One of the recent additions to Oracle Cloud Infrastructure (OCI) is IAM Domains. New OCI tenancies are provisioned with IAM Domains and at time of writing tenancies with IDCS instances are being migrated to IAM Domains.
I originally created Peek to create a visual representation of effective user permissions inside an OCI tenancy to assist with performing user access reviews. Excessive permissions and IAM misconfigurations are a common issue found in cloud environments that can lead to privilege escalation and/or unauthorised access to resources and data.
At time of writing the latest release of the OCI CLI now supports interacting with IAM Domain resources and so I have created a version of Peek that works with IAM domains.
With the recent announcement from Gartner Magic Quadrant Report, it’s no surprise that Oracle Integration Cloud (OIC) is the Leader in Data Integration.
As a result, we have seen an explosion of demand for the service over the past 12 months. What we have seen is that many customers have been reaching out to my colleague @lsiliver and myself across APAC (Asia Pacific) and we are seeing that OIC customers want observability and deeper insights into their integration processes, data pipelines, workflows, automation and services.
So, in this blog post, we will walk you through this scenario on how you can get started on achieving this.
Many customers may not be aware but we already have existing native integration capabilities for OIC with our Observability & Management platform.
Recently came across interesting use case, so thought to cover blog on that topic. One of my Customer was having issue to connect OIC to Oracle Autonomous Database (ADB) which is sitting in private subnet via Oracle Integration Cloud connectivity agent. So, I did some debugging and fix the issue and that learning I am going to cover here. I will explain here how we can setup an ATP Database in private subnet, setup all required security/firewall rules, setup OIC connectivity agent, bastion compute in public subnet and then connecting OIC to ATP DB sitting in private subnet via Connectivity agent.
In this fictitious scenario, customer HR division representative sending employee code to OIC REST endpoint to retrieve detailed information for an employee record which is been stored in Oracle ADB instance located in private subnet. Since, ADB is in private subnet it’s not accessible to outside world even app tier, and that’s where OIC Connectivity agent comes into picture to provide connectivity between OIC which is public internet and ADB database which is in private subnet.
Please refer below network architecture diagram –
Some assumptions considered –
Readers should have fair understanding about Oracle Cloud Infrastructure components such as Compartment, VCN, Public/Private Subnet, Security rules, ADB offering, IDCS/IAM, Oracle Integration Cloud etc. I will be covering solution at high level only.
High-level steps to perform this setup –
Create compartment, Setup VCN, Private and Public Subnet
Step-by-step guide discovering how to provision and build a business processwith OCI Process Automation
OCI Process Automation (shortly OPA) is an OCI PaaS Oracle Managed cloud service which helps customers to build their business processes based on Structured or Unstructured models. This is the best solution to easily manage business processes granting to business users to build their own implementations without coding but just using a web browser and drag&drop capabilities… what we usually call a “no code” environment
The article has the goal to explain how, step by step, we can quickly test the features included in OPA… starting from my experience with the tool.
Just to simplify the explanation, I will describe a “happy path” process … in my example building one business process which usually is quite loved by everyone…. mainly when talking about the Vacation Request Approvals 🙂
If you’re running workloads in Oracle Cloud Infrastructure (OCI) then it’s likely you’ll be familiar with Virtual Cloud Network (VCN) resources such as Subnets, Route Tables, Gateways etc. These software defined components allow you to build networks in OCI for you to deploy and run your workloads.
Oracle has documentation that explains VCN access and security features which include things like Security Rules, Security Zones, Local and Network Firewalls, and IAM policies. Security rules are made up of Security Lists and Network Security Groups (NSG’s) and are a foundational element of every VCN and Subnet that you create. They define what traffic is allowed in and out of your subnets and what hosts can talk to one another. When you create a subnet a Security List is automatically created with some default rules:
Default Security List Ingress RulesDefault Security List Egress Rules
When it comes to implementing network access controls, you can use Security Lists, Network Security Groups or both. They are virtual firewall features that control traffic at the packet level. I’ll be covering Network Security Group reviews in a later post as I want to focus on Security Lists, specifically how you can easily review and validate rules to ensure they align with your workload, organisational, security and compliance requirements.
In my previous post I explained how you can use Let’s Encrypt and Oracle Cloud Infrastructure (OCI) serverless functions to obtain a publicly signed SSL certificate, and automatically manage its renewal lifecycle. The solution works as expected; I have a Let’s Encrypt certificate for my website automatically renewing 30 days before expiry. If you haven’t read my previous post I’d recommend taking a look before following the setup outlined below as it covers how the solution works, and some prerequisites.
Having multiple workloads running in various OCI regions I started thinking about a more elegant way to provision certificates across multiple regions. Certificates stored in the certificate service are only available to resources in the same region and would have required a function to be deployed in each region, and for each SSL certificate required.
