Protecting Sensitive Data in OIC Integrations using OCI Vault
Oracle Integration Cloud (OIC) is a middleware platform that integrates data from various applications. OIC provides strong connection-level security for credentials to end systems, protecting sensitive information during integrations. However, some third-party APIs require credentials to be part of the request message or payload, and hardcoding these values in an OIC integration is a security risk.
Introducing Oracle Cloud Infrastructure (OCI) Vault’s secret management with OIC integrations allows organizations to improve the security of integrations and simplify how they manage sensitive information, making integrations safer and more efficient.
This blog will describe the use of OCI Vault and provide a step-by-step guide on securely storing credentials and effectively utilizing them in OIC integrations.
What is OCI Vault?
OCI Vault is a secret management service that helps organizations securely manage sensitive data, such as cryptographic keys and secrets. It allows for safe storage and access, protecting against unauthorized use and security breaches.
Key Features of OCI Vault
Below are some of the key features of OCI Vault:
- Key Management: Create, import, and manage encryption keys, including both symmetric and asymmetric types.
- Symmetric encryption – It uses one key for both encrypting and decrypting, which is faster and better for large data.
- Asymmetric encryption – It uses two keys, one for encryption and the other for decryption. Asymmetric keys simplify sharing because they come as a pair: a public key, which can be freely distributed to anyone, and a private key.
- Secret Management: Securely store and manage secrets such as API keys and passwords.
- Access Control: Defines who can access and manage secrets stored in OCI Vault, and what actions they can perform.
Here are some examples of access policies that can be used to manage the permissions of users and groups on OCI Vault resources:
- Allow a specific group of users to manage Vault
- Allow a user to read secrets from a Vault
- Deny all access to a specific Vault
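The three bullets above, written out as OCI IAM policy statements. This is an added illustration, not text from the original post: the group names (VaultAdmins, OICSecretReaders), the compartment name and the vault OCID are placeholders, and the `target.vault.id` condition variable should be checked against the IAM policy reference for the Vault service before use.

```text
Allow group VaultAdmins to manage vaults in compartment IntegrationCompartment
Allow group VaultAdmins to manage keys in compartment IntegrationCompartment
Allow group VaultAdmins to manage secret-family in compartment IntegrationCompartment

Allow group OICSecretReaders to read secret-family in compartment IntegrationCompartment

Allow group OICSecretReaders to read secret-family in compartment IntegrationCompartment where target.vault.id != 'ocid1.vault.oc1..EXAMPLE-placeholder'
```

The first group of statements covers "manage Vault"; the second grants read-only access to secret contents, which is all an integration needs to call GetSecretBundle. OCI IAM has no deny statements: access is denied unless a statement grants it, so the third bullet is expressed by scoping the read grant with a `where` clause that excludes the vault in question.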
Common Use Cases for OCI Vault
Below are a few use cases that we have come across working with different customers.
Use Case 1: Dynamic OAuth Token Retrieval
Many third-party applications need OAuth tokens for authentication. These applications often require credentials to be sent at the time of the token request, rather than being fixed in the setup.
Example: Some applications require credentials to be sent to a specific endpoint when requesting a token. This means organizations must securely retrieve these credentials each time they need a token.
Using OCI Vault, organizations can safely store these credentials and access them whenever needed. This approach ensures that sensitive information isn’t hardcoded into the application, reducing security risks and improving overall safety.
Use Case 2: SOAP API Credential Management
Many SOAP APIs have specific requirements for authentication that involve including credentials directly in the request. This means that the API key or username/password must be added to the request header or body instead of relying on connection-level security protocols.
Example: When integrating with a legacy SOAP service that requires credentials in the header, using OCI Vault allows the application to fetch these credentials securely at runtime. The application can dynamically pull the credentials from the vault just before making the API call, ensuring that sensitive information is not stored in the codebase or configuration files.
This approach not only enhances security but also simplifies credential management, as updates to the credentials can be made in OCI Vault without requiring changes in the application code.
Use Case 3: Access to external systems whose APIs require credentials in the payload
Example: When integrating with external systems, especially databases or third-party APIs, there are instances where credentials must be included directly in the payload of the API request. This could involve sending user credentials as part of a login request or providing access tokens to external services that validate each request.
Securing secrets in OCI Vault
Below are the key components involved in setting up OCI Vault to secure the secrets.
- Vault:
- It is a dedicated container for storing keys and secrets. Vaults are created under a specific OCI compartment.
- Define Keys:
- Defines the type of encryption key used to encrypt data in OCI Vault. AES, RSA and ECDSA are the available algorithms. OCI provides two protection modes for these keys, HSM and Software. HSM is more secure than Software, as it stores the keys in a hardware security module, while Software keeps the keys in the OCI environment.
- Storing Secrets:
- Manage sensitive data, such as passwords, API keys, and tokens, as “secrets” in the vault.
- OCI Vault automatically tracks version history for any updates to the secrets and holds the latest version as active.
- Access Policies:
- OCI provides Role Based Access Control (RBAC) via Identity and Access Management (IAM).
- Access for different users and resources is controlled through IAM policies.
- Generating API Key:
- An API key is required to access keys and their secrets. It is used to authenticate API requests, ensuring only authorized applications and users can interact with OCI Vault.
Seamlessly Accessing Your Secrets in OIC Integrations
Accessing OCI Vault secrets from an OIC integration requires two steps:
- Establish a REST Connection:
- Set up a REST connection in OIC to the OCI Vault service. The service endpoint is region-specific, in the format: https://vaults.<<region>>.oci.oraclecloud.com
- Utilizing the Connection in the integration:
- The integration can now retrieve secrets by invoking the REST endpoint, just as it would call any other REST service. The API returns the secret content Base64-encoded, and the integration decodes it before use.
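The decoding step above, worked through in Python as an added example (not code from the original post or from Oracle). It assumes the response follows the documented GetSecretBundle shape, with the secret material under `secretBundleContent.content` and `contentType` set to `BASE64`; the sample response, its OCID and the `user:password` credential are constructed placeholders. It also shows the two checks a practitioner would add around the decode: confirming the bundle carries the CURRENT stage, and logging only the secret identifier and version, never the decoded content.

```python
import base64
import binascii
import json

# Constructed sample, shaped like a GetSecretBundle response from the
# OCI Secret Retrieval API. The OCID and the credential are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "secretId": "ocid1.vaultsecret.oc1..EXAMPLE-placeholder",
    "versionNumber": 3,
    "stages": ["CURRENT", "LATEST"],
    "timeCreated": "2024-01-01T00:00:00.000Z",
    "secretBundleContent": {
        "contentType": "BASE64",
        "content": base64.b64encode(b"svc_user:S3cr3tPass!").decode("ascii"),
    },
})


def decode_secret_bundle(body: str) -> dict:
    """Parse a GetSecretBundle JSON body and return the decoded secret.

    The API returns the secret material Base64-encoded under
    secretBundleContent.content; this decodes it and keeps the version
    metadata so the caller can verify it is using the CURRENT version.
    Raises ValueError for anything other than a well-formed BASE64 bundle.
    """
    try:
        bundle = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from exc

    content = bundle.get("secretBundleContent") or {}
    if content.get("contentType") != "BASE64":
        raise ValueError(f"unsupported contentType: {content.get('contentType')!r}")

    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(content.get("content", ""), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret content is not valid Base64") from exc

    return {
        "secret_id": bundle.get("secretId"),
        "version": bundle.get("versionNumber"),
        "stages": list(bundle.get("stages", [])),
        "plaintext": raw.decode("utf-8"),
    }


def is_current_version(secret: dict) -> bool:
    """True when the bundle carries the CURRENT stage, i.e. the active
    version OCI Vault serves when no explicit version is requested."""
    return "CURRENT" in secret["stages"]


def split_basic_credential(plaintext: str) -> tuple:
    """Split a 'user:password' secret into its parts for use in an outbound
    request header or body. The password may itself contain ':' so split
    only on the first one."""
    user, sep, password = plaintext.partition(":")
    if not sep:
        raise ValueError("credential secret must be in user:password form")
    return user, password


def loggable(secret: dict) -> str:
    """What is safe to write to integration logs: identifier and version,
    never the decoded content."""
    return f"secret={secret['secret_id']} version={secret['version']}"


if __name__ == "__main__":
    secret = decode_secret_bundle(SAMPLE_BUNDLE)
    if not is_current_version(secret):
        raise SystemExit("bundle is not the CURRENT version; refusing to use it")
    user, _password = split_basic_credential(secret["plaintext"])
    print(loggable(secret), "user=" + user)
```

In an OIC integration the same logic is expressed with the mapper's base64 decode function and a switch on `stages`; the point is that the decoded value flows straight into the outbound request and is never written to a log, tracked variable or fault message.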
Conclusion
OCI Vault is an important tool for securing secrets in OCI. It helps manage keys and secrets to protect sensitive data through encryption and access control. By working with different OCI services, it makes secure application development easier and helps meet regulatory requirements. Overall, it’s essential for any organization wanting to securely manage sensitive information in the cloud.
Apps Associates is a premier enterprise applications and technology advisor, counseling and executing across every stage of the enterprise transformation journey. We have more than twenty years of experience in Oracle, specializing in data integration. For more information on OCI, OIC, and other integration options, contact us today!
References
For more information, see the Oracle documentation:
https://docs.oracle.com/en-us/iaas/Content/KeyManagement/home.htm
https://docs.oracle.com/en-us/iaas/api/#/en/secretretrieval/20190301/
API Documentation: https://docs.oracle.com/en-us/iaas/api/#/en/secretretrieval/20190301/SecretBundle/GetSecretBundle
This blog was a collaboration between Sravanthi Kodakandla, Lead Consultant and Mounika Reddy Pathuri, Senior Consultant in Business Integration & Automation Practice.