6 Verifying your Private Endpoint from an OCI VM

This chapter guides you through confirming that your AIFCS Private Endpoint is correctly configured and operational. You will create a temporary OCI VM, configure it with the required tools, fetch the necessary credentials, and connect to your AIFCS ADW database to verify connectivity.

At this point:

• Your AIFCS environments have been provisioned.
• Each AIFCS environment has an ADW instance.
• Your Private Endpoint setup is complete for each of your AIFCS environments (that is, PROD, STG, and UAT).

In order to verify that your private endpoint connection is working properly, you need an appropriately configured VM with:

• Java 11 Open JDK
• SQLcI
• A database wallet for each of your environments

Note:

You are creating this VM for verification. If you do not intend to use it beyond verification, you should delete it to avoid future charges.

Create an OCI VM

This section explains how to provision a compute instance in OCI. It covers selecting the appropriate compartment, network configuration, and SSH key setup to ensure the VM can access your private endpoint.

1. Sign in to the OCI Console for your tenancy. Ensure you are in the same region as the AIFCS deployment.
2. Click the navigation menu in the upper left corner of the OCI Console, and then select Identity & Security > Compartments.
3. Click Create Instance.
   1. Name: Enter a name for your compute instances (that is, VM).
   2. Create in Compartment: Select your dedicated private endpoint compartment.
   3. Placement: Accept the default.
   4. Image: Accept the default.
4. Click Next.
5. Accept the Security defaults. Click Next.
   1. VNIC Name: Enter a name for your VNIC (that is, VM).
   2. Primary network: Choose Select existing virtual cloud network.
      1. Virtual cloud network compartment: Select your dedicated private endpoint compartment.
      2. Virtual cloud network: Select your dedicated private endpoint VCN.
   3. Subnet: Choose Select existing subnet.
      1. Subnet compartment: Select your dedicated private endpoint compartment.
      2. Subnet: Select your public subnet. Although database traffic will flow through the private endpoint, the VM requires a public IP to allow SSH access for verification purposes.
   4. Private IPv4 addresses: Select Automatically assign private IPv4 addresses.
   5. Automatically assign public IPv4 addresses: Enabled
   6. Add SSH keys:
      1. Select Generate a key pair for me.
      2. Click Download private key.
      3. Click Download public key.
      4. Retain the private and public keys, preferably in ~/.ssh/my_private.key
   7. Accept the Storage defaults. Click Next.
   8. Review and then click Create. Your instance will take a moment to build.

   9. Click the navigation menu in the upper left corner of the OCI Console, and then select Compute & Instances. Note the Public IP address of your newly created VM.

Connecting to Your VM

This section describes how to securely access the newly created OCI VM over SSH from your local machine. The instructions provide the necessary command format and remind you to use the correct private key permissions.

The following example was run on MacOSX:

1. Open a terminal window.

2. SSH into your VM.

   ssh -i <private_key> opc@<public_ip>

Configuring Your VM

This section describes how to prepare the VM with the tools needed to connect to your AIFCS database. It includes steps to install Java 11 (required for SQLcI), download and set up SQLCI, and configure your environment for easy execution.

1. Install Java 11 Open JDK (needed for SQLcI).

   sudo dnf install java-11-openjdk

2. Install SQLcI.

   # In HOME directory create a tools directory
   mkdir tools
   # Set current working directory to ~/tools
   cd tools
   # Download and unzip SQLcl
   curl -O https://download.oracle.com/otn_software/java/sqldeveloper/sqlcl-latest.zip
   unzip sqlcl-latest.zip
   # Return to HOME directory
   cd
   # For persistence, append the export line to .bashrc
   echo 'export PATH=$PATH:$HOME/tools/sqlcl/bin' >> ~/.bashrc
   # Update Linux environment
   source ~/.bashrc
   

Fetching Credentials for your VM

You will retrieve the database wallet and schema credentials required for secure access. The steps guide you through generating an authentication token, fetching credentials from the Credential Exchange Service, decoding the wallet files, and configuring them for SQLcI.

1. Generate the authentication token. In order to obtain a wallet for accessing the AIFCS database through your private endpoint, you need an access token.

