Prerequisites for Creating a Connection

You must satisfy the following prerequisites to create a connection with the Oracle Cloud Infrastructure Streaming Service Adapter.

This information is required when configuring the Oracle Cloud Infrastructure Streaming Service Adapter on the Connections page.

Assign the Correct Permissions

Assign the correct permissions to the Oracle Cloud Infrastructure Streaming Service group in the Oracle Cloud Interface Console. This group must contain the SASL user that you enter when creating a connection on the Connections page.

Allow group StreamUsers to manage streams in tenancy/compartment        
Allow group StreamUsers to manage stream-pull in tenancy/compartment

Allow group StreamUsers to manage stream-push in tenancy/compartment

Policy details about letting users publish messages to and a specific stream and consume messages from streams are described in the Oracle Cloud Infrastructure documentation. See Common Policies and Details for the Streaming Service.

Know the Bootstrap Server Host Name and Port

Know the host and port of the bootstrap server to use to connect to a list of Oracle Cloud Infrastructure Streaming Services.

Know the SASL Username and Password

Know the SASL username and password for the Simple Authentication and Security Layer (SASL) over SSL security policy. The username is a combination of the tenancy name, stream user name, and stream pool OCID separated by forward slashes (/). For example:
xxxtenant/abcuser/yyystreampoolocid
  1. Obtain the tenancy name in the Oracle Cloud Infrastructure Console.
    1. From the Profile icon in the upper right corner of the page, select Tenancy. The name is displayed in the title and the Name field.


      Description of tenancy.png follows
      Description of the illustration tenancy.png

  2. Know the stream user name. This is a user with authorization to publish or consume messages from the stream.
  3. Obtain the stream pool OCID by navigating to the streaming instance you are using in the left navigation pane of the Oracle Cloud Infrastructure Console.
    1. Select Analytics & AI > Streaming > Stream Pools > Default Pool (or the specific pool name you are using).
    2. Copy the OCID value.
  4. Generate the SASL password to access the Oracle Cloud Infrastructure Streaming Service. This is an authorization token generated for the streams user. The password can be generated from the streaming instance.
    1. Select Identity & Security, then select Users.
    2. In the Name column, click the specific user and select Auth Tokens.
    3. Click Generate Token.
    4. Use this token as the password.

Know the Trust Store (Optional)

Optionally know the trust store. You generate the trust store from the certificate given for the Oracle Cloud Infrastructure Streaming Service. There are two methods:
  • Create the certificate from the command prompt.
  • Obtain the certificate from the browser. The steps vary from browser to browser.
The following examples are provided:
  1. From the command prompt:
    1. Enter the following command:
      echo -n | openssl s_client -connect HOST:PORT | sed -ne  '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert_file_name
      keytool -keystore jks_file_name -alias alias_name -import -file cert_file_name
      For example:
      echo -n | openssl s_client -connect streaming.region-1.oci.oraclecloud.com:9092 | sed -ne  '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ociStreaming.cert
      keytool -keystore Streaming_truststore.jks -alias OSSStream -import -file ociStreaming.cert

      Where region is your instance's region.

      This creates the jks file that you upload on the Connections page.

  2. From the browser:
    1. Log in to the Oracle Cloud Infrastructure Console:
    2. From the navigation pane, select Analytics & AI, and then Streaming.
    3. In the Name column, click the stream instance.
    4. Copy the URL in the Messages Endpoint field.
    You are now ready to export the certificate from your browser of choice. Two examples are provided below:
    • Export the certificate from Chrome:
    • Export the certificate from Firefox:

    Note:

    Only the root certificate should be exported, and not the chain or intermediate certificate.
  3. Export the certificate from Chrome:
    1. Enter the messages endpoint URL in the browser, and press Enter.
    2. Click the lock icon in the URL.
      The lock icon is being selected to the right of the URL field. Below is the Google Chrome label and Set as default button. Below that is the code not found message.

    3. Select Connection is secure, then Certificate is valid.
    4. Click the Details tab.
    5. Click Copy to File.
      The General, Details (which is selected), and Certificate Path tabs are shown. Below is the Show list, and a table with Field and Value columns. Below are the Edit Properties button and Copy to File button.

    6. Follow the steps in the Certificate Export Wizard to export the root certificate.
  4. Export the certificate from Mozilla Firefox:
    1. Enter the messages endpoint URL in the browser, and press Enter.
    2. Click the lock icon in the URL.
      The lock icon is being selected to the right of the URL field. Below are the JSON (which is selected), Raw Data, and Headers tabs. Below are the Save, Copy, Collapse All, Expand All, and Filter JSON buttons. Below that are the code not found and message not found entries.

    3. Select Connection Secure > More Information.
    4. Click View Certificate.
    5. Select the top level root certificate, then scroll to the Miscellaneous section to download.
      The DigiCert Global G2 TLS RSA SHA256 2020 CA1 and DigiCert Global Root G2 certificates. Below is the Subject Name section, which includes the Country, Organization, Organizational Unit, and Common Name details. Below is the Issuer Name section, which includes the Country, Organization, Organizational Unit, and Common Name details.

    6. Download the root certificate.


      The Miscellaneous section shows the Serial Number, Signature Algorithm, Version, and Download details. The PEM (cert) link in the Download section is being selected.

    7. Use the certificate to generate the trust store using the keytool utility found in the /oracle/jdk/bin directory of your host. You must have Oracle Java installed on your host. You cannot use OpenJDK.

      For example, you can generate the trust store with the following command:

      keytool -keystore oss_server_truststore2.jks -alias CARoot1 -import -file D:\temp\DigiCertGlobalRootCA1.crt
      Where:
      • filename.jks is any name you want to use.
      • CARoot1 is anything you want to use.
      • filename.crt is the file you exported earlier from the security link in your browser.

      This creates the jks file that you upload on the Connections page.