Secure your OIC Integration using OAuth Security Policy

Security is the key aspect in any implementation, specially when it comes to publish your API/Integration to external consumer outside of your organization.

Oracle Integration Cloud has capability to design an Integration which could be shared across internal/external Organisation. In this scenario security is paramount to protect that endpoint which will be published through OIC. By default, if your OIC Integration has REST Endpoint with Trigger role, it’s offering Basic Authentication Or OAuth 2.0 Or both Security policy.

With Invoke role there are many other flavours of OAuth grant type which I won’t be covering in this blog. I am more focused on this blog for OAuth 2.0 for OIC Rest Adapter for trigger role only.

Continue reading “Secure your OIC Integration using OAuth Security Policy”

Token Based Authentication (TBA) Policy configuration for Oracle Integration Cloud NetSuite Adapter !!!

I have been recently engaged in one assignment where I was expected to make connectivity with NetSuite to create Customer inside NetSuite. However, condition was to connect NetSuite using “Token based Authentication” only. That was Customer’s key requirement to establish secure connectivity to NetSuite.

Token based authentication needs many input parameters such as WSLD URL, Consumer Key, Consumer Secret, Token, Token Secret and Account ID.

I had to spent bit of time to work-out how to get all above parameters values and in this blog I just want to share that learning.

There is already NetSuite Connector Documentation available which describe the instructions about Token Based Authentication. This blog is just expanding that document with some additional info and screenshots.

So, let’s get started-


Before you establish connectivity from OIC to NetSuite using Token Based Policy there are certain prerequisite which you need to accomplish as listed below-

Enable Client/Server SuiteScript, REST/SOAP Suite Talk and Token based Authentication

To connect to Oracle NetSuite, you must have registered with Oracle NetSuite and enabled key features (such as SOAP and REST web services) on your Oracle NetSuite instance.

1. Visit to register with Oracle NetSuite. Ensure that you obtain an account with administrator privileges.

2. Enable connection-related features on your Oracle NetSuite instance.

a. On your NetSuite home page, select Setup, then Company, and then Enable Features.

b. Click the SuiteCloud subtab.

c. In the SuiteScript section, check the following boxes:

i. CLIENT SUITESCRIPT. Click I Agree on the SuiteCloud Terms of Service page.

ii. SERVER SUITESCRIPT. Click I Agree on the SuiteCloud Terms of Service page.

d. In the SuiteTalk section, check the following boxes:

i. SOAP WEB SERVICES. Click I Agree on the SuiteCloud Terms of Service page.

ii. REST WEB SERVICES. Click I Agree on the SuiteCloud Terms of Service page.

e. In the Manage Authentication section, check the TOKEN-BASED AUTHENTICATION box. Click I Agree on the SuiteCloud Terms of Service page.

You must enable the TBA feature if you want to use the TBA authentication policy to connect to Oracle NetSuite from external applications.

f. Click Save.

Create an Integration Role with Token-Based Authentication (TBA) Permissions

Create a new role and assign TBA permissions along with other necessary permissions (specific to your integration) to it. You’ll assign the Oracle Integration user account—which you’ll subsequently create—to this role.


As a best practice, avoid using the Administrator and Full Access roles/users in Oracle NetSuite connections that use the TBA security policy.

To create a new role:

1. On the NetSuite home page, select Setup, then User/Roles, then Manage Roles, and then New.

2. On the Role page:

a. Enter a name for the role, for example, Oracle Integration Role.

b. In the CENTER TYPE drop-down field, select System Administrator Center.

c. In the Subsidiary Restrictions section, select All. For information on subsidiary restrictions, see Restricting Role Access to Subsidiaries.

d. On the Permissions tab, To provide TBA permissions to the new role, you must add the User Access Token permission to the role with full access. This permission is present on the Setup subtab under the Permissions tab.

You can add other permissions to the role depending on the tasks you want to allow the users assigned this role to perform. For any custom role, you must specifically add the SOAP web services permission with the Full level. See Assigning the SOAP Web Services Permission to a Role.

e. After you’ve added all the necessary permissions, click Save to create the new role.

