Introduction

Oracle Business Intelligence Cloud Connector (BICC) allows you to extract business intelligence and other data in bulk and load it into external storage destinations. For more information, refer to the official BICC documentation.

By default, the SOAP and REST API examples in the documentation use basic authentication (username and password). However, for security and compliance reasons, this method is not allowed in some environments.

This blog will show you how to configure and use token based authentication (JWT) for BICC APIs, which provides a more secure alternative.

Configuration Steps

First, log in to your Fusion Applications instance.

Step 1: Open Security Console

  • Navigate to the Hamburger Menu (top left corner)

  • Go to ToolsSecurity Console

Step1

 

Step 2: Create an External Client Application

  • Click “API Authentication

  • Click “Create External Client Application”

  • Click “Edit”

  • Enter a Name

  • Select “JWT Custom Claims” as the authentication method

  • Click “Save and Close”

 

Step2

 

Step3

Step 3: Configure JWT Claims

  • In the JWT Custom Claims Details, click “Edit”

  • In the Value for Tenant, enter your Fusion tenant name.

 

Step4

 

Generate Keys and Certificate for JWT Authentication

Now that your external client application is configured in Fusion, let’s generate the public/private key pair, X.509 certificate, and DER file needed to authenticate with BICC using JWT.

Step 5: Generate Keys and Certificate

Run the following commands in a terminal (with OpenSSL installed):

openssl genrsa -out private.key 2048

openssl req -new -x509 -key private.key -out publickey.cer -days 365

You’ll be prompted to enter certificate information. Example input:

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:CA

Locality Name (eg, city) []:LA

Organization Name (eg, company) [Internet Widgits Pty Ltd]:BICC

Organizational Unit Name (eg, section) []:BICC

Common Name (e.g. server FQDN or YOUR name) []:.

Email Address []:.

 

Step 6: Convert Private Key and Create DER File

openssl rsa -in private.key > private_key.pem

openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -nocrypt > jwt.der

cp publickey.cer pub.pem

 

Upload Certificate to Fusion

Step 7: Upload Public Certificate to FAWServiceISS

  • In Fusion, navigate to API Authenticator

  • Click on FAWServiceISS

  • Under Inbound API Authentication Public Certificates, upload the publickey.cer file

 

Step6

 

Step7

 

Java Code Setup

Before running your Java code to generate the JWT and call the BICC API, make sure you have the following:

  • jwt.der: Private key in DER format

  • pub.pem: Public key (optional if needed for validation)

  • PRN and Tenant values: These are available in the JWT Custom Claims Details section in the Security Console:

 

Step5

 

Step 8: Modify and Run the Java Code

You can now update the Java code to use the keys and configuration from the previous steps. This Java code can be found on oracle documentation. I named the file GenerateJWT.java

import oracle.security.restsec.jwt.JwtToken;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.RandomAccessFile;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
 
public class GenerateJWT
{
public static void main(String[] args) throws Exception
{
String iss =www.mycompany.com; //JWT issuer -iss attribute
String prn=<>; //JWT principalll -prn attribute
JwtToken jwtToken = new JwtToken();
//Fill in all the parameters- algorithm, issuer, expiry time, other claims etc
jwtToken.setAlgorithm(JwtToken.SIGN_ALGORITHM.RS256.toString());
jwtToken.setIssuer(iss);
jwtToken.setPrincipal(prn);
jwtToken.setType(JwtToken.JWT);
jwtToken.setClaimParameter(tenant,<>); //this will set custom claim parameters,example “tenant” is custom JWT claim with value “123456”)
//iat attribute-time when JWT was generated
long nowMillis = System.currentTimeMillis();
Date now = new Date(nowMillis);
jwtToken.setIssueTime(now);
//token expires in 10 minutes
jwtToken.setExpiryTime(new Date(nowMillis + 10*60*1000));
 
//x5t attribute,read the public key from pem format
InputStream inStream = new FileInputStream(pub.pem);
CertificateFactory cf = CertificateFactory.getInstance(X.509);
X509Certificate publicKey = (X509Certificate)cf.generateCertificate(inStream);
inStream.close();
jwtToken.setX509CertThumbprint(publicKey);
 
//for signing read private key in der format
RandomAccessFile raf = new RandomAccessFile(jwt.der, r);
byte[] buf = new byte[(int)raf.length()];
raf.readFully(buf);
raf.close();
PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(buf);
KeyFactory kf = KeyFactory.getInstance(RSA);
PrivateKey privateKey = kf.generatePrivate(kspec);
 
// sign the token with a private key
String jwtString = jwtToken.signAndSerialize(privateKey);
System.out.println(jwtString);
}
}

 

Step 9: Download Required Java Libraries

Before running the JWT generation code, you’ll need to download the following Java libraries and dependencies.

Required JAR Files:

Jackson Libraries:

Oracle Security Development Toolkit (OSDT) Libraries:

Note: These usually come with Oracle Fusion Middleware. I’m hosting these files, so you can donwload it directly without installing Fusion Middleware. They might not be available in the future.

 

Step 10: Generate JWT Token via Java

Use the following command to compile and run it with the required classpath:

java -cp “./jackson-mapper-asl-1.9.13.jar:jackson-core-asl-1.9.13.jar:jackson-core-2.10.2.jar:jackson-databind-2.10.2.jar:osdt_cert-19.3.0.0.jar.jar:osdt_restsec.jar:osdt_core-19.3.0.0.jar.jar:jackson-annotations-2.10.2.jar” GenerateJWT.java

 

Step8

Copy the token and save it.

 

Step 11: Test the BICC APIs

Once you have the JWT, you can test BICC API calls using different tools.

 

Using Postman

  • Open Postman

  • Set the request method to GET

  • Enter the API endpoint: 

    https://<fusion-host>/biacm/rest/meta/offerings

  • In the Authorization tab, choose Bearer Token

  • Paste your generated JWT token

  • Click Send

step9

Using cURL

curl –location ‘https://<fusion-host>/biacm/rest/meta/offerings’ \
–header ‘Authorization: Bearer <YOUR_JWT_TOKEN>’

Replace <fusion-host> with your Fusion instance URL and <YOUR_JWT_TOKEN> with the token you generated.

 

Using SOAP

For SOAP-based services, you will need to insert the Authorization: Bearer <TOKEN> header into the SOAP envelope. Most SOAP tools (like SOAP UI) allow you to configure headers easily.

 

Soap

 

Conclusion

Using token-based authentication improves security and aligns with modern best practices for accessing Oracle Fusion APIs like BICC. With the above configuration, you’re now ready to securely authenticate without relying on username/password credentials.