Work in progress...
Overview
This blog covers a secure and scalable design pattern in Oracle Integration Cloud (OIC) where:
- Incoming payload is AES encrypted and RSA signed
- Keys are fetched from OCI Vault
- Cryptographic operations are handled via OCI Functions
- Response is encrypted before sending back
Updated Architecture
We use a modular integration design:
Main Integration (1)
↓
Crypto Integration (2)
↓
OCI Functions
- Function 1: AES Encrypt/Decrypt
- Function 2: RSA Sign/Verify
End-to-End Flow
Step 1: Receive Request (Main Integration - 1)
- Expose REST API
- Input contains:
  - Encrypted payload (Base64)
  - Signature
➡️ Call Crypto Integration (2) for processing
Step 2: Crypto Processing (Integration - 2)
This integration acts as a central reusable crypto layer.
2.1 Fetch Keys from OCI Vault
- Retrieve:
  - AES Secret Key
  - RSA Private/Public Keys
- Use secure REST call / OCI SDK
Ensures no key is hardcoded in OIC
2.2 Call OCI Function – Decrypt
- Pass encrypted payload + key reference
- Function performs:
  - Base64 decode
  - AES decryption
Returns: Plain payload
2.3 Call OCI Function – RSA Verify
- Pass payload + signature + public key
- Function validates signature
Condition:
- Valid → proceed
- Invalid → throw fault
Step 3: Return Decrypted Data to Main Integration
- Crypto Integration sends verified plain payload back
Step 4: Business Processing (Main Integration - 1)
- Transform data
- Call target system
- Receive response
Step 5: Encrypt Response
Main Integration again calls Crypto Integration (2)
5.1 Call OCI Function – AES Encrypt
- Encrypt response payload
- Base64 encode
No RSA signing required for response
Step 6: Send Response
- Return encrypted response to source system
OCI Functions Design
Function 1: AES Encrypt/Decrypt
Handles:
- AES Decryption (incoming)
- AES Encryption (outgoing)
Function 2: RSA Sign/Verify
Handles:
- Signature verification (incoming)
- Signing (optional, if needed in future)
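The following Node.js sketch is an added example, not code from the original post. It shows the logic behind Function 1 and Function 2 for Steps 2.2, 2.3 and 5.1. The page names no cipher mode, payload layout or signature scheme, so AES-256-GCM, the nonce || ciphertext || tag layout, RSA PKCS#1 v1.5 with SHA-256 over the plaintext, the `CryptoFault` type and all function names are assumptions. Keys are generated locally in place of the OCI Vault fetch.

```javascript
// Added example. Assumptions (not from the page): AES-256-GCM with the layout
// nonce(12) || ciphertext || tag(16); RSA PKCS#1 v1.5 + SHA-256 over the plaintext.
const crypto = require('crypto');

// Hypothetical fault type for the Crypto Integration to map to an OIC fault.
class CryptoFault extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Step 2.2: Base64 decode, then AES decrypt. GCM authenticates the ciphertext,
// so a modified payload fails here instead of yielding garbage plaintext.
function aesDecrypt(key, payloadB64) {
  const raw = Buffer.from(payloadB64, 'base64');
  if (raw.length < 28) throw new CryptoFault('INVALID_PAYLOAD', 'payload too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(raw.length - 16));
  try {
    return Buffer.concat([decipher.update(raw.subarray(12, raw.length - 16)), decipher.final()]);
  } catch (e) {
    throw new CryptoFault('INVALID_PAYLOAD', 'AES decryption failed');
  }
}

// Step 5.1: AES encrypt under a fresh random nonce, then Base64 encode.
function aesEncrypt(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64');
}

// Steps 2.2 + 2.3: release the plaintext only when the signature verifies.
function processInbound(aesKey, publicKey, payloadB64, signatureB64) {
  const plain = aesDecrypt(aesKey, payloadB64);
  const sig = Buffer.from(signatureB64, 'base64');
  if (!crypto.verify('sha256', plain, publicKey, sig)) {
    throw new CryptoFault('SIGNATURE_INVALID', 'RSA signature rejected');
  }
  return plain;
}

// Constructed sample request; keys are generated locally in place of OCI Vault.
function sampleRequest() {
  const aesKey = crypto.randomBytes(32);
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const body = Buffer.from('{"orderId":"TEST-1"}');
  const signature = crypto.sign('sha256', body, privateKey).toString('base64');
  return { aesKey, publicKey, payload: aesEncrypt(aesKey, body), signature };
}
```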
Key Benefits
- High Security – Keys stored in OCI Vault
- Reusable Design – Crypto logic centralized
- ⚡ Scalable – Functions handle heavy crypto processing
- 🧩 Loose Coupling – Business logic separated from security
Error Handling
- Vault access failure → Security error
- Decryption failure → Invalid payload
- Signature failure → Reject request
- Function failure → Retry / fault
Best Practices
- Use OCI Vault for all secrets
- Restrict access via IAM policies
- Avoid logging sensitive payloads
- Enable tracing only for metadata
- Reuse crypto integration across projects
Final Flow Summary
Source
↓ (AES Encrypted + RSA Signed)
Main Integration (1)
↓
Crypto Integration (2)
→ Fetch keys from OCI Vault
→ Call Function (AES Decrypt)
→ Call Function (RSA Verify)
↓
Main Integration
→ Call Target
← Response
↓
Crypto Integration
→ Call Function (AES Encrypt)
↓
Source (Encrypted Response)
Conclusion
This approach provides a clean, secure, and enterprise-ready pattern in OIC by combining:
- OCI Vault for secure key management
- OCI Functions for cryptographic operations
- Reusable integrations for maintainability
A perfect design for handling sensitive real-time integrations at scale.