Create a User Account for Oracle Integration

Create a user account for Oracle Integration and assign this account to the Token Base Authentication role “OracleIntegrationRole” you created previously. You’ll use the credentials associated with this user account to connect to NetSuite from Oracle Integration.

follow the procedure provided here:

1. On the NetSuite home page, select Lists, then Employees, then Employees, and then New.

2. On the Employee page:

a. In the NAME fields, enter a first name and last name for the user, for example, Integration User05.

b. In the EMAIL field, enter a valid email address.

c. In the SUBSIDIARY drop-down field, select a subsidiary of your choice.

d. Scroll down and click the Access tab to perform additional configurations.


ii. In the PASSWORD field, enter a password for the user account.

iii. Re-enter the password in the CONFIRM PASSWORD field.

iv. To assign this user to the “OracleIntegrationRole“ TBA role created previously:

• With the Roles subtab selected, select the TBA role from the ROLE drop-down field; for example, Oracle “OracleIntegrationRole”.

• Click Add.

e. Click Save to create the new user record.

Create an Integration Record for Oracle Integration

Before you can create and assign API tokens (for TBA) to a user account, you must create an integration record for the application that will use this user account to access NetSuite.

Create an integration record for the Oracle Integration application.

1. On the NetSuite home page, select Setup, then Integration, then Manage Integrations, and then New.

2. On the Integration page:

Enter a name for the integration record, for example, “ExtIntegrationApp”

a. Optionally, enter a description for the record.

b. Leave the Enabled option selected in the STATE drop-down field.

c. On the Authentication tab:

i. Leave the TOKEN-BASED AUTHENTICATION check box selected.


d. Click Save.

The confirmation page displays the client credentials for this integration record or application.

Create an Access Token for the User Account

Create and assign an access token to the Oracle Integration user account.

1. On the NetSuite home page, select Setup, then User/Roles, then Access Tokens, and then New.

Note: “Access Tokens” page was not appearing before, only when I executed “Enable Client/Server SuiteScript, REST/SOAP Suite Talk and Token based Authentication” section as per this document then only “Access Token” page appears.

2. On the Access Token page:

a. In the APPLICATION NAME field, select the integration record created previously e.g. “ExtIntegrationApp”

b. In the USER field, select already existed Oracle Integration’s user account e.g. “rn13manish”

c. In the ROLE field, select the appropriate Token Base Authentication role e.g. “OracleIntegrationRole”

d. Leave the TOKEN NAME field unchanged.

e. Click Save.

The confirmation page displays the token values for the user account.

3. Note down the Token ID and Token Secret values. You’ll use these credentials to connect to NetSuite from Oracle Integration.

Make a Note of the NetSuite Account ID

Along with other credentials, you’ll require the NetSuite Account ID to connect to NetSuite from Oracle Integration.

To view your account ID:

1. On the NetSuite home page, select Setup, then Integration, and then SOAP Web Services Preferences.

2. Note down the Account ID displayed at the top of the page.

3. Click Cancel to exit the page.

Assemble the Oracle NetSuite WSDL URL

You need to draft the NetSuite WSLD using below technique –

Sample URL



So, In above URL you need to replace two things 1) Your NetSuite Instance URL and NetSuite Application Version.

To get those value follow the below steps.

NetSuite Instance URL

Navigate to Setup >> Company >> Company Information >> Get Suite Talk URL


Get NetSuite Version –

Login to NetSuite Instance and bottom of home page you can see version –

e.g., 2021.2, now you need to convert this to this v2021_2_0

Final URL –

Now you just replace above two values in final URL –


Once you WSDL are ready, make sure you test in browser and it should open –

OIC Connection to NetSuite Using Token Based Authentication

Once all parameters values such as WSLD URL, Consumer Key, Consumer Secret, Token, Token Secret and Account ID are ready then make connection to NetSuite using NetSuite Adapter from OIC Home Page >> Integration >> Connection

Once connection is established, you can perform any CRUD operation for any business object as per your option available. In my case I did create Customer inside NetSuite by posting a JSON payload via REST Adapter to NetSuite Adapter.

Note: The role what you using to communicate to NetSuite e.g. in my case it was “OracleIntegrationRole” must have given permission to particular business object such as “Customers”, otherwise your integration will be keep failing and will give below error message –


“Status” : {

“IsSuccess” : “true”,

“Type” : “ERROR”,


“Message” : “Permission Violation: You need the ‘Lists -> Customers’ permission to access this page. Please contact your account administrator.”,

“FaterSubmittedFailed” : “”


“ContactRef” : {

“InternalId” : “”,

“ExternalId” : “”,

“Name” : “”,

“Status” : “false”



In order to fix above error. Make sure you give “Customer” and “Customer Profile” permission to “OracleIntegrationRole” role.

