Configure an Oracle-Managed Custom Endpoint
If you want Oracle to procure and manage the public certificate for your custom host name, you can create an Oracle-managed custom endpoint.
Perform the following steps to create an Oracle-managed custom endpoint for your instance.
Prerequisites for Configuring an Oracle-Managed Custom Endpoint
To configure an Oracle-managed custom endpoint, complete the following prerequisites.
| Task | Where to perform the task | Associated documentation | 
|---|---|---|
| Create your Oracle Integration instance | Oracle Cloud Infrastructure Console | Create an Oracle Integration Instance Note: |
| Choose a vanity URL or custom hostname for your Oracle Integration instance | N/A | N/A | 
| Create a public DNS zone | Oracle Cloud Infrastructure Console | Creating a Public DNS Zone. Note: DNS zones are region-specific. If you have Oracle Integration instances in multiple regions, you must create a DNS zone with a unique subdomain for each region. | 
| Delegate the DNS zone and update the name servers with your registrar | Your domain name registrar | Delegating a Public DNS Zone. Note: If you created DNS zones for multiple regions, you must perform this task for each DNS zone in its respective subdomain. | 
| Register your Oracle Integration instance hostname with the DNS zone by adding a CNAME record | Oracle Cloud Infrastructure Console | Adding a Record to a DNS Zone | 
| Create Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to allow your Oracle Integration tenancy to manage the public DNS zone | Oracle Cloud Infrastructure Console | Create IAM Policies | 
Create IAM Policies
You must create the following IAM policies to allow your Oracle Integration instance to manage the DNS resources.
- A policy that allows your Oracle Integration instance to manage dns-zones and dns-records resources in your tenancy:
                           ALLOW dynamic-group group-Name TO READ dns-zones IN compartment compartment-name
                           ALLOW dynamic-group group-Name TO USE dns-records IN compartment compartment-name WHERE ALL {target.dns-zone.name='dns-zone-name'}
  where:
  - group-Name is the name of the dynamic group that defines the compartment that stores your Oracle Integration instance.
  - compartment-name is the name of the compartment that stores the DNS resources.
  - dns-zone-name is the public DNS zone you created.
  Note:
  - The dynamic group is defined in the identity domain in which the Oracle Integration instance was created.
  - The matching rule that defines the dynamic group must point to the Oracle Cloud service client ID for your Oracle Integration instance. For example:
                                    Matching rule: any {resource.id='Oracle-Cloud-service-client-ID'}
- A generic endorse policy to allow your Oracle Integration instance to manage certificate resources in the Oracle Integration tenancy. This is the endorse part of the cross-tenant policy.
                           ENDORSE any-user TO MANAGE certificate-authority-family IN any-tenancy
For more information, see Managing DNS Resources Across Tenancies.
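A check for the least-privilege shape of the DNS policy above, as an added example that is not Oracle's code: it parses policy statements and reports any DNS grant broader than the statements on this page. The function name, the finding messages, and the sample dynamic group, compartment and zone names are assumptions constructed for illustration.

```python
import re

# OCI policy verbs, lowest to highest privilege.
VERBS = ["inspect", "read", "use", "manage"]
# Highest verb the page's policy grants for each DNS resource type.
EXPECTED = {"dns-zones": "read", "dns-records": "use"}
STMT = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
ZONE_COND = re.compile(r"target\.dns-zone\.name\s*=\s*'([^']+)'", re.IGNORECASE)

def audit_dns_policy(statements, zone_name):
    """Return findings for DNS statements broader than the page's policy."""
    findings, seen = [], set()
    for stmt in statements:
        m = STMT.match(stmt)
        if not m:
            findings.append(f"unparsed statement: {stmt!r}")
            continue
        resource = m["resource"].lower()
        if resource not in EXPECTED:
            continue  # not a DNS statement; outside this check
        seen.add(resource)
        verb = m["verb"].lower()
        if not m["subject"].lower().startswith("dynamic-group "):
            findings.append(f"{resource}: subject is not a dynamic group")
        if verb not in VERBS or VERBS.index(verb) > VERBS.index(EXPECTED[resource]):
            findings.append(f"{resource}: verb {verb.upper()} exceeds {EXPECTED[resource].upper()}")
        if m["scope"].strip().lower() == "tenancy":
            findings.append(f"{resource}: granted tenancy-wide, not in a compartment")
        if resource == "dns-records":
            # The WHERE clause must pin exactly the one expected zone name.
            zones = ZONE_COND.findall(m["cond"] or "")
            if zones != [zone_name]:
                findings.append("dns-records: not restricted to zone " + zone_name)
    findings += [f"missing statement for {r}" for r in EXPECTED if r not in seen]
    return findings

# Constructed sample statements; all names are placeholders.
GOOD = [
    "ALLOW dynamic-group oic-dg TO READ dns-zones IN compartment dns-cmp",
    "ALLOW dynamic-group oic-dg TO USE dns-records IN compartment dns-cmp "
    "WHERE ALL {target.dns-zone.name='oic.example.org'}",
]
BROAD = [
    "ALLOW dynamic-group oic-dg TO MANAGE dns-zones IN tenancy",
    "ALLOW dynamic-group oic-dg TO USE dns-records IN compartment dns-cmp",
]
```

Calling `audit_dns_policy(BROAD, "oic.example.org")` reports the MANAGE verb, the tenancy-wide scope, and the missing zone restriction, while `GOOD` returns an empty list.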
Create the Oracle-Managed Custom Endpoint
After completing the prerequisites, perform the following steps to configure an Oracle-managed custom endpoint:
- If you're not already on the Integration instances page, open it.
  - Open the Oracle Cloud Infrastructure Console.
  - Open the navigation menu and click Developer Services. Under Application Integration, click Integration.
- Open your instance.
- On the left, under Resources, click Custom Endpoint.
- Click Create custom endpoint.
- Select Oracle managed.
- Make sure the correct compartment is selected.
- Select the DNS zone you created as a prerequisite.
- Enter your custom host name for the instance.
- Click Create.
After configuring your Oracle-managed custom endpoint, you must complete some post-configuration tasks.
Post-Configuration Tasks for an Oracle-Managed Custom Endpoint
After creating your Oracle-managed custom endpoint, perform the following post-configuration tasks:
- Modify your custom hostname IP record to point to the Oracle Integration origin. If you use a CNAME record, you must enter the FQDN for your load balancer's public IP address.
- If you're using three-legged OAuth with third-party identity providers (such as Google, Facebook, etc.), update the redirect URL in your identity provider (IdP) application with the custom hostname. If the custom hostname for your Oracle Integration instance is mycustom.example.org, your redirect URL must be, for example, https://mycustom.example.org/icsapis/agent/oauth/callback. After updating the redirect URL in the IdP application, you must reacquire the access token by providing consent on the connection page.
- If you created integration flows prior to mapping a custom endpoint to your instance, they will continue to work without any issues. However, if you want to update your integrations to use the custom endpoint:
  - For triggers, deactivate and re-activate those integrations to regenerate the WSDLs.
  - For parent-child integrations, edit the existing connection to replace the hostname with the custom host; test and save the connection; then reactivate the integration.
Note:
If you're using the Oracle NetSuite Adapter, the adapter's TBA Authorization Flow security policy won't work with custom endpoints for Oracle Integration.