
October 26, 2020

Security Improvements for Database & FTP Adapters

Michael Meiner
Engineering Director

Overview

Oracle Integration (OIC) has a rich set of security capabilities to enable our customers to connect applications and technologies in a secure manner. We continue to enhance Oracle Integration to provide additional security settings and functionality. In the November 2020 release, Oracle Integration offers new security-related functionality for the Database and FTP adapters.

The features discussed here include:

  • Integration with ATP Serverless configured with Private Endpoint
  • Support for Wallet based authentication with privately hosted databases
  • Automatic Database Wallet and Password refresh
  • Message payload security capabilities with privately hosted SFTP servers

Two of these features involve use of the Oracle Integration Connectivity Agent. Using the connectivity agent, you can create hybrid integrations and exchange messages between applications in private or on-premises networks and Oracle Integration.

1. Integration with ATP Serverless configured with Private Endpoint

Autonomous Database (ATP) is becoming more widely adopted, along with its use within integration flows using OIC. When configuring your Autonomous Database, you can specify that it use a private endpoint within your VCN in your tenancy. This allows you to keep all traffic to and from your Autonomous Database off of the public internet. When using the ATP adapter in Oracle Integration to connect to an ATP instance using a private endpoint, you need to set up the connectivity agent. Inside the connection details for the ATP adapter, there are two options for security: JDBC Basic Authentication and JDBC over SSL. When selecting JDBC over SSL, you are prompted to enter the wallet and wallet password. Prior releases of Oracle Integration did not allow you to use the JDBC over SSL (wallet) option with the connectivity agent. In addition, the Username-token policy is not supported by ATP Serverless. This meant that there was no option for integrating OIC with ATP-S through the connectivity agent.

This enhancement now offers support for connecting to ATP-S configured with a Private Endpoint.


This figure shows the connections page for ATP. The wallet and password are specified along with the DB service username and password. A connectivity agent group is specified for connecting to ATP-S with a Private Endpoint. In addition, the connectivity agent was downloaded and deployed in the network that has access to the ATP-S instance.

2. Support for Wallet based authentication with privately hosted databases

In prior releases, when connecting to a privately hosted database using one of:

  • Autonomous Database - Dedicated (Oracle Autonomous Transaction Processing - Dedicated, Oracle Autonomous Data Warehouse - Dedicated)
  • Oracle Database Cloud Service

using the connectivity agent, the only supported security option was JDBC Basic Authentication. In the November release, you can also specify JDBC over SSL. This allows you to connect to a privately hosted cloud database and leverage wallet-based authentication.

Note that this is similar to #1 above for ATP-Serverless. The difference is that JDBC Basic Authentication is not supported by the ATP-Serverless database itself, whereas Basic Authentication is supported for ATP-Dedicated and Database Cloud Service.

3. Automatic Database wallet and password refresh

Oracle Wallet can be used to securely store your database credentials. Wallet rotation provides the ability to create a new wallet and invalidate the existing wallet. You may want to rotate wallets for the following reasons:

  • If your organization's policies require regular client certification key rotation.
  • When a client certification key or a set of keys is suspected to be compromised.

When the wallet is rotated or expires (or, if using Basic Auth, when the database password is changed), a corresponding change is required in the Oracle Integration connection for that database. Once the connection is modified in Oracle Integration, you then need to de-activate and re-activate the integrations that use that connection. This can sometimes mean hundreds of integrations that need to be re-activated, which is very impractical.

With our November 2020 release it is no longer necessary to de-activate and re-activate the integrations. Instead, at runtime, when the integration detects that the credentials have been updated, a session refresh occurs that fetches the new credentials. You simply update the credentials in your OIC connection, and there is no longer a need to re-activate the integrations using that connection.

Note that it is advisable to update the OIC connection with the new credentials soon after updating the credentials in the database, and to make these changes during a period when you don't expect integrations to run. This minimizes the possibility that integrations run after the credentials are changed in the database but before they are applied to your connection in OIC.
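As an added illustration of the runtime session-refresh behaviour described above (a constructed model, not Oracle Integration's own code; `FakeDatabase`, `ConnectionStore` and `RefreshingSession` are hypothetical names), this simulates a wallet or password rotation, the one-time credential refresh that replaces re-activation, and the window in which the connection has not yet been updated:

```python
"""Model of credential refresh after a wallet/password rotation.

Constructed illustration: the store plays the role of the OIC connection
definition, the fake database validates the presented secret, and the
session re-reads the store once on an authentication failure.
"""
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised by the fake database when the presented secret is stale."""


@dataclass
class FakeDatabase:
    """Accepts only the current secret; rotate() invalidates the old one."""
    secret: str

    def rotate(self, new_secret: str) -> None:
        self.secret = new_secret

    def query(self, secret: str) -> str:
        if secret != self.secret:
            raise AuthError("wallet or password no longer valid")
        return "ok"


@dataclass
class ConnectionStore:
    """Stands in for the OIC connection holding the wallet/password."""
    secret: str


@dataclass
class RefreshingSession:
    """Caches credentials; on AuthError refreshes them once and retries."""
    db: FakeDatabase
    store: ConnectionStore
    refreshes: int = 0
    _cached: str = field(default="", init=False)

    def run(self) -> str:
        if not self._cached:
            self._cached = self.store.secret
        try:
            return self.db.query(self._cached)
        except AuthError:
            # Credentials changed at the database: re-read the store and
            # retry once. A still-stale store (the window noted above) fails.
            self.refreshes += 1
            self._cached = self.store.secret
            return self.db.query(self._cached)
```

The second `run()` after rotating both sides succeeds with exactly one refresh; rotating the database alone shows the failure that the advice about timing is meant to avoid.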

4. Message payload security capabilities with privately hosted SFTP servers

When integrating with an FTP server that is hosted on-premise behind a firewall, you configure a connectivity agent in Oracle Integration in order to establish connectivity. In prior releases, there were certain security-related options which were not available when using the FTP adapter with the connectivity agent. In particular:

  • Encrypting the message payload
  • Decrypting the message payload
  • Signing the message payload
  • Verification of signed message payload

The screenshot here shows the settings for encrypting and decrypting the message payload using PGP. There are similar settings for signing and verification. These settings can now be used with the connectivity agent for connecting to privately hosted SFTP servers.

Summary

The features described here extend Oracle Integration security capabilities by providing additional options in the Database (ATP, ADW, Database Cloud Service) and FTP adapters. Oracle Integration continues to invest heavily in security features in the adapters, to provide our customers with the ability to connect applications and technologies as securely as possible. We hope you will be able to take advantage of these new features for your database and FTP server connectivity.
