Preparing OCI

Before registering your Oracle Cloud Infrastructure (OCI) application instance with Oracle CASB Cloud Service, create and configure a dedicated OCI user account.

Prerequisite: Ensure that you have a public/private key pair available to use with OCI.

The steps below guide you through performing five tasks in OCI:

  1. Creating an identity account, or user.

  2. Getting the public key for the user from Oracle CASB Cloud Service.
  3. Creating an identity group.

  4. Assigning the identity account, or user, to the identity group.

  5. Creating an identity policy to grant access privileges to the group that includes the user.

    1. This is the simplest policy, very convenient for non-production environments:

      Allow group YourGroupNameGoesHere to read all-resources in tenancy

    2. These are the entries for the tightest policy, with the minimal set of privileges required for production:

      Allow group YourGroupNameGoesHere to inspect all-resources in tenancy

      Allow group YourGroupNameGoesHere to read audit-events in tenancy

      Allow group YourGroupNameGoesHere to read object-family in tenancy where request.operation='GetBucket'

      Allow group YourGroupNameGoesHere to read instance-family in tenancy where any { request.operation='ListInstances', request.operation='GetInstance' }

      Allow group YourGroupNameGoesHere to read users in tenancy where any { request.operation='ListApiKeys', request.operation='ListSwiftPasswords' }

Note:

Oracle CASB Cloud Service uses OCI SDK 1.2.28 to monitor the us-ashburn-1, us-phoenix-1, and eu-frankfurt-1 regions.

  1. Log in to your OCI account as an administrator, with privileges to create a user and assign privileges.
  2. From the Navigation Drawer, select Identity, Users.
  3. On the Users page, click the Create User button.
  4. In the Create User dialog box:
    1. Enter MY_CASB_ACCOUNT for the Name.

      If you wish to use a different name, ensure that you select that user name in the next step below.

    2. Enter something like Oracle CASB Service Account for the Description.

      You may enter whatever you like here.

    3. Click Create.

  5. On the Users page, locate the user you just created and click the user name link.
  6. On the user details page, in the Resources panel on the left, click API Keys.
  7. Click Add Public Key, below the API Keys header.

    Now, you need to get the public key from Oracle CASB Cloud Service.

  8. Open the Oracle CASB Cloud Service admin console in a separate browser window.
  9. Click the Navigation Menu icon, then select Configuration, and then CASB Key-Pair Management.
  10. Click the Copy to Clipboard icon to copy the key.
  11. Switch back to the browser window with the OCI admin console.
  12. Paste the public key in the Public Key field, and then click Add.
  13. From the Navigation Drawer, select Identity, Groups.
  14. Click the Create Group button.
  15. In the Create Group dialog box:
    1. Enter MY_CASB_GROUP for the Name.

      If you wish to use a different name, you must match what you enter here for Name in the Create Policy dialog box step below.

    2. Enter something like Oracle CASB Service Account Group for the Description.

      You may enter whatever you like here.

    3. Click Submit.

  16. From the Navigation Drawer, select Identity, Users.
  17. Click the name link for the user you just created.

    MY_CASB_ACCOUNT, or the user name you used in place of this.

  18. On the user details page, in the Resources panel on the left, click Groups.
  19. Click the Add User to Group button.
  20. Select MY_CASB_GROUP from the drop-down list to add the user to this group.

    If you gave your group a different name when you created the group in the step above, ensure that you select that name here.

  21. From the Navigation Drawer, select Identity, Policies.
  22. Click the Create Policy button.
  23. In the Create Policy dialog box:
    1. Enter MY_CASB_POLICY for the Name.
    2. Enter something like Oracle CASB Service Account Group Policy for the Description.

      You may enter whatever you like here.

    3. Switch back to the browser window with the Oracle CASB Cloud Service console.
    4. In the informational message at the bottom of the CASB Key-Pair Management page, click the "here" link.

      The Creating a functional OCI Service Account dialog box opens.

    5. In line 3, enter the name of the identity group you just created in OCI.
  24. If this is a production environment:
    1. Click the Copy to Clipboard icon to the right of the first/next statement in section 5-b.
    2. Switch back to the browser window with the OCI console where the Create Policy dialog box is still open.
    3. In the Policy Statements section, paste the copied statement into the STATEMENT box.
    4. If you didn't name your group MY_CASB_GROUP, replace MY_CASB_GROUP in the pasted statement with the group name you created.
    5. If this wasn't the last of the 5 statements under 5-b in the Oracle CASB Cloud Service Creating a functional OCI Service Account dialog box:
      1. Click the plus sign below the statement you just pasted to open another text box.

      2. Switch back to the browser window with the Oracle CASB Cloud Service console.

      3. Repeat the production environment sub-steps above.

  25. If this is not a production environment:
    1. Click the Copy to Clipboard icon to the right of the statement in section 5-a.
    2. In the Policy Statements section, paste the copied statement into the STATEMENT box.
    3. If you didn't name your group MY_CASB_GROUP, replace MY_CASB_GROUP in the pasted statement with the group name you created.
  26. Click Create.
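The policy statements under task 5 are typed or pasted by hand, and the copy-and-edit steps above (pasting each statement, then replacing MY_CASB_GROUP) are where a stray character or a placeholder left in place turns into a rejected policy or, worse, a policy bound to the wrong group. The following added example, which is not Oracle's code and not part of this page's procedure, lints a list of statements in the shape this page uses before you paste them: it catches a '-' typed where '=' belongs, an unterminated or missing quote around a value, a group name that is not the one you created, and any verb broader than inspect/read, which is all the CASB service account needs. The statement grammar it accepts is only the tenancy-scoped form shown on this page; the sample inputs, including the deliberately broken ones, are constructed here.

```python
"""Lint OCI IAM policy statements before pasting them into the Create Policy dialog.

Added example, not Oracle's code. Accepts only the statement shape this page uses
("Allow group G to VERB RESOURCE in tenancy [where ...]") and reports typo classes
that creep into copied statements, a group name that does not match the group you
created, and verbs broader than the read-only access the CASB service account needs.
"""
import re

VERBS = ("inspect", "read", "use", "manage")  # OCI verbs, least to most privilege
READ_ONLY = {"inspect", "read"}

# Tenancy-scoped statements only (compartment scope is not handled here).
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+tenancy(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
# One condition: variable, '=' or '!=', single-quoted value.
CONDITION_RE = re.compile(r"^[A-Za-z][\w.]*\s*!?=\s*'[^']*'$")


def check_conditions(where: str) -> list:
    """Return the problems found in a 'where' clause (empty list when clean)."""
    problems = []
    text = where.strip()
    m = re.match(r"^(any|all)\s*\{(.*)\}$", text, re.IGNORECASE | re.DOTALL)
    conds = [c.strip() for c in m.group(2).split(",")] if m else [text]
    for cond in conds:
        if cond.count("'") % 2:
            problems.append(f"unterminated quote in condition: {cond}")
        elif "=" not in cond:
            problems.append(f"no '=' operator in condition (typo for '='?): {cond}")
        elif not CONDITION_RE.match(cond):
            problems.append(f"malformed condition (value must be single-quoted): {cond}")
    return problems


def check_statement(stmt: str, expected_group: str = None) -> list:
    """Return the problems with one statement (empty list when it is acceptable)."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        return [f"does not match 'Allow group G to VERB RESOURCE in tenancy [where ...]': {stmt}"]
    problems = []
    group, verb, where = m.group("group"), m.group("verb").lower(), m.group("where")
    if verb not in VERBS:
        problems.append(f"unknown verb '{verb}'")
    elif verb not in READ_ONLY:
        problems.append(f"verb '{verb}' grants more than read access; CASB only needs inspect/read")
    if expected_group and group != expected_group:
        problems.append(f"group '{group}' is not the group you created ('{expected_group}')")
    if where:
        problems.extend(check_conditions(where))
    return problems


def check_policy(statements, expected_group: str = None) -> dict:
    """Map each statement to its list of problems."""
    return {s: check_statement(s, expected_group) for s in statements}


def is_clean(report: dict) -> bool:
    """True when no statement in the report has a problem."""
    return not any(report.values())


# The production statements from this page, with MY_CASB_GROUP filled in.
PRODUCTION_STATEMENTS = [
    "Allow group MY_CASB_GROUP to inspect all-resources in tenancy",
    "Allow group MY_CASB_GROUP to read audit-events in tenancy",
    "Allow group MY_CASB_GROUP to read object-family in tenancy where request.operation='GetBucket'",
    "Allow group MY_CASB_GROUP to read instance-family in tenancy where any { request.operation='ListInstances', request.operation='GetInstance' }",
    "Allow group MY_CASB_GROUP to read users in tenancy where any { request.operation='ListApiKeys', request.operation='ListSwiftPasswords' }",
]
# Constructed inputs with the kinds of mistakes a copy-and-edit step can introduce.
TYPO_STATEMENTS = [
    "Allow group MY_CASB_GROUP to read instance-family in tenancy where any { request.operation-'ListInstances', request.operation='GetInstance }",
    "Allow group MY_CASB_GROUP to read users in tenancy where any { request.operation-'ListApiKeys', request.operation=ListSwiftPasswords }",
    "Allow group YourGroupNameGoesHere to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for stmt, problems in check_policy(TYPO_STATEMENTS, "MY_CASB_GROUP").items():
        print(stmt)
        for p in problems:
            print("   !", p)
    print("production set clean:", is_clean(check_policy(PRODUCTION_STATEMENTS, "MY_CASB_GROUP")))
```

Run it with the group name you actually created as expected_group; an empty report for the production set means the five statements are safe to paste one at a time into the STATEMENT boxes. The check on verbs is deliberate: the OCI console will happily accept a manage statement, so the lint is the only place a broadening of the service account's rights gets noticed.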

Preparing a Public/Private Key Pair

Ensure that you have a public/private key pair available for use by Oracle Cloud Infrastructure (OCI) before you prepare and register an OCI instance to be monitored by Oracle CASB Cloud Service.

  1. Select Configuration from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. From the Configuration submenu, select CASB Key-Pair Management.
  3. If the Key generation date is not new enough, according to your organization's security policies, click Create new keys.
  4. Click Generate new keys.

    The User public key field is updated with a new key value.

  5. Click the Copy to Clipboard icon to copy the User public key value to the clipboard.

    You can also use the Download icon to download the public key to a file.

  6. Log in to the OCI console using the credentials for the dedicated Oracle CASB Cloud Service account user.
  7. Drop down the menu from the user icon in the top right corner and select the user ID.
  8. On the User Details page, under API Keys, click Add Public Key.

    Note:

    OCI allows a maximum of three public keys to be added. If the OCI console displays an error message indicating that the maximum number has already been reached, delete one of the keys listed under API Keys, and then add the new key.

  9. In the Add Public Key dialog box, paste the public key you just copied from the CASB Key-Pair Management page into the PUBLIC KEY box.

    If you downloaded the key to a file, open the oci_api_key_public.pem file, copy the entire contents, and then paste into the PUBLIC KEY box.

  10. When you have completed the steps above in the OCI console, return to the CASB Key-Pair Management page and click Install new keys.

    Caution:

    If another person, such as an admin, performs the steps above in the OCI console, ensure that those steps have been completed before you click Install new keys. Clicking Install new keys before the new public key has been added in the OCI console will disable all currently registered OCI application instances.
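The caution above turns on one fact you cannot see from the CASB side: whether the public key copied from the CASB Key-Pair Management page has actually been added under the OCI user's API Keys. The OCI console lists each uploaded API key by its fingerprint, the MD5 of the key's DER encoding written as colon-separated hex (the same value `openssl rsa -pubout -outform DER -in oci_api_key_public.pem | openssl md5 -c` prints). The following added example, which is not Oracle's code and not part of this page's procedure, computes that fingerprint locally from the PEM text copied or downloaded from the CASB console and compares it with the fingerprints shown in OCI, so that you only click Install new keys once a match is confirmed. The sample key body is a constructed 15-byte DER structure, not a real key; it exercises the parsing only.

```python
"""Confirm a CASB public key is registered in OCI before clicking Install new keys.

Added example, not Oracle's code. OCI identifies an uploaded API key by the MD5
of its DER encoding, shown as aa:bb:...:ff in the console. Computing the same
value from the PEM copied off the CASB Key-Pair Management page and matching it
against the console's API Keys list verifies the upload before the switch-over.
"""
import base64
import binascii
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(?P<body>.*?)-----END PUBLIC KEY-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM public key; reject anything that is not one."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM public key (BEGIN/END PUBLIC KEY markers missing)")
    body = "".join(m.group("body").split())  # tolerate CRLF, indentation, trailing spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # a SubjectPublicKeyInfo is a DER SEQUENCE
        raise ValueError("decoded key is not a DER SEQUENCE")
    return der


def oci_fingerprint(pem: str) -> str:
    """MD5 of the DER key as colon-separated hex, the form the OCI console displays."""
    digest = hashlib.md5(pem_to_der(pem)).hexdigest()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def key_is_registered(pem: str, console_fingerprints) -> bool:
    """True if the key's fingerprint appears among those listed under API Keys."""
    wanted = oci_fingerprint(pem)
    return any(fp.strip().lower() == wanted for fp in console_fingerprints)


# Constructed stand-in for a key body: a 15-byte DER SEQUENCE (the rsaEncryption
# AlgorithmIdentifier). It is NOT a usable public key; it only exercises the parsing.
_CONSTRUCTED_DER = bytes.fromhex("300d06092a864886f70d0101010500")
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(_CONSTRUCTED_DER).decode()
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    local = oci_fingerprint(SAMPLE_PEM)
    # Fingerprints as they might be read off the console's API Keys list (constructed).
    listed = ["00:" * 15 + "00", local.upper()]
    print("local fingerprint :", local)
    print("registered in OCI :", key_is_registered(SAMPLE_PEM, listed))
```

In practice, paste the contents of oci_api_key_public.pem into SAMPLE_PEM's place and the fingerprints from the OCI user's API Keys panel into the list; a False result means the upload step was skipped or a different key was added, and clicking Install new keys at that point would disable the registered OCI instances as the caution describes.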