Encrypt and Decrypt Data Using OCI Vault

Use this recipe to encrypt and decrypt field-level data by using the Oracle Cloud Infrastructure (OCI) Vault.

Note: This recipe is available as REST — OCI Vault | Encrypt and Decrypt Data in the Integration Store. Oracle provides this recipe as a sample only. The recipe is meant only for guidance, and is not warranted to be error-free. No support is provided for this recipe.

Overview

This recipe enables you to encrypt or decrypt data received from external systems using the OCI Vault. You can encrypt sensitive information (such as credit card details, salary information, and so on) before you pass it to target applications. Similarly, you can decrypt data from a third-party application and transfer it to another application.

This recipe uses the OCI Vault REST APIs to encrypt and decrypt the data through the REST adapter. It contains the following two integration flows:

System and Access Requirements

Before You Install the Recipe

To access OCI Vault from Oracle Integration and encrypt or decrypt data, you must perform certain configuration tasks on OCI.

Log in to your OCI instance as an Administrator and perform the following tasks.

  1. Create an OCI Vault for your master encryption keys. See Managing Vaults.

  2. Create a new master encryption key. See Managing Keys.

    Note: You can also upload your own master encryption keys if you want to manage your encryption keys.

  3. Get your Tenancy and User OCIDs. See Where to Get the Tenancy’s OCID and User’s OCID.

  4. Create your own private key or generate it from the OCI console. See How to Generate an API Signing Key.

  5. Get the key’s fingerprint. See How to Get the Key’s Fingerprint.

Install and Configure the Recipe

On your Oracle Integration instance, install the recipe package to deploy and configure the integration and associated resources.

  1. On the Oracle Integration home page, scroll to the Accelerators & Recipes section.

  2. Click Search All.

  3. Find the recipe package that you want to install.

  4. Select the package, and then click the Install icon.

  5. After the package is installed, click the Configure icon on the recipe card to configure the resources deployed by the package.

    The Configuration Editor page opens, displaying all the resources of the recipe package. Configure the following resources before you activate and run the recipe.

Configure the Oracle OCI Vault Connection

  1. On the Configuration Editor page, select Oracle OCI Vault Connection, then click Edit.
    The connection configuration page appears.

  2. In the Connection Properties section, enter the following details.

    Field: Information to Enter
    Connection Type: Leave REST API Base URL selected.
    Connection URL: Enter the Cryptographic Endpoint URL of the Vault you created earlier. See Before You Install the Recipe.

  3. In the Security section, enter the following details.

    Field: Information to Enter
    Security Policy: Select OCI Signature Version 1.
    Tenancy OCID: Enter the Tenancy OCID obtained earlier. See Before You Install the Recipe.
    User OCID: Enter the User OCID obtained earlier.
    Private Key: Enter the API key generated earlier.
      Note: Before you upload the private key, you must convert it into the PKCS1 format.
    Finger Print: Enter the key’s fingerprint obtained earlier.

  4. Click Save. If prompted, click Save for a second time.

  5. Click Test to ensure that your connection is successfully configured.
    A confirmation message is displayed if your test is successful.

  6. Click Back to return to the Configuration Editor page. Click Save again if prompted.
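
The private-key conversion and fingerprint steps above, as an added example that is not part of Oracle's recipe: it reports which PEM format a key file is in, rewrites the key in PKCS1 form with the openssl CLI, and computes the MD5 fingerprint of the public key. The script name and key file names are placeholders, and openssl 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: helpers for an OCI API signing key (RSA, PEM).
# File names are placeholders; requires the openssl CLI (1.1.0 or later).

# Report the PEM container of a private key from its first line.
# CR characters are stripped so keys saved with Windows line endings match.
pem_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write key $1 to $2 in traditional (PKCS1) form, readable by the owner only.
# An encrypted input makes openssl prompt for its passphrase.
to_pkcs1() {
    ( umask 077 && openssl pkey -in "$1" -traditional -out "$2" )
}

# Fingerprint: MD5 over the DER-encoded public key, as colon-separated hex.
# The key material is unchanged by the conversion, so the value is the same
# for the PKCS8 and PKCS1 files.
api_key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER | openssl md5 -c | awk '{print $NF}'
}

# Usage: sh oci_key.sh api_key.pem api_key_pkcs1.pem
if [ -n "${2:-}" ]; then
    echo "input format : $(pem_format "$1")"
    to_pkcs1 "$1" "$2"
    echo "output format: $(pem_format "$2")"
    echo "fingerprint  : $(api_key_fingerprint "$2")"
fi
```

A file that already begins with BEGIN RSA PRIVATE KEY is in PKCS1 form and can be uploaded as it is; the printed fingerprint should match the one shown for the API key in the OCI console.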

Configure the Lookup Table

The Oracle_Encrypt_Decrypt_Data table contains a set of configurable values. Edit the table to update its fields.

  1. On the Configuration Editor page, select Oracle_Encrypt_Decrypt_Data, and click Edit.

  2. Against the KeyId cell, enter the OCID of the master encryption key created earlier. See Before You Install the Recipe.

  3. Against the EmailTo cell, enter an email address to which run-time exception emails are sent.

  4. Against the EmailFrom cell, enter an email address from which run-time exception emails are sent.

  5. Against the ApiVersion cell, enter the REST API version of the OCI Vault REST APIs. To obtain the API version, see API Reference and Endpoints.

  6. Click Save. If prompted, click Save for a second time.

  7. Click Back to return to the Configuration Editor page.

Activate and Run the Recipe

After you’ve configured the connections and other resources, activate the recipe package and run it.

  1. On the Configuration Editor page, click Activate in the title bar. In the Activate Package dialog, click Activate again.
    A confirmation message is displayed, informing you that the integrations have been submitted for activation. Refresh the page to view the updated status of the integrations.

    Note: To avoid logging of sensitive information, leave the Include Payload box unchecked while activating the recipe.

  2. Run the recipe from an external application.

    1. On the Configuration Editor page, select either of the integration flows and click Run.

    2. On the resulting pop-up dialog, click the Metadata URL link.

    3. From the new tab that opens, copy the Endpoint URL value. This is the integration flow’s endpoint URL.

    4. From the external application, send a POST request to this endpoint URL along with the plain text or cipher text that you want to encrypt or decrypt. Provide the text in the POST request’s Body field. See the subsequent step for example request payloads.
      The recipe encrypts or decrypts the data you pass in the request body.

  3. Test the recipe in Oracle Integration.

    1. On the Configuration Editor page, select an integration flow.

    2. Click Run, then click Test.
      The page to test the integration with sample data is displayed.

    3. In the Request section, click Body and enter the request data.

      Example request payload to encrypt data:

      {
          "plain_text": "oracle"
      }

      Example request payload to decrypt data:

      {
          "cipher_text": "QW3HfP0AD4bvAFJgNV2RrrLrbuNAmKxa2MhaUhFlsgUU2DwAgMWxp6MWZFcAAAAA"
      }

    4. Click Test.
      The recipe invokes an OCI Vault REST API to encrypt or decrypt the data. The Activity Stream pane appears displaying the status of the integration instance’s execution.

    5. In the Response section of the test page, under the Body tab, you’ll find a success response, 200 OK.

Related Documentation