A lot of customers require all outbound connections from systems to be validated against a whitelist. This article explains the different types of whitelist that might be applied and why they are important to Oracle Integration Cloud (OIC). Whitelisting means that if a system is not specifically enabled then its internet access is blocked.
If your company requires systems to be whitelisted then you need to consider the following use cases:
In all the above cases we need to be able to make a call to Integration Cloud through the firewall, which may require whitelisting.
Typically there are two components involved in whitelisting: the source system and the target system. In our case the target system will be Oracle Integration Cloud and, if using OAuth, the Identity Cloud Service (IDCS) as well. The source system will be either the OIC connectivity agent or a source system initiating integration flows, possibly via an event mechanism.
| | Source Whitelisted | Target Whitelisted |
|---|---|---|
| Source & Target | Yes | Yes |
Only the first two are usually seen; the third is included for completeness, but I have not seen it in the wild.
When providing information to the network group to enable the whitelisting you may be asked to provide IP addresses of the systems being used. You can obtain these by using the nslookup command.
```
> nslookup myenv-mytenancy.integration.ocp.oraclecloud.com
Server:		220.127.116.11
Address:	18.104.22.168#53

Non-authoritative answer:
myenv-mytenancy.integration.ocp.oraclecloud.com	canonical name = 123456789ABCDEF.integration.ocp.oraclecloud.com.
Name:	123456789ABCDEF.integration.ocp.oraclecloud.com
Address: 22.214.171.124
```
You will certainly need to look up your OIC instance hostname. You may also need your IDCS instance hostname, which is the URL you get when logging on.
Once the whitelist is enabled we can test it by using the curl command from the machine from which we require whitelist access.
```
> curl -i -u 'email@example.com:MyP@ssw0rd' https://myenv-mytenancy.integration.ocp.oraclecloud.com/icsapis/v2/integrations
HTTP/1.1 200 OK
Date: Sun, 23 Sep 2018 23:19:44 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-ORACLE-DMS-ECID: 1234567890abcdef
X-ORACLE-DMS-RID: 0
Set-Cookie: iscs_auth=0123456789abcdef; path=/; HttpOnly
...
```
The -i flag shows the headers of the response; if there is an error, this flag lets you see the HTTP status code.
The -u flag is used to provide credentials.
In the example above we have listed all the integrations that are in the instance. If you don't see the list of integrations then something is wrong. Common problems are:
As you can see, gathering the information for whitelisting and then testing that it is correctly enabled are straightforward and don't require advanced networking skills.
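The script below is an added example, not part of the original article, that wraps the two checks described above into one run: it resolves the OIC hostname to get the addresses the network group asks for, then calls the integrations API the same way as the curl test and reports which layer failed. It assumes a Linux/macOS nslookup output format and the documented curl exit codes (6 resolve, 7 connect, 28 timeout, 35/60 TLS); the function names and hostnames are my own.

```shell
#!/bin/sh
# Added helper (not from the article): gather whitelist data and test OIC reachability.
# Usage: sh oic_whitelist_check.sh <oic-hostname> '<user>:<password>'

# Extract the resolved addresses from BIND-style nslookup output on stdin.
# Skips the "Server:/Address:" header (the resolver itself) and keeps only the
# Address: lines that follow a Name: line, i.e. the answer section.
parse_nslookup() {
  awk '/^Name:/ { answer = 1; next }
       answer && /^Address:/ { print $2 }'
}

# Map a curl exit code and HTTP status (000 when no response arrived) to the
# layer that most likely failed. Exit codes are curl's documented values.
classify_result() {
  curl_rc=$1
  http_code=$2
  case "$curl_rc" in
    0)
      case "$http_code" in
        200) echo "ok: OIC reachable and credentials accepted" ;;
        401) echo "reachable: credentials rejected, check the -u value" ;;
        *)   echo "reachable: unexpected HTTP status $http_code" ;;
      esac ;;
    6)     echo "dns: hostname did not resolve, re-run nslookup" ;;
    7|28)  echo "network: no TCP connection, source or target not whitelisted" ;;
    35|60) echo "tls: handshake or certificate failure, check for an intercepting proxy" ;;
    *)     echo "curl failed with exit code $curl_rc" ;;
  esac
}

# Resolve the host (the addresses to hand to the network group), then call the
# integrations API exactly as in the article's curl test and classify the result.
check_oic() {
  host=$1
  creds=$2
  echo "Addresses to whitelist for $host:"
  nslookup "$host" | parse_nslookup
  curl_rc=0
  http_code=$(curl -s -o /dev/null --max-time 15 -w '%{http_code}' \
                -u "$creds" "https://$host/icsapis/v2/integrations") || curl_rc=$?
  classify_result "$curl_rc" "$http_code"
}

if [ $# -ge 2 ]; then
  check_oic "$1" "$2"
fi
```

Run it from the machine that needs whitelist access, as the article's curl test is; the IDCS hostname can be checked the same way by passing it instead of the OIC host.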