Encrypt Data in Oracle Integration Cloud using OCI Vault Service
In one of my previous blogs, I talked about storing the payload in a database. To demonstrate the end-to-end steps there, I had saved the payload in clear text. While the database has features to control access to these tables, a better approach is to encrypt this payload. Encryption and decryption is a very common requirement in integration projects. Today we will see how to call the OCI Vault service and its APIs from Oracle Integration Cloud to perform this task.
OCI Vault
Before we jump into OIC, let's first create a key in OCI Vault. Log into your OCI tenancy and, under Identity & Security, go to Vault.
Click Create Vault.
In case you do not have access, ask your administrator to grant your user group the appropriate policies as detailed in the documentation.
Next, in the wizard, provide a name as per your naming convention and click Create Vault.
Once the Vault is created, create your first Master Encryption Key by clicking Create Key.
Here provide the key's Name and Algorithm, then click Create Key.
OCI Vault supports importing your own key or generating one; I have chosen the second option. The supported algorithms are AES, RSA and ECDSA; for encrypting and decrypting our payload we need AES.
Before we go into OIC to use this key for encryption, we need to copy the following information. Copy it now, or come back to OCI Vault later and copy these values:
1) Cryptographic Endpoint
2) Encryption key OCID
The OCI Vault service provides extensive APIs that can be used by third-party systems. The API reference can be found in the documentation.
OIC Recipe Encrypt Decrypt Data
Now let's log into OIC, where we will take advantage of one of the recipes that uses the OCI Vault service to encrypt and decrypt data. Log into Oracle Integration Cloud, find this recipe and install it in your environment.
Let's configure this recipe. As you can see, it has two connections:
1) Oracle REST Connection: used for the trigger.
2) Oracle OCI Vault Connection: used to call the OCI Vault API.
Let’s edit the Oracle OCI Vault Connection.
In Connection URL, provide the Cryptographic Endpoint we copied earlier from the OCI Vault screen. For the security policy we will use the OCI Signature Version 1 policy. Please refer to this blog for a step-by-step guide on how to set it up.
Once it is set up, save and test it.
Now that the recipe connections are done, there is one lookup in this recipe that we need to configure.
After configuring and saving the lookup, you will notice there are two integrations in this recipe: one to encrypt the data and the other to decrypt it. Go ahead and activate both. You can go to Design -> Integrations, find these integrations and not only view but also modify them. For my use case the recipe meets the requirement completely, so no modification is needed.
Oracle Integration calling Recipe Integration
Now that our recipe has been configured, let's use it in one of the integrations. I will take you back to my previous blog, where I was storing the payload as plain text in an Oracle ATP database table. Now we will pass and store encrypted data.
A quick refresher: in this integration we had used Stage File to save the payload as-is in opaqueElement before inserting the data into the database table.
Now we will introduce the step to encrypt this data right before invoking the database. From the Actions menu on the right, drop the Integrations action after the Stage File (ReadOpaque) action.
This opens the Integration Adapter wizard; in Basic Info, provide a name.
Next, in Select Integrations, choose Oracle Encrypt Data. Note that only activated integrations are listed here, so ensure the recipe integration has been activated.
It has only one operation, Post; select it. Review the summary and click Done.
Now our integration looks like this; we have a mapper for the EncryptPayload integration to edit.
In the mapper, we pass our payload, which comes from the StageFile-ReadOpaque activity in opaqueElement. As we saw in the earlier post, this value is base64-encoded, so we use the decodebase64 function here. This is specific to my use case: the EncryptData integration just needs plain text, and decodebase64 turns the opaqueElement content back into plain text.
Finally, map opaqueElement to PlainText in the target.
Now that the mapper sending data to the EncryptData integration is set up, we will update the mapper that inserts records into our ATP table.
It used to send the payload from Stage File, but now we pass the encrypted data coming out of the EncryptData integration. So in our mapping we have mapped the EncryptPayload response, and the element we mapped is Cipher Text to the payload element in the database table.
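The mapping just described and the OCI Signature Version 1 policy from the connection setup, as an added Python example that is not part of the original post or of the Oracle recipe: it decodes the base64 opaqueElement the way decodebase64 does, builds the Vault Encrypt request body (the Vault API takes the plaintext base64-encoded, so the recipe has to encode it again), reads the Decrypt response, and assembles the Signature Version 1 Authorization header that the OIC connection produces behind the scenes. The placeholder endpoint and OCIDs, the API version path 20180608, and the injected sign() callable (RSA-SHA256 with the user's API key, e.g. via the cryptography library, since the standard library has no RSA) are assumptions.

```python
import base64
import hashlib
from email.utils import formatdate
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Header order OCI Signature Version 1 uses for a POST carrying a JSON body.
POST_HEADERS = ["date", "(request-target)", "host",
                "content-length", "content-type", "x-content-sha256"]

def plaintext_from_opaque(opaque_element_b64: str) -> str:
    """What decodebase64() in the OIC mapper yields from the Stage File opaqueElement."""
    return base64.b64decode(opaque_element_b64, validate=True).decode("utf-8")

def encrypt_request(key_ocid: str, plaintext: str) -> Dict[str, str]:
    """Body for POST <cryptographic endpoint>/20180608/encrypt. The Vault API
    expects `plaintext` base64-encoded, so the plain text is encoded again here."""
    return {"keyId": key_ocid,
            "plaintext": base64.b64encode(plaintext.encode("utf-8")).decode("ascii")}

def plaintext_from_decrypt_response(response: Dict[str, str]) -> str:
    """The /decrypt response returns `plaintext` base64-encoded as well."""
    return base64.b64decode(response["plaintext"]).decode("utf-8")

def oci_signature_v1_headers(method: str, url: str, body: bytes, key_id: str,
                             sign: Callable[[bytes], bytes],
                             date: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Build the Authorization header for OCI Signature Version 1 on a POST.
    key_id is "<tenancy OCID>/<user OCID>/<API key fingerprint>"; sign() must
    return an RSA-SHA256 (PKCS#1 v1.5) signature made with that user's private
    key (assumed injected). The signing string is returned too, which helps
    when debugging a 401 NotAuthenticated from the Vault endpoint."""
    parsed = urlparse(url)
    target = parsed.path + (f"?{parsed.query}" if parsed.query else "")
    headers = {
        "date": date or formatdate(usegmt=True),
        "host": parsed.netloc,
        "content-length": str(len(body)),
        "content-type": "application/json",
        "x-content-sha256": base64.b64encode(hashlib.sha256(body).digest()).decode("ascii"),
    }
    lines = [f"(request-target): {method.lower()} {target}" if h == "(request-target)"
             else f"{h}: {headers[h]}" for h in POST_HEADERS]
    signing_string = "\n".join(lines)
    signature = base64.b64encode(sign(signing_string.encode("utf-8"))).decode("ascii")
    headers["authorization"] = (
        f'Signature version="1",keyId="{key_id}",algorithm="rsa-sha256",'
        f'headers="{" ".join(POST_HEADERS)}",signature="{signature}"')
    return headers, signing_string
```

The ciphertext string in the Encrypt response is what the database mapper stores as-is; sending it back in `{"keyId": ..., "ciphertext": ...}` to the /decrypt path returns the base64 plaintext read by `plaintext_from_decrypt_response`.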
Testing the Integration
Now that we have completed this integration, let’s activate and test it.
This time I can see that the payload saved in the ATP database is encrypted.
If we want to decrypt it, we can use the other integration in the recipe, i.e. Oracle Decrypt Data. I will leave that for you to test; I can assure you it works as flawlessly as this one.
Conclusion
Encrypting and decrypting data is a common requirement. Oracle Cloud Infrastructure provides the OCI Vault service, which manages keys and exposes APIs that can be used for this task. Other methods are available, and in some cases this might not be the most efficient way because of the multiple API calls involved, but it is a simple way to achieve the task where it meets your requirement.
And OIC provides a recipe that you can easily configure and use in any of your integrations. While recipes are editable, in this case I did not have to make any modifications as it met my requirements completely.
I have used Oracle Integration 3 here for my screenshots. If you are currently using Oracle Integration 2, you can follow the exact same steps to achieve the goal.
Expert on || OIC || SOA || OSB || SQL || Agile Methodologies
8 months: Thank you, helpful. But I have a query: how will the key be used by some other application to send encrypted data into our OIC integration?
Technology Leadership. Enterprise and Cloud Architecture, Emerging Technologies, Pre-sales
2 years: Thanks Harris Qureshi, very helpful.
Technology Architect @ Oracle | Helping Customers Realize Digital Goals with Oracle Cloud ERP, SCM, OCI, Gen AI, PaaS, SaaS | TOGAF 9 Certified Enterprise Architect
2 years: Good one, but I feel the process of importing external keys into OCI Vault needs to be simplified.