Oracle Mobile Cloud Service (MCS) and Integration Cloud Service (ICS): How secure is your TLS connection? By Maarten Smeets

In a previous blog I have explained which what cipher suites are, the role they play in establishing SSL connections and have provided some suggestions on how you can determine which cipher suite is a strong cipher suite. In this blog post I’ll apply this knowledge to look at incoming connections to Oracle Mobile Cloud Service and Integration Cloud Service. Outgoing connections are a different story altogether. These two cloud services do not allow you control of cipher suites to the extend as for example Oracle Java Cloud Service and you are thus forced to use the cipher suites Oracle has chosen for you.

Why should you be interested in TLS? Well, ‘normal’ application authentication uses tokens (like SAML, JWT, OAuth). Once an attacker obtains such a token (and no additional client authentication is in place), it is more or less free game for the attacker. An important mechanism which prevents the attacker from obtaining the token is TLS (Transport Layer Security). The strength of the provided security depends on the choice of cipher suite. The cipher suite is chosen by negotiation between client and server. The client provides options and the server chooses the one which has its preference.

Disclaimer: my knowledge is not at the level that I can personally exploit the liabilities in different cipher suites. I’ve used several posts I found online as references. I have used the OWASP TLS Cheat Sheet extensively which provides many references for further investigation should you wish.

Method

Cipher suites

The supported cipher suites for the Oracle Cloud Services appear to be (on first glance) host specific and not URL specific. The APIs and exposed services use the same cipher suites. Also the specific configuration of the service is irrelevant we are testing the connection, not the message. Using tools described here (for public URL’s https://www.ssllabs.com/ssltest/ is easiest) you can check if the SSL connection is secure. You can also check yourself with a command like: nmap –script ssl-enum-ciphers -p 443 hostname. Also there are various scripts available. Read the complete article here.

PaaS Partner Community

For regular information on business process management and integration become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

Open Banking based on API Platform Cloud Service – support Payment Services Directive (PSD2) EU Regulation

Revised Directive on Payment Services or PSD2 is aimed at further developing an EU-wide market for electronic payments. Member states have to transpose the directive into their national laws till January 2018.

Payment service user must have an overview of financial situation at any given moment and have aggregated online information on payment accounts held with other payment service providers, particularly payment account transaction and balance data, all within a secure environment, with strong customer authentication, via application programming interfaces (APIs).

PSD2 contemplates a simplified payments value chain in which the card network can be fully disintermediated. In addition to the dramatic erosion of their payments revenues, banks are also set to see their interest-based revenue streams impacted by a loss of ‘customer ownership’. Account-data aggregators aiming to pull account information from multiple banks into their application, are warning for banks, unless banks themselves also become aggregators of choice.

By offering ‘payment initiation provider’ and ‘account information provider’ services – a bank could significantly improve its ability to sell customer insights, due to the increased availability of customer data and touch points.

Oracle API Platform Cloud Service (APIPCS) simplifies and accelerates the process of delivering open banking and PSD2 compliance by enabling speedy and secure delivery of banking APIs. APIPCS increases level of comfort that businesses are gaining in having their applications and data outside the security of their on‐premises firewalls.

APIPCS offers full life cycle API management: planning, design, implementation, publication, operation, consumption, maintenance and retirement of APIs. It includes a developer’s portal to target, assist and govern the communities of developers who embed the APIs, as well as the runtime management and analytics.

APIPCS provides key features of API platform: (i) Building APIs – Creating an API on top of a service that, for example, accesses data formerly locked inside monolithic applications. Rapid API construction with run‐ready policies for controlling usage of APIs; (ii) Securing APIs – Assigning industry‐standard securities to APIs with no coding. Integration with existing enterprise identity management systems; (ii) Deploying APIs – Once the APIs are created, they’re deployed to an API gateway for usage with one‐click. Gateways can run in the Oracle Cloud or on‐premises, close to back‐end services; (iii) Publishing APIs – Documentation can be auto‐generated while the API is being developed; (iv) Consuming APIs – Centralized location for finding and learning about available APIs. Simple approach to register applications so they can utilize APIs; (v) Monitoring APIs – Instant visibility into operational metrics on usage and API business key performance indicators.

In API preparation phase value of APIPCS leads to increased consistency and improves the overall developer experience with formalization of domain semantics or architectural style. Using APIPCS it is possible design and prototype API without writing any code and enable quick iteration on API design change, it is allowed to start of a work on API client before API server is implemented and this way getting very fast feedback from API consumers and stakeholders and provide ready API product much sooner to the market.

The API implementation will be automatically tested against its design, monitoring the contract and implementation changes are made much easier, version control and collaboration comes seamless as well as reporting on any disparities and errors in the description against the results of locally run API, automatic test runs when anything changes.

General differentiators of APIPCS are : it is easy to use and not technically challenging solution; it has focus on ‘API design first’ approach; it has architecture with API management on the cloud (including main portal and developer portal) and only gateways (GWs) being weather on cloud or on-prem. An end customer needs to operate only the gateways (GWs) and APIPCS operates all complex parts of API management in Oracle cloud.

GWs themselves are very mature product with amount of advantages. Management console never goes directly to the GW, it is other way around that only GW goes to cloud – this way providing very elegant security solution. GWs will automatically pull down all new policies. In case of APIPCS, most policies will work with existing versions of the GW, so GW upgrades are minimal and if they are required it will anyway happen through the cloud service. APIPCS pulls down the deployments of GWs extremely fast, as they are done by the cloud service, without need to export a zip or manually deploy GWs. There is no need end customer to perform data backups, no need for upgrades to get new policies, no need to configure clusters. All these brings down operational cost of operating API platform. APIPCS gives control which users have the right to deploy which GWs and what exactly is deployed on which GW, with full audit history.