I’ve since updated the solution to address this requirement. It is now possible to provision certificates across multiple OCI regions using a single OCI Function application. I’ve also taken the opportunity to implement other features such as:
Loading a list of certificates you want to manage from a JSON file stored in Object Storage.
Adding support for wildcard SSL certificates.
Adding support for Subject Alternative Names (SAN) in addition to the CN name.
Adding support for the use of DNS zones and Vaults that reside in different regions to the OCI Function.
Adding support to specify which vault, and region to use for a given certificate ensures that workloads with strict cryptographic key material requirements can still benefit from this solution.
If you’ve already followed the instructions from my previous post, the solution will continue to work as described. The only limitation being that it’ll only work for a single certificate. By following the steps below you can easily upgrade to issuing multiple certificates. If you haven’t set anything up yet that’s also fine as I’ll be covering the full install again here.
Let’s Encrypt made its debut back in late 2015. It is a free Certificate Authority provided by the Internet Security Research Group. The goal was to support the adoption of SSL / TLS to ensure the privacy of information sent over the public Internet. Let’s Encrypt is now serving over 2.5M certificates per day.
If you’re reading this it’s likely you’ve had to deal with SSL certificates before. It’s also likely some of you will have investigated an outage, only to find that an SSL certificate expired somewhere that no one knew about. Certificate discovery, management, and renewal can be time consuming and not much fun.
Cloud providers have made this job easier with the introduction of certificate services that are able to issue public Domain Validation (DV) certificates. Oracle Cloud Infrastructure (OCI) currently allows you to create private Certificate Authorities (CA’s), private Certificates, and private Certificate Authority bundles. Private certificate resources are used to secure communication across a private network, where certificates can be installed and trusted to enable secure communication.
But what about publicly signed certs for users connecting over the Internet? Using a private OCI certificate will result in a “certificate not trusted” error in your web browser; this is where Let’s Encrypt comes in. I’m going to show you how to run a completely automated serverless Let’s Encrypt solution in your OCI tenancy to install and automatically renew certificates that show as trusted in your web browser.
Oracle Fusion Applications are a suite of applications built on Oracle Cloud that include cloud-based applications for enterprise resource planning, enterprise performance management, supply chain management and manufacturing, human capital management, and customer experience.
There are numerous use cases where standard object resides inside Fusion ERP needs to be extended to include more fields or completely new Custom object needs to be created.
In this blog, I will be covering how you can create a new Custom Object inside Fusion ERP and trigger transactions for that Custom object.
A Custom Purchase Order (PO) will be created inside Fusion ERP, as soon as record will be created, it triggers the event which Oracle Integration Cloud (OIC) has subscribed and get all the data, once data reached integration layer, it is invoking a Visual Basic Cloud Service Web application REST API to insert that data into VBCS application. In turn that PO can further be updated inside VBCS and send back updated information to Fusion ERP.
My Objective in this blog to show the low-level steps needed at Fusion ERP to create & publish Custom object. The Oracle Integration Cloud Integrations & VBCS assets I will not be covering in details.
Oracle Visual Builder is a cloud based UX development Platform as a Service (PaaS) offering from Oracle Cloud. It provides an open-source standards-based solution to develop, collaborate on, and deploy Web and Mobile applications within Oracle Cloud.
VBCS also provide another awesome feature called Business Objects. A business object is a resource, such as an invoice or purchase order, like a database table; it has fields that hold the data for your application. Like a database table, a business object provides the structure for data used with business processes. Business objects are stored in a database.
Business Object also get exposed through REST Endpoint out-of-box, user doesn’t need to install/configure anything other than just creating a Business Object. However, those REST API are protected and need authentication when someone want to access from outside word.
In this blog, I am listing very simple steps what’s needed if developers want to expose Business Object REST API to outside world as anonymous users.
In the world of cloud computing there are often multiple ways to achieve the same or similar result. In Oracle Cloud Infrastructure (OCI) logs are generated by the platform itself such as audit logs, OCI native services such as the Network Firewall Service, and custom logs from compute instances or your applications. These logs typically live in OCI logging where you can view them, or search them if required.
Collecting and storing logs is useful, however if you want to produce insights then you will need a way to analyse and visualise the log data. OCI Logging Analytics allows you to index, enrich, aggregate, explore, search, analyse, correlate, visualise and monitor all log data from your applications and system infrastructure.
From OCI logging there are two common ways in which logs can be ingested into Logging Analytics. The first is using a Service Connector to send logs to an Object Storage bucket, and an Object Collection Rule to then import the logs into Logging Analytics. The second option uses a Service Connector to send the logs directly to Logging Analytics. Both are valid options however require some consideration before use.