Here is my OIC Integration.

Here is my mapping.


There could be some mandatory field for the object what you trying to create inside NetSuite, so first try creating object directly using NetSuite frontend with minimal fields which will give you idea what are the mandatory fields needed for that object.

Once above JSON got posted and I got success reply, you can further login into NetSuite to validate whether that particular Customer got created or not. In my case its absolutely got created.

Happy Blogging 🙂

CI/CD working with EiPaaS Oracle Integration (OIC)

Everyone is aware of the continuous integration and continuous development relevance which is nowadays the mantra of DevOps practices.

Oracle Integration is obviously part of the end2end lifecycle development being involved for connecting legacy applications usually deployed on-premise and SaaS applications often provided by Oracle Cloud or hosted on other Cloud providers.

It doesn’t matter where the applications are, where the integration is; the continuous delivery of new integration processes and versions need to be included in a smart and automated tool able to reduce the gap between the different developer teams.

Developers, who have the ownership to build new services and IT Operators, who have the task of deploying new code versions to the different environments, need to converge on one single tool to simplify complex procedures that can be simply considered as two sides of the same coin.

The common need is to keep all environments aligned with the latest implementations, possibly having everything monitored and tracked to grant audit activities in terms of compliance; this is a must when the project is starting to become critical and relevant at the enterprise level.

Oracle Integration (OIC), as you know, includes Visual Builder Cloud Service which allows open-source standards-based integration to develop, collaborate on, and deploy applications within Oracle Cloud.

Just for this, it’s easy to use Visual Builder Studio, the built-in tool, that allows developers to manage the software life cycle automating the development.

Oracle VB Studio natively supports Oracle Integration artifacts, so we can leverage this one to easily promote our integration flows from an environment to another one moving for example our integration projects from development to test environment once you we completed the new implementation and of course ready to test it.

That’s the right path to be used for promoting projects from Test to Production or from Production to a DR environment, this one probably running on a different OCI Region.

Working with the current implementation you can:

  • Export integration flows
  • Import integration flows
  • Delete integration flows

As shown below in the picture, the options we have working with Oracle Visual Builder Studio and OIC

Herewith an example of pipeline that you can easily configure to automate the Export / Import procedure and defining in cascade all steps (“jobs”) to define the required actions, of course this one below just for demo purposes. This procedure will be later explained step-by-step just in case you want to reproduce this one for your own purposes

In order to export our assets from the development environment, for example, it’s enough to configure our source and target environments about the OIC instances

How to configure our OIC environments?

This is a straightforward operation working with VB Studio, as shown below:

We can create all connections we need to configure properly the tool

Once we have configured our instances, we need to build our “pipeline” so to automate the procedure when needed

Each pipeline can include all “jobs” we need (in the previous screenshot we have used two different jobs “select your OIC project” and “import OIC project”) so to build the right chain among the different available “jobs”

To create a job, select the Build link from the left panel of the Visual Builder studio and then we can create a new job

Each job has some options and parameters to be configured as below the screenshot shows:

Select the “Parameters” tab to configure the string parameter:

The “Default Value” is the value of the integration flow version on our OIC instance to be selected and moved to the new instance. Of course, this value can be changed when we run the build so to properly set the right integration flow version

Now it’s time to select the “Steps” tab to identify the OIC instance from where we want to export our integration flow

If needed, we can also include the asserter recording just flagging the box. In this case we are moving (exporting / importing) the integration flow named “ECHO” and working with its *.iar file once we have exported this one.

Now you can click the “After Build” tab to configure it as below described. The *.iar extension is the default extension of the integration flow when you decide to download it.

Click save and that’s all. Our first job is properly configured now.

To proceed we are now ready to configure the second job (“import OIC project”).

In this case, the first step to be accomplished is the configuration of the “Before Build” tab as below shown and adding a “Copy Artifacts” option

And now, as we did with the first job, we can properly configure the OIC instance target, in our sample, but in this case for the import action.

We can also check the box about the “activate integration” option so that our integration flow will be imported and started just to have this one ready to be invoked by applications

Also, in this case, we can now save our configuration.