Want to learn more? Contact Milomir Vojvodic

PaaS Partner Community

For regular information on business process management and integration become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

API Platform Cloud Service REST API scripts and REPL using Python by Shreenidhi Raghuram

Introduction

This blog introduces a few useful Python scripts written to repeatedly perform common administrative tasks and development operations on an API Platform Cloud Service instance.

The scripts are written in Python and can be executed on all Python 3.6+ supported platforms

Why

These scripts are written keeping in mind a few real life use cases, such as –

• Migration of API Platform artifacts between different API server environments
• Export of API Platform artifacts for source control

The scripts require familiarity with API Platform Cloud Service. Knowledge of Python programming language is not essential to execute the scripts and the interactive REPL, but will come in handy to customize or extend the functionality of the scripts to suite any specific needs.

Prerequisites

The scripts require Python version 3.6+ and ‘requests’ and ‘tabulate’ modules installed.

The API Platform Cloud Service (APIPCS) REST API documentation is available here http://docs.oracle.com/en/cloud/paas/api-platform-cloud

The python scripts zip pack can be downloaded FROM here.

Extract the zip archive. All python scripts are found within the apip-rest-python directory.

Usage information: Use ‘—help’ to get the usage of every script

For example, python listapis.py –help. Read the complete article here.

PaaS Partner Community

For regular information on business process management and integration become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

Are You Ready for Microservices?

Oracle ACE Rolanda Carrassco, co-owner and principal SOA Architect at S&P Solutions joins his colleague, SOA Architect Leonardo Gonzalez, to pose two questions that might help you decide if your organization is ready for microservices. Watch the video here.

More from Rolando Carrasco

Cloud Integration in HR | Carrasco and Viveros [Video]

Podcast Show Notes: Building a Real Cloud Solution

Podcast Show Notes: Oracle API Management Implementation

Integrate Your HR System with a Talent Management System in the Cloud

SOA Cloud Service in a Nutshell [Article]

SOA & BPM Partner Community

For regular information on Oracle SOA Suite become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

3rd-Generation API Management: From Proxies to Micro-Gateways by Oracle ACE Director Luis Weir

Businesses today understand that, in order to remain competitive in a market dominated by digital disruptors[i], they must innovate and gain business agility and speed. To this end, organizations of all sizes are adopting cloud (SaaS, PaaS, IaaS)[ii] not only as the means to reduce TCO, but also as a vehicle to achieve digital transformation and customer centricity.

However, moving to cloud does not mean one cloud. Research suggests that organizations are opting for multi-cloud strategies[iii] as opposed to putting all their eggs in a single cloud vendor’s basket. This best-of-breed approach to cloud adoption means that on-premises monolithic system(s)[iv] (e.g., an ERP) and other on-premises applications are re-implemented in the cloud as discrete SaaS applications and integrated or extended with PaaS.

For those on-premises applications that either don’t have a cloud equivalent or simply don’t address the desired requirements, many organizations are also opting for application development in the cloud.[v] Microservices architectures[vi] have become predominant as an architectural style for implementing such cloud-native applications. To do this, a monolith is broken down into smaller pieces — each representing a business capability — and then implemented as a fully decoupled service (microservice),[vii] typically in PaaS.

As cloud adoption continues, information inevitably becomes more and more federated, not only across many different SaaS and PaaS applications (from different vendors), but also across many on-premises systems.

In order to achieve digital transformation, an organization must first either adapt or enhance its existing (on-premises) IT systems or attempt to replace them with modern ones (probably in the cloud), so products and services can be offered digitally via multiple channels (web, mobile apps, kiosks, partner online stores, bots, etc.).

Digital transformation makes co-workers more productive by enabling them to execute business processes whilst on the move through a seamless journey delivered by different device interactions.

It also enhances an organization’s partner ecosystem by giving them on-demand access to relevant business data and providing the means to execute business transactions electronically.

However, none of the above are possible if access to core business information assets is not availableÑand with information becoming federated, access can be a big problem.

Integration platform as a service (iPaaS)[viii] solutions address this issue. Their selling point is their ability to connect to any cloud and/or on-premises system and deliver the access required. A robust iPaaS platform should be capable of connecting to any cloud and/or on-premises application to deliver seamless access to information via RESTful Application Programming Interfaces (otherwise known as Web APIs[ix]).

The use of APIs as the means to deliver standard, consistent and secured access to information enables multi-channel applications to consume the assets they need when they need them. Read the complete article here.

For more information please visit https://www.capgemini.com/oracle and attend the

API Event April 26th 2018 in London www.tinyurl.com/CapgeminiOracle.

SOA & BPM Partner Community

For regular information on Oracle SOA Suite become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress

Digital Transformation: Oracle API Platform Cloud Service

API exposes and manages hidden information to create new solutions. Watch Luis Weir’s video here.

For more information please visit https://www.capgemini.com/oracle and attend the

API Event April 26th 2018 in London www.tinyurl.com/CapgeminiOracle.

SOA & BPM Partner Community

For regular information on Oracle SOA Suite become a member in the SOA & BPM Partner Community for registration please visit www.oracle.com/goto/emea/soa (OPN account required) If you need support with your account please contact the Oracle Partner Business Center.

Blog Twitter LinkedIn Facebook Wiki

Technorati Tags: SOA Community,Oracle SOA,Oracle BPM,OPN,Jürgen Kress