Sunday, April 26, 2026

OIC - Secure Payload Handling in OIC using OCI Vault & Functions (AES + RSA) | Message level encryption/decryption and signing/verification

Work in progress...

Overview

This blog covers a secure and scalable design pattern in Oracle Integration Cloud (OIC) where:

  • Incoming payload is AES encrypted and RSA signed
  • Keys are fetched from OCI Vault
  • Cryptographic operations are handled via OCI Functions
  • Response is encrypted and signed if required before sending back

Architecture

Source
 ↓ (AES Encrypted + RSA Signed)
Main Integration
 ↓
Crypto Integration
   → Fetch keys from OCI Vault
   → Call Function (AES Decrypt)
   → Call Function (RSA Verify)
 ↓
Main Integration
   → Call Target
   ← Response
 ↓
Crypto Integration
   → Call Function (AES Encrypt)
   → Call Function (RSA Sign) optional
 ↓
Source (Encrypted and signed Response)

OCI Functions: 
   - Function 1: AES Encrypt/Decrypt
   - Function 2: RSA Sign/Verify

Scenarios:

Scenario 1:  Source data is AES encrypted. In OIC, we decrypt the data and use it; later on we encrypt the response and send it back to the Source.

Scenario 2: Source data is RSA signed. Need to verify the request message and sign the response before sending it back.


Scenario 3:  Source data is AES encrypted, the cipher key is the RSA-encrypted AES key, and the message is signed with an RSA key. Need to verify the message and RSA-decrypt the cipher key to get the AES key, which is then used to decrypt the data/message.

RSA key Encryption Decryption:

AES Key Encryption Decryption:

RSA SIGN Verify:

End-to-End Flow:

Step 1: Receive Request (Main Integration)

  • Expose REST API
  • Input contains:
    • Encrypted payload (Base64)
    • Signature
    • Salt or IV
Why is a Salt or IV required?
TBD

➡️ Call Crypto Integration for processing


Step 2: Crypto Processing Integrations

This integration acts as a central reusable crypto layer.

2.1 Fetch Keys from OCI Vault

  • Retrieve:
    • AES Secret Key
    • RSA Private/Public Keys
  • Use secure REST call / OCI SDK

Ensures no key is hardcoded in OIC


2.2 Call OCI Function – Decrypt

  • Pass encrypted payload + key reference
  • Function performs:
    • Base64 decode
    • AES decryption

Returns: Plain payload


2.3 Call OCI Function – RSA Verify

  • Pass payload + signature + public key
  • Function validates signature

Condition:

  • Valid → proceed
  • Invalid → throw fault

Step 3: Return Decrypted Data to Main Integration

  • Crypto Integration sends verified plain payload back

Step 4: Business Processing (Main Integration - 1)

  • Transform data
  • Call target system
  • Receive response

Step 5: Encrypt Response

Main Integration again calls Crypto Integration (2)

5.1 Call OCI Function – AES Encrypt

  • Encrypt response payload
  • Base64 encode

No RSA signing required for response


Step 6: Send Response

  • Return encrypted response to source system
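The Scenario 3 receive path (Steps 2.2 and 2.3 done in one function) as an added example in Go, which OCI Functions also support; this is not the blog's or Oracle's code. The blog does not fix the algorithms or the message layout, so the example assumes AES-256-GCM for the payload, RSA-OAEP for the wrapped cipher key, RSA-PSS over the ciphertext for the signature, that the keys from OCI Vault are already fetched and parsed, and Envelope field names that are invented here:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the Scenario 3 request as the crypto function sees it after Base64 decoding.
// Field names are assumed for this example, not OIC's: the AES-GCM ciphertext and its IV,
// the AES key RSA-OAEP encrypted to the receiver's public key, and an RSA-PSS signature
// over the ciphertext made with the source's private key.
type Envelope struct {
	Ciphertext, IV, EncKey, Signature []byte
}

// OpenRequest does the function-side work in the order the blog lists: verify the signature
// first (Invalid -> throw fault), then RSA-decrypt the cipher key to recover the AES key,
// then AES-decrypt the payload. The key arguments stand in for what OIC fetched from OCI Vault.
func OpenRequest(e Envelope, receiverPriv *rsa.PrivateKey, sourcePub *rsa.PublicKey) ([]byte, error) {
	// Verify over the ciphertext so nothing is decrypted for an unauthenticated request.
	h := sha256.Sum256(e.Ciphertext)
	if err := rsa.VerifyPSS(sourcePub, crypto.SHA256, h[:], e.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid, request rejected: %w", err)
	}
	// cipher key = rsa encrypted(aes key): unwrap it with the receiver's private key.
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.EncKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cipher key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM's tag check covers the IV too, so an altered IV or ciphertext fails here.
	plain, err := gcm.Open(nil, e.IV, e.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("payload decrypt failed: %w", err)
	}
	return plain, nil
}
```

The same function in reverse order (AES encrypt, then RSA sign) gives the Step 5 response path if signing is wanted.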

Conclusion

This approach provides a clean, secure, and enterprise-ready pattern in OIC by combining:

  • OCI Vault for secure key management
  • OCI Functions for cryptographic operations
  • Reusable integrations for maintainability

A perfect design for handling sensitive real-time integrations at scale.

