ORACLE INFORMATION SECURITY – Where It Begins, Where It Ends

Background and Introduction

Targeted cyber intrusions remain the biggest threat to government ICT systems. Since opening in early 2010, the Australian Cyber Security Centre (ACSC) has detected and responded to thousands of these intrusions. These attacks include zero-day exploits, DoS, DDoS, SQL injection, phishing, ransomware, large XML payloads and many other innovative attacks on IT systems.

You should never assume that your information is of little or no value. Adversaries are not just looking for classified information. A lot of activity observed by the ACSC has an economic focus, looking for information about Australia’s business dealings, its intellectual property, its scientific data and the government’s intentions.

The advent of cloud has challenged traditional Security Operations Centres because users are outside the traditional network boundaries and are using channels such as mobile and social. Modern IT security attacks therefore become unpredictable. They are carried out not by humans but by mobile devices or IoT botnets. These attacks are adaptive in nature and remain dormant for some time, waiting for an event to happen. These Advanced Persistent Threats (APTs) in the Kill Chain process are inevitable and unpredictable.


Teaching How to use Terraform to automate Provisioning of Oracle Integration Cloud (OIC)

In a previous blog, I explained how to treat your Infrastructure as Code by using technologies such as Vagrant and Terraform in order to help automate provisioning and decommissioning of environments in the cloud. Then, I evolved those concepts with this other blog, where I explained how to use Oracle PaaS Service Manager (PSM) CLI in order to provision Oracle PaaS Services into the Cloud.

In this blog, I am going to put together both concepts and show how simply you can automate the provisioning of Oracle Integration Cloud with Terraform and PSM CLI together.

To provision a new PaaS environment, I first create a “Build Server” in the cloud, or as my boss calls it, a “cockpit”, that brings all the required bells and whistles (e.g. Terraform, PSM CLI, Git, etc.) to provision PaaS environments. I will add all the tooling it requires as part of its bootstrap process. To create the “Build Server” in the first place, I am using Vagrant + Terraform as well, just because I need a common place to start and these tools greatly simplify my life. This way, I can also treat my “Build Server” as “infrastructure as code”, easily get rid of it after I have built my target PaaS environments, and so save some bucks in the cloud consumption model.

Once I build my “Build Server”, I will then simply git clone a repository that contains my scripts to provision other PaaS environments, set up my environment variables and type “terraform apply”. Yes, as simple as that!

This is a graphical view of what I will be doing:


Hey Dude, where’s my keys?

I was asked recently to speak at a Developer forum about ways to make life easier for developers to secure their applications in the cloud. The session was great and lots of questions were asked but perhaps the most surprising question asked was from a developer who wants to integrate a custom application with Oracle Identity Cloud. This developer needs access to the public keys used by Identity Cloud Service before a user has authenticated to the service. More importantly, the developer needs the keys represented in the JWK format. According to the specification, a JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.

There are very valid reasons why the developer needs access to the public keys without an authenticated session. Public keys let someone verify the signature on something signed with the associated private key or encrypt a message to send to you.

The developer asked: “Can I get a JWK from Oracle Identity Cloud Service without an OAuth Access Token?”

The answer is simple… YES!!! There are two important APIs available in Oracle Identity Cloud Service


What if in the middle of the conversation the user changes mind?

Bots that can survive human contact

User: "Wats PaaS?"

Bot: "Oracle Cloud Platform has the most comprehensive suite of PaaS 
solutions to help you increase business agility and drive innovation in 
the cloud. The most popular are Integration Cloud, Mobile & Chatbots and 
Blockchain"

User: "Oops! I meant SaaS"

Bot: "Oracle Cloud Platform has the most comprehensive suite of [....]

User: "Sure... See you later"

I believe machines are very good at doing repeatable and predictable tasks. Humans by nature are anything but predictable. This is why it takes a lot of work to build a Bot that can survive human contact…

This post is a deep technical dive into sub-intents, System components and how we combine them to build a dialog flow that attempts to maintain a conversation even when the user “goes off script”.


‘API life Cycle is invalid!’ Error for Oracle API CS API’s

Hi, I just thought I would post the solution for this error. When I hit this error, I searched all over the internet and couldn’t find any specific blog describing the possible cause of getting this error while invoking an API.

Let me give some background. I have created an API using Oracle API Platform Management Portal, and when I tried invoking that API using the Google Postman tool I was getting the error below:


This was a silly mistake but worth highlighting. When we create an API definition in the API Management portal, there is a tab page, “API Implementation”, which has a configuration field, “API Request”, where we need to define the API endpoint URL to which the consumer of this API will send the input request. While I was declaring that portion, I gave this URL: “api/medrec”.


Oracle API Platform Cloud Service – Installation Steps of Gateway Node

In this blog I am going to document the installation steps for the Oracle API Platform Gateway Node (version 18.1.3), which is one of the critical components of API Platform Cloud Service.

Oracle provides API Platform Cloud Service as a foundation product for API Management that covers the full API lifecycle, encompassing API Design & Documentation, API Security, Discovery & Consumption, Monetization, Analysis, etc.

Oracle API Platform comprises 3 major components, listed below, each serving a specific purpose:

Management Portal – This is used to create and manage APIs, deploy APIs to gateways, manage gateways, and create and manage applications. You can also manage and deploy APIs and manage gateways with the REST API.

Developer Portal – Application developers subscribe to APIs and get the necessary information to invoke them from this portal.

Gateway Node – This is the security and access control run-time layer for APIs. Each API is deployed to a gateway node from the Management Portal or via the REST API.

In addition to the above, Oracle also offers Oracle Apiary to quickly design, prototype, document and test APIs.

Below is the high level architecture diagram of API Platform.


Teaching How to use Oracle Load Balancer as a Service (LBaaS) to front end your APIs

In this blog, I am going to show you how to configure Oracle Load Balancer as a Service (LBaaS) to proxy/redirect traffic into multiple APIs. For the sake of this example, I am going to point to running APIs hosted on my Oracle API Gateway, as well as running on a 3rd party Cloud provider. However, you can use Oracle LBaaS to proxy traffic to any HTTP or HTTPS endpoint(s).

In this example, I am going to consume an existing API that I built some time ago that when invoked returns a random joke. In order to test it in high availability mode, I am also going to configure yet another “jokes” API that will serve as a redundant backend endpoint/API.

This is the high-level view of how Oracle LBaaS can easily enable multiple proxy/redirections to backend APIs hosted across various places:
