Sunday, May 10, 2020

B2B Features with OIC

During the last couple of months various new features have been introduced in Oracle Integration Cloud; one of them is B2B connectivity with OIC, which I am going to cover in this blog post.

Earlier only Oracle SOA Cloud Service provided support for B2B, and users/administrators had to enable the B2B functionality during server provisioning. With OIC, B2B is enabled by default with both the Standard and the Enterprise licence, but with limited functionality.

The new B2B feature lets you create documents and schemas as part of OIC, and currently supports only the EDI X12 protocol, with its different document versions and types.

The steps below walk through creating a B2B schema and a B2B document:

Create B2B Schema

#1. Go to the OIC home page and click B2B.

#2. Click B2B Schemas and then the Create button on the right. Provide all the details and click Create.


#3. Once the schema is created, you can edit it and save it.



Create B2B Document:
#1. Click B2B Documents and then the Create button on the right. Provide all the details and click Create.


#2. You can now select the schema created in the section above and associate it with the B2B document.



This completes the creation of a B2B schema and document in OIC.

In the next post we will look at how to integrate these B2B documents with OIC; till then, keep learning.


Wednesday, October 9, 2019

What is AWS SQS (Simple Queue Service)?

Hello Readers, I want to share what I learnt about AWS SQS.

As per the AWS documentation, Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

SQS includes key features that help in building serverless applications and microservice architectures. Let us have a look at a few of them.
  • SQS is a pull-based system: consumers poll the queue for messages
  • Decouples the components of an application
  • Acts as a buffer between producer and consumer applications
  • Supports unlimited transactions per second
  • Supports FIFO queues, which are designed to guarantee that messages are processed exactly once, in the exact order in which they are sent
  • The default retention period of SQS is 4 days, but it can be customized from 1 minute to 14 days
  • The default maximum message size SQS supports is 256 KB; messages up to 2 GB are supported using the Amazon SQS Extended Client Library for Java
Benefits of AWS SQS:
  • Provides a highly available and scalable message queuing service
  • Transmits any volume of data, at any level of throughput, without losing messages or requiring other services to be available
  • Exchanges sensitive data between applications using server-side encryption (SSE) integrated with AWS KMS
  • Scales elastically with your application, so you don't have to worry about capacity planning and pre-provisioning
What is Visibility Timeout in SQS?
The visibility timeout is the period during which a message stays hidden from other consumers after an application has received it from the queue. If the consumer does not delete the message before the timeout expires, the message becomes visible again and may be delivered once more.
The default visibility timeout for an SQS queue is 30 seconds. It can be increased according to the message processing time, up to a maximum value of 12 hours.



Monday, July 29, 2019

VPC Peering in AWS

Today I am going to share what I learnt about AWS VPC peering.


What is VPC Peering?

As per AWS documentation, "Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined.
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection)."






How to Create a Peering Connection (VPC Peering)?

Before creating a VPC peering connection we need to understand what it requires:
  1. Whether the peering is between VPCs in the same account or in different accounts
  2. If the peering connection is between different accounts, the ID of the peer account
  3. Details of the VPCs to be peered
  4. The region of each VPC to be peered
  5. Which VPC is to be taken as the requester (source) VPC
With the above details at hand, creating the peering connection is easier.

The sections below give a glimpse of VPC peering connections for the same account and for different accounts.

Creating Peering Connection in Same AWS Account:








Creating Peering Connection Across Different AWS Accounts:






Hope this will help in your learning.





Sunday, July 28, 2019

Network Security in AWS Cloud (BASTION Hosts & NAT Gateways)

While learning AWS, I always wondered how we can secure the network using bastion hosts and NAT gateways, and here are a few pointers which I jotted down.

Bastion Host

As per wikipedia.org, a bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. In simple terms, a bastion host is a proxy server placed in a public subnet that provides controlled access to a private network from an external network.

It is deployed only in a public subnet of a VPC (Virtual Private Cloud) or a VCN (Virtual Cloud Network) and acts as a bridge between the public subnet and the applications deployed in private subnets.

Bastion hosts are used to administer EC2 instances in private subnets: administrators connect to the bastion, and from there to the private instances, so the private instances themselves never need a public address.






NAT Gateway

Network Address Translation (NAT) is a method of remapping source and destination IP addresses as traffic passes between networks. NAT gateways are used to enable instances/services in a private subnet to connect to the internet or to other AWS services, while preventing the internet from initiating a direct connection with those instances/services.

NAT gateways are always created inside a public subnet. They forward outbound traffic from instances in private subnets to the internet, translating the source address to the gateway's Elastic IP, and deliver the replies back to the originating instances; inbound connections from the internet are not accepted.

Below are a few features of NAT gateways:

  1. A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps
  2. We can associate exactly one Elastic IP address with a NAT gateway
  3. A NAT gateway can support up to 55,000 simultaneous connections to a unique destination
  4. NAT gateways are not supported for IPv6 traffic—use an egress-only internet gateway instead
  5. We cannot associate a Security Group with NAT gateway.


Sunday, April 7, 2019

Key Parameters Migrating a Monolithic to Micro-services Architecture

Microservices Architecture:
Microservices are a group of loosely coupled components working together to perform tasks. The diagram below also gives a fair example of a microservices architecture.



While migrating from a monolithic to a microservices architecture, the key parameters below need to be kept in mind.
  • Loose coupling: the application we are building should be loosely coupled
  • Re-usability: application components should be reusable
  • Easy to manage: the applications built should be easy to manage and should be independent of each other
  • Security: the infrastructure and application services should be secured
  • Easily scalable: the environment should support scalability
  • Support for monitoring and reporting

Friday, July 21, 2017

Integration Security using OAuth and JWT

Integration security is an important point for any project implementation. Oracle Fusion Middleware components provide various types of security features, commonly SSL certificates, OSB service accounts, and OWSM security policies such as Username Token, SAML Token, HTTP Token etc. There are a few more security features we can use out of the box for a more secure integration design, such as OAuth and JWT security.
Before implementing OAuth and JWT, we will first understand what they are and how they contribute to integration security.

What are the OAuth and JWT security features?

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. Generally, OAuth provides to clients a "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
A JSON Web Token (JWT) is a compact token, built from JSON objects, that is a safe way to represent a set of claims between two parties. The token is composed of a header, a payload, and a signature.
The JWT is built as a string of three base64url-encoded parts in the format "header.payload.signature".
Since a JWT is built from JSON objects, the JWT header is JSON data carrying keys for the token type and the signing algorithm (in the format below):
{
    "typ": "JWT",
    "alg": "HS256"
}
In a similar way, the JWT payload is also JSON data, as below.
{
    "userId": "b08f86af-35da-48f2-8fab-cef3904660bd"
}
The JWT signature is computed with the algorithm named in the header (HS256 means HMAC with SHA-256), as below:
data = base64urlEncode( header ) + "." + base64urlEncode( payload )
signature = base64urlEncode( HMAC-SHA256( data, secret ) )

Implementing OAuth and JWT with Oracle SOA

OAuth uses digital signatures instead of sending the full credentials with each request. Digital signatures let the recipient verify that the content of the request has not changed in transit.
OAuth is an out-of-the-box security feature that can be used with Oracle SOA REST services. In Oracle Service Bus 12.2.1 we can secure services with REST endpoints by attaching OAuth OWSM policies; to do so, OWSM and the OAuth server must first be configured to secure REST endpoints with OAuth policies in Service Bus.
Note: the OAuth server configuration is described in the "Configure OAuth Server" section of the Oracle Service Bus documentation (see references).
As OAuth is an authorization feature only, it relies on JWT to secure the services themselves. The OAuth and JWT configuration with OWSM policies is described in the referenced Oracle Service Bus documentation.
After configuring the OAuth server with OWSM, we can attach the OWSM security policies to the OSB proxy and business services as below.
The oracle/http_jwt_token_service_policy or oracle/http_jwt_token_over_ssl_service_policy policies can be attached to proxy services, and the oracle/http_oauth2_token_client_policy or oracle/http_oauth2_token_over_ssl_client_policy policies can be attached to business services.

References:
https://docs.oracle.com/middleware/1221/osb/develop/toc.htm
https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
https://en.wikipedia.org/wiki/OAuth

Friday, May 12, 2017

Handle SOAP Version Mismatch issue using OSB

What is SOAP?
SOAP is a protocol specification for exchanging structured information in the implementation of web services in computer networks. Its purpose is to induce extensibility, neutrality and independence.

Difference Between SOAP 1.1 and SOAP 1.2
SOAP 1.2 can do everything that SOAP 1.1 does, and more. Below are some of the properties SOAP 1.2 has over SOAP 1.1.
  • Provides a clear processing model
  • Testing and implementation requirements lead to better interoperability
  • Based on the XML Information Set, i.e. it is specified as an Infoset which is carried from one SOAP node to another, while SOAP 1.1 was based on XML 1.0 serialization
  • Gives developers protocol independence by providing a binding framework
  • Includes an HTTP binding for better integration with the World Wide Web
  • Delivers a very well-defined extensibility model
  • Has better support for Web standards


WSDL changes observed in SOAP 1.2
  1. Namespace change: SOAP 1.2 uses the namespace definition xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"
  2. SOAP 1.2 uses "application/soap+xml" as the Content-Type, whereas SOAP 1.1 uses "text/xml".
  3. soap12:operation and soap12:binding need to be specified in a SOAP 1.2 WSDL

Use Case Scenario:
We had a requirement to create an OSB service which should first call a SOAP 1.2 web service (say service-A) and get data from it. The OSB service then needs to add the data retrieved from service-A to its request and call another web service based on SOAP 1.1 (say service-B) to process the data.
For this scenario we created an OSB service built on a WSDL which first called service-A and then service-B, but during testing we found that the calls were failing with a SOAP version mismatch, because service-B is built on SOAP 1.1 while service-A, being a newer release, is built on SOAP 1.2.
Solution
To overcome this versioning issue, we followed the steps below:
  1. Generate the OSB proxy as a message-based proxy service, based on an XSD that carries only the "body" part with the parameters required to call service-A and service-B.
  2. Create a pipeline service using the same approach as in step 1.
  3. In the pipeline service, open the message flow, add a pipeline pair and rename it as per the process standards.
  4. In the request pipeline node, add a stage and rename it as per the standards.
  5. Inside the stage, add a Service Callout, browse to the wrapper proxy service or business service of service-A, configure the Service Callout as shown in the diagram below, and assign the required message to the service-A parameters.


  6. After the above pipeline pair, add a Route node.
  7. Inside the Route node add a Routing action and configure it for the business service of service-B.
  8. In the request actions, assign or replace the body and header so that the call to the business service succeeds. The snapshot below shows the same.
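The namespace and Content-Type differences listed above are what the message-based proxy has to bridge: the payload from one service's Body must be re-wrapped in an envelope of the other version before the routing call. This added example (not part of the original post, and not OSB code; OSB does this with pipeline actions) shows that re-wrap in Python with only the standard library, over a constructed SOAP 1.2 response, and in the general direction as well, so the same function converts 1.1 to 1.2.

```python
# Added example: re-wrap a SOAP Body into an envelope of the other SOAP version.
# SAMPLE_12 is a constructed message, not a real service response.
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
# Content-Type each version expects on the HTTP request.
CONTENT_TYPE = {SOAP11_NS: "text/xml", SOAP12_NS: "application/soap+xml"}

def detect_version(envelope_xml: str) -> str:
    """Return the envelope namespace; reject anything that is not SOAP 1.1 or 1.2."""
    root = ET.fromstring(envelope_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns not in CONTENT_TYPE or root.tag != f"{{{ns}}}Envelope":
        raise ValueError("not a SOAP 1.1 or SOAP 1.2 Envelope")
    return ns

def rewrap_body(envelope_xml: str, target_ns: str) -> tuple:
    """Move the Body children into a fresh envelope of target_ns.

    Returns (xml_text, content_type). Any SOAP Header of the source message is
    deliberately dropped: headers are version-specific and, as in the OSB flow
    above, are assigned afresh in the route node for the target service.
    """
    src_ns = detect_version(envelope_xml)
    if target_ns not in CONTENT_TYPE:
        raise ValueError("unknown target SOAP version")
    body = ET.fromstring(envelope_xml).find(f"{{{src_ns}}}Body")
    if body is None:
        raise ValueError("Envelope has no Body")
    ET.register_namespace("soap", target_ns)
    new_env = ET.Element(f"{{{target_ns}}}Envelope")
    new_body = ET.SubElement(new_env, f"{{{target_ns}}}Body")
    for child in list(body):          # payload keeps its own namespace untouched
        new_body.append(child)
    return ET.tostring(new_env, encoding="unicode"), CONTENT_TYPE[target_ns]

# Constructed SOAP 1.2 message standing in for the service-A response.
SAMPLE_12 = (
    '<soap12:Envelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">'
    '<soap12:Body><getData xmlns="urn:example:serviceA"><id>42</id></getData>'
    "</soap12:Body></soap12:Envelope>"
)

if __name__ == "__main__":
    xml11, ctype = rewrap_body(SAMPLE_12, SOAP11_NS)
    print(ctype)   # text/xml
    print(xml11)
```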