Once these operations have been completed, we are ready to test our pipeline selecting the start button on the right side of the web page and below shown

If the execution of our “build” is properly configured, we can see the “green flag” of our jobs once we run it

Furthermore, we can drill down the execution to look at the log information just in case something wrong having also the chance to download the file including the log for further analysis or if we need to share this one with other people or applications.

From the Visual Builder Studio “Home page” we can also get information about statistics and previous executions so to track the activities managed on the different resources we have

This is for sure the best way to properly manage our environments and the best approach to have under control the lifecycle of our projects and their deployment.

For further information, look at the really interesting content already published here:

Oracle Blog

Oracle Documentation:

OIC Log Management with VB Studio, OCI Bucket and OCI Logging Analytics

Sadly log file identifier icsdiagnosticlog has been deprecated from late November 2020. icsflowlog, icsauditlog are still available so you should be able to apply the same pattern used in this blog to manage your OIC instance log file.

I would like to show how OIC log management can be achieved with OCI Object Storage (I’ll call it bucket) and OCI Logging Analytics, Visual Builder Studio (used to be Developer Cloud, I’ll call it VB Studio).

Interestingly I’m not going to use OIC to download log files, either to ingest log data from OCI Object Storage.  VB Studio will be my tool to do sourcing log files and feeding it to bucket – I’ll be taking advantage of unix shell and oct-cli from VB Studio. Then OCI Logging Analytics will ingest log data from bucket based on cloud event.

Continue reading “OIC Log Management with VB Studio, OCI Bucket and OCI Logging Analytics”

Triggering an OIC integration via OCI Events – the Notifications Service Approach

Do you want to trigger an Oracle Integration Cloud (OIC) integration as soon as a file is uploaded to OCI Object Storage?

This event driven approach allows you to respond to state changes in Oracle Cloud Infrastructure (OCI) in real-time, removing the need to poll Object Storage buckets on a predefined schedule. In a two-part blog series, I will explore how you can achieve this event-driven pattern with OIC. As the name suggests this blog will capture the Notifications Service Approach, while part 2 will provide a guide to using OCI Functions to achieve the same outcome.

Continue reading “Triggering an OIC integration via OCI Events – the Notifications Service Approach”

Invoking Oracle PaaS service APIs protected by OAuth

Oracle PaaS services are typically protected by Identity Cloud Service (IDCS), which provides unified access management for the Oracle Cloud. This protection extends to their exposed APIs, which usually require you to present a valid access token as part of your invocation. Unfortunately, the documentation for a number of the services tends to assume that the reader has an in-depth knowledge of OAuth concepts, and IDCS operations.

Typically my blog posts are around specific proof of concept things I have been working on, or go in-depth into more advanced IDCS concepts, but I have realised (mostly because people kept asking me…) that many developers using these services don’t have a strong practical understanding of OAuth, and struggle to interpret the documentation around the authentication requirements for the services. This blog post is designed to provide a step by step explanation of what is required from an IDCS perspective, as well as an explanation of the techniques to obtain a an access token to use the service APIs.

A non-exhaustive list of PaaS services for which these instructions are applicable:

  • Oracle Integration Cloud
  • Oracle Blockchain Platform
  • Oracle API Platform Cloud Service
  • Oracle Mobile Hub
  • Oracle Digital Assistant
Continue reading “Invoking Oracle PaaS service APIs protected by OAuth”

Retrieve Custom Fields from NetSuite using Oracle Integration Cloud NetSuite Adapter !!!

This blog is showcasing very specific use case related to NetSuite Custom Field retrieval and how we accomplish that using Oracle Integration Cloud NetSuite Adapter.

In this example we will be retrieving custom fields values e.g. birthDt from NetSuite by passing specific Customer Id. It may sound very easy but it was bit complex to deal with because the way how NetSuite was responding Custom Fields values using NetSuite Adapter.

Here is the use-case diagram –


In my previous blog I have already shown all the configuration which needs to be done to connect to NetSuite using Oracle Integration Cloud NetSuite Adapter and deal with NetSuite Custom fields. Hence, this blog will just focus on specific mapping challenges which I have faced initially during implementation.

Continue reading “Retrieve Custom Fields from NetSuite using Oracle Integration Cloud NetSuite Adapter !!!”

%d bloggers like this: