Tuesday, April 9, 2024

Enhance Oracle Integration API Security Using Oracle API Gateway

In today's interconnected digital landscape, businesses are increasingly relying on seamless integrations to streamline operations and enhance productivity. Oracle Integration APIs serve as crucial conduits for exchanging data and functionalities between diverse applications, systems, and services. However, ensuring the security of these integrations is paramount to safeguard sensitive information, maintain regulatory compliance, and mitigate potential threats.

Oracle API Gateway emerges as a robust solution for fortifying Oracle Integrations by providing comprehensive security features and capabilities. In this blog post, we'll delve into the significance of securing Oracle Integrations and explore how Oracle API Gateway empowers organizations to achieve heightened levels of protection.

  • Let's start with simple integration

The integration will receive "name" as a parameter and return "Hello, name"



From Postman let us call the integration

We will use Basic Auth to call the integration




Any user who has access to the OIC instance will be able to invoke the integration. So, if you make an integration, everyone who can use OIC can get to it. That's where the API gateway comes in to make sure it's safe.

To set up the API Gateway, you need to start by creating a Virtual Cloud Network (VCN), which is where the API Gateway operates. Using this network adds an extra layer of security because you can decide which IP addresses are allowed to access the network and block any unwanted ones.

  • Provision Virtual Cloud Network (VCN)

From OCI console --> Networking --> Virtual cloud networks




Start VCN Wizard and create VCN with internet connectivity. After creating VCN, you will find the VCN is created with Subnets, Gateways, security lists and Route tables




Open the default Security List and add the Ingress Rule as shown


This means VCN will accept any request from any source (0.0.0.0/0) and can access port 443 which is the OIC integrations port.

Open Network Security Group and create one like this:







  • Provision API Gateway


Create a new instance and set the following:
Type: Public
Compartment: select the compartment where VCN is created
Network: select VCN, then select public sub-net then tick on the Enable Network security groups and select network security groups




From Gateway, select Deployment and create a deployment


From API request policies you can add policies on the API like you can limiting the number of requests per second either total requests or the limitation will be per client IP




You can add usage plans where you force the client to add API token to the header of the request.

From Usage plans press "Add" and in the Token location add the following "request.headers[X-Client-Token]"
This means request should have X-Client-Token in the header





In the Authentication you have multiple options, let us go with No Authentication and this means the only users has access to the VCN network will have access to this deployment





In Route 1 enter the path of the Route, Method and select HTTP then enter the OIC integration URL






You can add up to 50 routes per deployment (this number can be changed in the future)

You can find the deployment URL from







Create Usage plans and Subscribers
Once you create the deployments, you can create a Usage Plan for each deployment (or for multiple Deployments) then define a subscriber for the usage plan.


From API Gateway select Usage plans and press Create usage plan







Enter Name and select Compartment then select Entitlements.

Create entitlement and associate the deployment(s) to this Usage plan




Back to API Gateway and select Subscribers and create new subscriber



In the Client enter Name "A" and enter Client token where the token should be sent in the request header. Then add Usage Plans







Let's try to call the integration through API Gateway

From API Gateway Deployment copy URL then add the route path

Use the basic authentication and try to invoke the integration




You will find it is Forbidden because we need to add the token in the request header "X-Client-Token"



Once we add token in the header, we are able to invoke the API



  • Force using API Gateway through API Gateway
Now the integration can be invoked through API Gateway but at the same time the user still be able to invoke integration directly without API Gateway. To force the OIC integrations to be invoked only through API Gateway

From OCI àDeveloper Services àIntegration àIntegration Instance àNetwork Access


Enable Restrict Network Access --> then either select Virtual Cloud Network and select API Gateway VCN or select IP and enter API Gateway IP (you can find it in the API Gateway instance). Then restart OIC instance.







Conclusion

Securing Oracle Integrations is essential to safeguard sensitive data, ensure regulatory compliance, and protect against evolving cybersecurity threats. Oracle API Gateway offers a comprehensive suite of security features and capabilities to fortify Oracle Integrations effectively. By adopting best practices and leveraging Oracle API Gateway's robust security controls, organizations can enhance the resilience and integrity of their integrations in an increasingly interconnected digital ecosystem.



















No comments:

Post a Comment