Monday, October 21, 2019

12c SOA - encryption and decryption of sensitive data

Oracle SOA Suite is used for reliable transfer of information, and it stores the whole message in the SOA_INFRA schema. Incoming and outgoing messages can be viewed in the audit trail from the EM console. That means a user who has access to the EM console can see every message coming into and going out of the middleware. Sometimes some of the information flowing through Oracle SOA Suite is very sensitive, and a SOA Suite user should not be able to see that piece of information. In this post we discuss how to meet this requirement using Oracle SOA Suite.

In the previous version of Oracle SOA Suite (11g) there was no out-of-the-box provision to encrypt and decrypt sensitive data, so a user could see all the data flowing through Fusion Middleware. In the current version, 12c, Oracle provides out-of-the-box functionality to encrypt specific fields of the message flowing through the middleware. Below is a sample encrypted message field.

In Oracle SOA 12c an encryption policy (the OWSM PII security policy, oracle/pii_security_policy, which is why the pii-csf-key credential mentioned below is needed) is attached to the composite bindings to encrypt and decrypt the message. Encryption happens at the service binding, that is, the selected fields are encrypted before the message reaches the component (BPEL or Mediator), so only the encrypted values appear in the audit trail. Decryption happens at the reference binding, that is, the fields are decrypted just before the message is sent to the target service or system. Only the fields selected by the configured XPath expressions are touched; the rest of the message stays readable.


Schema created for the encrypt composite:
<?xml version="1.0" encoding="windows-1252" ?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.orderm.org"
            targetNamespace="http://www.orderm.org" elementFormDefault="qualified">
  <xsd:element name="Orderm">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="Name" type="xsd:string"/>
        <xsd:element name="Quantity" type="xsd:string"/>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>

Create a BPEL process and configure encryption as follows:

Decrypt on the target side as follows:

Deploy and test:
Encrypted:
Decrypted in the target service:

Note:
  1. The source and target schemas should use different element names so that the XPath used for encryption and the XPath used for decryption each match exactly one field; an XPath that also matches a field that was never encrypted breaks decryption.
  2. Make sure the pii-csf-key credential exists; if it does not, the message cannot be encrypted and you will see an error message. How to create the csf-key is covered in a separate post.
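To make the mechanism concrete, here is a stand-alone Java program, added as an illustration and not taken from this post or from Oracle's policy implementation, that models what the policy does to a message: encrypt the elements selected by an XPath list at the inbound (service) side, decrypt the same elements at the outbound (reference) side, and fail loudly when the decrypt XPath also matches a field that was never encrypted (note 1 above). The class and method names (PiiFieldCrypto, transformFields, and so on) are hypothetical. It assumes AES-GCM with a key derived by PBKDF2 from a hard-coded password and salt purely so that it runs offline; the algorithm the real policy uses, how it derives its key, and how it reads pii-csf-key from the credential store are not shown on this page. The element names and the XPath /ns:Orderm/ns:Name come from the schema above; the sample message is constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.*;
import org.w3c.dom.*;

public class PiiFieldCrypto {
    private static final String NS = "http://www.orderm.org"; // namespace of the page's Orderm schema
    // Stand-in for the secret kept under the pii-csf-key credential (assumption: a real domain reads it from the credential store).
    private static final char[] CSF_PASSWORD = "change-me-in-credential-store".toCharArray();
    private static final byte[] SALT = "orderm-pii-salt".getBytes(StandardCharsets.UTF_8);
    // Derive a 256-bit AES key from the stored password with PBKDF2-HMAC-SHA256.
    static SecretKey deriveKey() throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(CSF_PASSWORD, SALT, 100_000, 256);
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(), "AES");
    }
    // AES-GCM with a fresh 12-byte nonce; the field value becomes base64(nonce || ciphertext || tag).
    static String encryptValue(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12]; new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array());
    }
    // Reverse of encryptValue. Anything that is not our ciphertext (bad base64, too short, GCM tag mismatch) throws.
    static String decryptValue(SecretKey key, String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < 12 + 16) throw new IllegalArgumentException("too short to be ciphertext; check decrypt XPath");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // Encrypt (true) or decrypt (false) the text of every element each XPath selects; ns: is bound to the Orderm namespace.
    static void transformFields(Document doc, List<String> xpaths, boolean encrypt) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String prefix) { return "ns".equals(prefix) ? NS : null; }
            public String getPrefix(String uri) { return NS.equals(uri) ? "ns" : null; }
            public Iterator<String> getPrefixes(String uri) { return Collections.singletonList("ns").iterator(); }
        });
        SecretKey key = deriveKey();
        for (String expr : xpaths) {
            NodeList nodes = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
            for (int i = 0; i < nodes.getLength(); i++) {
                Node n = nodes.item(i);
                n.setTextContent(encrypt ? encryptValue(key, n.getTextContent()) : decryptValue(key, n.getTextContent()));
            }
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, hence no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample instance of the page's Orderm schema, not a captured message.
        String inbound = "<Orderm xmlns=\"" + NS + "\"><Name>Alice Example</Name><Quantity>5</Quantity></Orderm>";
        List<String> piiXpaths = Collections.singletonList("/ns:Orderm/ns:Name");
        // Service binding: only Name is encrypted; Quantity stays readable for routing and logging.
        Document doc = parse(inbound);
        transformFields(doc, piiXpaths, true);
        System.out.println("Audit trail sees: " + serialize(doc));
        // Reference binding: the same XPath is decrypted just before the call to the target system.
        transformFields(doc, piiXpaths, false);
        System.out.println("Target receives:  " + serialize(doc));
        // Note 1 of the post: re-encrypt, then decrypt with an XPath that also matches the never-encrypted Quantity field.
        transformFields(doc, piiXpaths, true);
        try {
            transformFields(doc, Collections.singletonList("/ns:Orderm/*"), false);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            System.out.println("Over-broad decrypt XPath rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PiiFieldCrypto.java && java PiiFieldCrypto`. The first line printed is what an EM console user would see in the audit trail: Name is an opaque base64 value while Quantity is still plain, which is the whole point of encrypting only the sensitive fields. In the real product the XPath lists are configured on the policy attached to the service and reference bindings rather than passed in code, but the requirement from note 1 is the same: each decrypt XPath must select only fields that the encrypt XPath actually encrypted, otherwise the reference side fails on the first plain value it meets.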