   #Assign you client id and secret to environment variables. 
   #Replace your_client_id and your_client_secret with the 
   #credentials obtained when creating your OAuth 2.0 client. 
   CLIENT_ID=”your_client_id”
   CLIENT_SECRET=”your_client_secret”
   #Combine the client ID and secret, then encodei n Base64
   #Assign the result to an environment variable
   ENCODED_CREDS=$(echo -n “${CLIENT_ID}:${CLIENT_SECRET}” | base64 -w 0)
   
   echo “Encoded Base64 credentials: $ENCODED_CREDS
   
   #Use cURL to obtain the authentication token
   RESPONSE=$(curl -–location –-request\
   POST https://<idcs authorization server host>/oauth2/v1/token \
   --header “Content-Type: application/x-www-form-urlencoded” \
   --header “Authorization: Basic #{ENCODED_CREDS}” \
   --data-urlencode “grant_type=client_credentials” \
   --data_urlencode “scope=urn:opc:idm: myscopes “{
   
   #Extract the token using jq
   ACCESS_TOKEN=$(echo ${RESPONSE} | jq -r .access_token)
   echo ${ACCESS_TOKEN}
   

2. Fetch the token.

   # Assign your region, customer_id, and env to environment variables.
   REGION=your_region
   CUSTOMER_ID=your_customer_id
   ENV=your_env
   CES_URL=https://home.retail.${REGION}.ocs.oracle.com:443/rgbu-common-${CUSTOMER_ID}-
   ${ENV}
   curl --location "${CES_URL}/api/data-pe/v1/fetch-credentials" \
   --header "Authorization: Bearer ${ACCESS_TOKEN}" > response.json
   

3. Decode the wallet.

   # Extract wallet and schema credentials
   cat response.json | jq -r '.wallets' > wallets.json
   cat response.json | jq -r .schemas > schemas.json
   # Create a wallet directory
   mkdir -p wallet
   # Extract wallets to the wallet directory
   cat wallets.json | jq -r '.wallet.README' | base64 -d > wallet/README
   cat wallets.json | jq -r '.wallet."cwallet.sso"' | base64 -d > wallet/cwallet.sso
   cat wallets.json | jq -r '.wallet."ewallet.p12"' | base64 -d > wallet/ewallet.p12
   cat wallets.json | jq -r '.wallet."keystore.jks"' | base64 -d > wallet/keystore.jks
   cat wallets.json | jq -r '.wallet."ojdbc.properties"' | base64 -d >
   wallet/ojdbc.properties
   cat wallets.json | jq -r '.wallet."sqlnet.ora"' | base64 -d > wallet/sqlnet.ora
   cat wallets.json | jq -r '.wallet."tnsnames.ora"' | base64 -d > wallet/tnsnames.ora
   cat wallets.json | jq -r '.wallet."truststore.jks"' | base64 -d >
   wallet/truststore.jks
   

4. Set the TNS Admin.

   #Make wallet accessible to SQLcl
   export TNS_ADMIN=$HOME/wallet
   echo ‘TNS_ADMIN=$HOME/wallet ‘ >> ~/.bashrc 
   

Connecting to your Database

This section describes using the wallet and SQLcI to establish a secure connection to your AIFCS ADW database. You will select a schema and service name, set the TNS_AMDIN variable, and verify successful connectivity.

In order to connect to your database, you need:

• A schema name and password

  Choose a schema name and password from your schemas.json file.

• A service name

  Choose a service name from tnsnames.ora, for example <name>_low.

Log in to your AIFCS ADW database using:

sql RASE01@<name>_low

Securely Copying your Wallet with SCP

You can use Secure Copy Protocol (SCP) to securely transfer your database wallet to and from your OCI VM over an encrypted SSH connection. Always keep your private key and wallet files protected.

Upload the Wallet to the OCI VM (local to remote)

scp -i ~/.ssh/my_private.key /path/to/wallet.zip opc@<public_ip>:/home/opc/

Download the Wallet from the OCI VM (remote to local)

scp -i !/.ssh/my_private.key opc@<public_ip>:/home/opc/wallet.zip /path/to/local/

Guidelines

• Use the -i option to specify the SSH private key generated when you provisioned the VM.
• Transfer files only to secure directories such as /home/opc/.
• After copying, set restrictive permissions on the wallet: chmod 600 /home/opc/wallet.zip
• Extract and use the wallet only where needed.
• Delete the wallet files from both the VM and your local machine after verification to prevent unauthorized access.

Security and Cost Control

These practices help prevent unauthorized access and reduce exposure of sensitive data:

• Delete the verification VM once you have confirmed that the private endpoint is functioning correctly. Leaving it running may expose it to unnecessary risk and incur additional charges.
• Securely remove any downloaded credentials, including the database wallet and schema password files, after verification is complete.
• Do not share the private key, wallet files, or access tokens with unauthorized users. Store them in a secure location and limit access to only those who require it.
• Rotate OAuth2 client secrets if they were exposed during testing, following your organization’s security policies.