YYY&lt;/updatedBy>&lt;test1>&lt;/test1>&lt;row_id>XXXX&lt;/row_id>&lt;/payload>&lt;/messages></ns18:MessageBody>
</nstrgmpr:QueryParameters>
</execute>

]]
[2020-12-10T02:27:10.510+00:00] [oic_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '45' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: XXXXXXXXXX] [ecid: 19382651-3a8b-42c5-9571-2a7e7ef225dc-00034976,1:23915:3] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.soa.tracking.FlowId: 47603904] [oracle.soa.tracking.InstanceId: 15674138] [oracle.soa.tracking.SCAEntityId: 150029] [composite_name: MYINTEGRATION!01.00.0000] [FlowId: 0000NOf^l7y7U8cLxiCCyW1VmALG0001D9] JCABinding <outbound> Query Params : [[
[Action : [SendMessage]]
[MessageBody : [<?xml version="1.0" encoding="UTF-8"?><messages><id>ZZZ</id><source>test0</source><resource>contact</resource><operation>insert</operation><timestamp>1607048836000</timestamp><version>1</version><payload><event_type>New Contact</event_type><updatedBy>YYY</updatedBy><test1></test1><row_id>XXXX</row_id></payload></messages>]]

]]
[2020-12-10T02:27:10.510+00:00] [oic_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '45' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: XXXXXXXXXX] [ecid: 19382651-3a8b-42c5-9571-2a7e7ef225dc-00034976,1:23915:3] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.soa.tracking.FlowId: 47603904] [oracle.soa.tracking.InstanceId: 15674138] [oracle.soa.tracking.SCAEntityId: 150029] [composite_name: MYINTEGRATION!01.00.0000] [FlowId: 0000NOf^l7y7U8cLxiCCyW1VmALG0001D9] JCABinding <outbound> Curl command : [[
curl -X POST https://xxx.yyyy.amazonaws.com/123456789012/test-service?Action=SendMessage&MessageBody=xxxxxxxxxxxxxxxxxxx -H "Accept:application/xml" -H "User-Agent:oracle-cloud-rest/20.4.3" -H "X-Amz-Date:**********" -H "Host:xxx.yyyy.amazonaws.com" -H "x-amz-content-sha256:**********" -H "Authorization:**********"
]]
.
.
.
.

[2020-12-10T02:27:07.865+00:00] [oic_server1] [ERROR] [] [oracle.soa.adapter] [tid: [ACTIVE].ExecuteThread: '45' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: XXXXXXXXXX] [ecid: 19382651-3a8b-42c5-9571-2a7e7ef225dc-00034976,1:23915:3] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.soa.tracking.FlowId: 47603904] [oracle.soa.tracking.InstanceId: 15674138] [oracle.soa.tracking.SCAEntityId: 150029] [composite_name: MYINTEGRATION!01.00.0000] [FlowId: 0000NOf^l7y7U8cLxiCCyW1VmALG0001D9] Response cannot be handled by the Generic REST adapter.Fault Details : [[
<ns2:APIInvocationError xmlns:ns2="http://xmlns.oracle.com/cloud/generic/rest/fault/REST/PostAWS"><ns2:type/><ns2:title/><ns2:detail/><ns2:errorCode/><ns2:errorDetails><ns2:type>http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4</ns2:type><ns2:title>Forbidden</ns2:title><ns2:errorCode>403</ns2:errorCode><ns2:errorPath>&lt;![CDATA[POST https://xxx.yyyy.amazonaws.com/123456789012/test-service?Action=SendMessage&amp;MessageBody=xxxxxxxxxxxxxxxxxxx returned a response status of 403 Forbidden]]&gt;</ns2:errorPath><ns2:instance>&lt;![CDATA[&lt;?xml version="1.0"?&gt;&lt;ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"&gt;&lt;Error&gt;&lt;Type&gt;Sender&lt;/Type&gt;&lt;Code&gt;SignatureDoesNotMatch&lt;/Code&gt;&lt;Message&gt;The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/123456789012/test-service
Action=SendMessage&amp;amp;MessageBody=%xxxxxxxxxxxxxxxxxxx
accept:application/xml
host:xxx.yyyy.amazonaws.com
user-agent:oracle-cloud-rest/20.4.3
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20201204T022707Z

accept;host;user-agent;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20201204T022707Z
20201204/eu-west-1/sqs/aws4_request
7c71f02a943f2ecd58467e19f641e9a940d060e1b80d01a8d490c9a5d1c5bf4c'
&lt;/Message&gt;&lt;Detail/&gt;&lt;/Error&gt;&lt;RequestId&gt;6e7f6ef4-ba7b-5842-a41f-36b71ac0de72&lt;/RequestId&gt;&lt;/ErrorResponse&gt;.403 error (forbidden), usually implies a lack of permissions to access the API. You might be required to consult the target API documentation or work with the owner/administrator to resolve this issue. There may be several conditions leading to this, but the exact cause is best described by the target service authorization server. Some probable causes of 403 errors are as follows: (i) The current user is not authorized to access the resources, (ii) The access token was procured for a scope that does not cover the API being accessed, (iii) The access token expired or is not valid to access the resource any longer, (iv) The authorization server revoked access privileges to a particular resource.]]&gt;</ns2:instance></ns2:errorDetails></ns2:APIInvocationError> oracle.cloud.connector.api.RemoteApplicationAuthenticationException: Fault Details :
<ns2:APIInvocationError xmlns:ns2="http://xmlns.oracle.com/cloud/generic/rest/fault/REST/PostAWS"><ns2:type/><ns2:title/><ns2:detail/><ns2:errorCode/><ns2:errorDetails><ns2:type>http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4</ns2:type><ns2:title>Forbidden</ns2:title><ns2:errorCode>403</ns2:errorCode><ns2:errorPath>&lt;![CDATA[POST https://xxx.yyyy.amazonaws.com/123456789012/test-service?Action=SendMessage&amp;MessageBody=xxxxxxxxxxxxxxxxxxx returned a response status of 403 Forbidden]]&gt;</ns2:errorPath><ns2:instance>&lt;![CDATA[&lt;?xml version="1.0"?&gt;&lt;ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"&gt;&lt;Error&gt;&lt;Type&gt;Sender&lt;/Type&gt;&lt;Code&gt;SignatureDoesNotMatch&lt;/Code&gt;&lt;Message&gt;The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/123456789012/test-service
Action=SendMessage&amp;amp;MessageBody=%xxxxxxxxxxxxxxxxxxx
accept:application/xml
host:xxx.yyyy.amazonaws.com
user-agent:oracle-cloud-rest/20.4.3
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20201204T022707Z

accept;host;user-agent;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
xxxxxxxZ
xxx/xxxxx/sqs/aws4_request
7c71f02a943f2ecd58467e19f641e9a940d060e1b80d01a8d490c9a5d1c5bf4c'
&lt;/Message&gt;&lt;Detail/&gt;&lt;/Error&gt;&lt;RequestId&gt;6e7f6ef4-ba7b-5842-a41f-36b71ac0de72&lt;/RequestId&gt;&lt;/ErrorResponse&gt;.403 error (forbidden), usually implies a lack of permissions to access the API. You might be required to consult the target API documentation or work with the owner/administrator to resolve this issue. There may be several conditions leading to this, but the exact cause is best described by the target service authorization server. Some probable causes of 403 errors are as follows: (i) The current user is not authorized to access the resources, (ii) The access token was procured for a scope that does not cover the API being accessed, (iii) The access token expired or is not valid to access the resource any longer, (iv) The authorization server revoked access privileges to a particular resource.]]&gt;</ns2:instance></ns2:errorDetails></ns2:APIInvocationError>
at oracle.cloud.connector.impl.RESTFaultGenerator.errorResponseException(RESTFaultGenerator.java:213)
at oracle.cloud.connector.impl.RESTEndpoint.handleHttpResponse(RESTEndpoint.java:1116)
at oracle.cloud.connector.impl.RESTEndpoint.createResponseMessage(RESTEndpoint.java:837)
at oracle.cloud.connector.impl.RESTEndpoint.invoke(RESTEndpoint.java:256)
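
The fault above echoes the canonical request and string-to-sign that AWS computed, so the quickest triage is to rebuild both locally and compare them line by line. The Python below is an added example, not Oracle's or AWS's code. It reuses the path, headers, region and service printed in the fault, while the message body and the form-encoding "client" are constructed for illustration and are not the cause stated by this document. The `x-amz-content-sha256` value in the fault is the SHA-256 of an empty payload, which is why the example signs an empty body.

```python
import hashlib
from urllib.parse import quote, quote_plus

UNRESERVED = "-_.~"  # SigV4 leaves only A-Z a-z 0-9 and these unescaped

def canonical_query(params):
    """Encode names and values per SigV4 (space -> %20), then sort."""
    pairs = sorted((quote(k, safe=UNRESERVED), quote(v, safe=UNRESERVED))
                   for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)

def canonical_request(method, path, query, headers, payload=b""):
    """Build the canonical request in the layout AWS echoes in the 403 body."""
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    lines = [method, quote(path, safe="/" + UNRESERVED), query]
    lines += [f"{k}:{v}" for k, v in hdrs]
    lines += ["", ";".join(k for k, _ in hdrs),
              hashlib.sha256(payload).hexdigest()]
    return "\n".join(lines)

def string_to_sign(amz_date, region, service, creq):
    """Algorithm, timestamp, credential scope, hash of the canonical request."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])

def first_difference(local, remote):
    """Return (line_no, local_line, remote_line) of the first mismatch, or None."""
    a, b = local.split("\n"), remote.split("\n")
    for i in range(max(len(a), len(b))):
        la = a[i] if i < len(a) else None
        lb = b[i] if i < len(b) else None
        if la != lb:
            return i + 1, la, lb
    return None

# Header values and path as printed in the fault; the message body is constructed.
HEADERS = {"Accept": "application/xml", "Host": "xxx.yyyy.amazonaws.com",
           "User-Agent": "oracle-cloud-rest/20.4.3",
           "x-amz-content-sha256": hashlib.sha256(b"").hexdigest(),
           "X-Amz-Date": "20201204T022707Z"}
PARAMS = [("Action", "SendMessage"),
          ("MessageBody", "<event_type>New Contact</event_type>")]
PATH = "/123456789012/test-service"

# What the service computes vs. a hypothetical client that form-encodes the query.
SERVER = canonical_request("POST", PATH, canonical_query(PARAMS), HEADERS)
CLIENT = canonical_request("POST", PATH,
    "&".join(f"{k}={quote_plus(v)}" for k, v in PARAMS), HEADERS)

if __name__ == "__main__":
    print(first_difference(CLIENT, SERVER))
    print(string_to_sign("20201204T022707Z", "eu-west-1", "sqs", SERVER))
```

If the two canonical requests are identical, the remaining suspects are the secret key and the credential scope (date, region, service) in the string-to-sign.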

 


 

Solution

To view full details, sign in with your My Oracle Support account.
