Call Web Services from Autonomous Database

Describes options for calling Web Services from Autonomous Database.

There are a number of options for calling Web Services from Autonomous Database, including the following:

• Use DBMS_CLOUD REST APIs: The DBMS_CLOUD.SEND_REQUEST function begins an HTTP request, gets the response, and ends the response. This function provides a workflow for sending a cloud REST API request with arguments and the function returns a response code and payload. See SEND_REQUEST Function and Procedure for more information.

• Use Oracle APEX: You can interact with both SOAP and RESTful style web services from APEX in your Autonomous Database instance. See Use Web Services with Oracle APEX for more information.

• Use UTL_HTTP to submit a request to a public site: See Submit an HTTP Request to a Public Host for more information.

• Use UTL_HTTP to submit a request to a private site: See Submit an HTTP Request to a Private Host for more information.

See PL/SQL Packages Notes for Autonomous Database for information on restrictions for UTL_HTTP on Autonomous Database.

Topics

• Submit an HTTP Request to a Public Host
  Provides details for using UTL_HTTP to submit an HTTP request on a public host.
• Submit an HTTP Request to a Private Host
  Describes the steps to use UTL_HTTP to submit an HTTP request on a private host.
• Submit an HTTP Request to Private Site with a Proxy
  When your Autonomous Database instance is on a private endpoint you can use a proxy to submit HTTP requests with UTL_HTTP.
• Use Credential Objects to Set HTTP Authentication
  Describes how to pass a credential objects to UTL_HTTP.SET_CREDENTIAL procedure.

Submit an HTTP Request to a Public Host

Provides details for using UTL_HTTP to submit an HTTP request on a public host.

For example, to submit an HTTP request for a public host www.example.com, create an Access Control List for the host:

BEGIN
   DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
         host => 'www.example.com',
         ace =>  xs$ace_type( privilege_list => xs$name_list('http'),
                              principal_name => 'ADMIN',
                              principal_type => xs_acl.ptype_db));
END;

Then submit the HTTP request:

SELECT UTL_HTTP.REQUEST(url => 'https://www.example.com/') FROM dual;

Note:

If your Autonomous Database instance is on a private endpoint and you want your UTL_HTTP calls to public hosts to be subject to your private endpoint VCN's egress rules, set the ROUTE_OUTBOUND_CONNECTIONS database property to PRIVATE_ENDPOINT.

See Enhanced Security for Outbound Connections with Private Endpoints for more information.

See PL/SQL Packages Notes for Autonomous Database for information on restrictions for UTL_HTTP on Autonomous Database.

Submit an HTTP Request to a Private Host

Describes the steps to use UTL_HTTP to submit an HTTP request on a private host.

To submit a request to a target host on a private endpoint, the target host must be accessible from the source database's Oracle Cloud Infrastructure VCN. For example, you can connect to the target host when:

• Both the source database and the target host are in the same Oracle Cloud Infrastructure VCN.

• The source database and the target host are in different Oracle Cloud Infrastructure VCNs that are paired.

• The target host is an on-premises network that is connected to the source database's Oracle Cloud Infrastructure VCN using FastConnect or VPN.

Note:

Making UTL_HTTP calls to a private host is only supported in commercial regions and US Government regions.

This feature is enabled by default in all commercial regions.

This feature is enabled by default in US Government regions for newly provisioned databases.

For existing US Government databases on a private endpoint, if you want to make UTL_HTTP from an Autonomous Database to a target in a US Government region, please file a Service Request at Oracle Cloud Support and request to enable the private endpoint in government regions database linking feature.

US Government regions include the following:

• Oracle Cloud Infrastructure US Government Cloud with FedRAMP Authorization
• Oracle Cloud Infrastructure US Federal Cloud with DISA Impact Level 5 Authorization

To make a UTL_HTTP request to a target on a private endpoint:

1. Create an Access Control List for the host.

   For example:

   BEGIN
      DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
            host => 'www.example.com',
            ace => xs$ace_type( privilege_list => xs$name_list('http'),
                                principal_name => 'ADMIN',
                                principal_type => xs_acl.ptype_db),
                                private_target => TRUE);
   END;
   /

   As shown in this example, when you create an Access Control List for the host specify the private_target parameter with the value TRUE.

   Note:

   If you set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, setting the private_target parameter to TRUE is not required in this API. See Enhanced Security for Outbound Connections with Private Endpoints for more information.

2. Submit the HTTP request:

   SELECT UTL_HTTP.REQUEST(
                   url => 'https://www.example.com/',
                   https_host => 'www.example.com') 
                FROM dual;

See PL/SQL Packages Notes for Autonomous Database for information on restrictions for UTL_HTTP on Autonomous Database.

Submit an HTTP Request to Private Site with a Proxy

When your Autonomous Database instance is on a private endpoint you can use a proxy to submit HTTP requests with UTL_HTTP.

When your Autonomous Database instance is on a private endpoint, to use UTL_HTTP with a target proxy the target proxy must be accessible from the source database's Oracle Cloud Infrastructure VCN.

For example, you can connect using a proxy when:

• Both the source database and the proxy server are in the same Oracle Cloud Infrastructure VCN.

• The source database and the proxy server are in different Oracle Cloud Infrastructure VCNs that are paired.

• The proxy server is an on-premises network that is connected to the source database's Oracle Cloud Infrastructure VCN using FastConnect or VPN.

Note:

Making UTL_HTTP calls to a proxy server on a private endpoint is only supported in commercial regions and US Government regions.

This feature is enabled by default in all commercial regions.

This feature is enabled by default in US Government regions for newly provisioned databases.

For existing US Government databases on a private endpoint, if you want to make UTL_HTTP from an Autonomous Database to a target in a US Government region, please file a Service Request at Oracle Cloud Support and request to enable the private endpoint in government regions database linking feature.

US Government regions include the following:

• Oracle Cloud Infrastructure US Government Cloud with FedRAMP Authorization
• Oracle Cloud Infrastructure US Federal Cloud with DISA Impact Level 5 Authorization

To use a proxy server with UTL_HTTP:

1. Set the HTTP_PROXY ACL on the proxy server.

   For example:

   BEGIN
     DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
          host =>'www-proxy-example.com',
          ace  => xs$ace_type(privilege_list => xs$name_list('HTTP_PROXY'),
                              principal_name => 'APPUSER1',
                              principal_type => xs_acl.ptype_db),
                              private_target => TRUE);
   END;
   /

   As shown in this example, when you create an Access Control List for the proxy server specify the private_target parameter with the value TRUE.

   Note:

   If you set ROUTE_OUTBOUND_CONNECTIONS to PRIVATE_ENDPOINT, setting the private_target parameter to TRUE is not required in this API. See Enhanced Security for Outbound Connections with Private Endpoints for more information.
2. Set the HTTP ACL on the remote Web Server.

   For example:

   BEGIN
     DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
           host =>'example.com',
           ace => xs$ace_type( privilege_list => xs$name_list('HTTP'),
                               principal_name => 'APPUSER1',
                               principal_type => xs_acl.ptype_db)
   END;
   /

3. Set the wallet and the proxy for UTL_HTTP.

   For example:

   BEGIN
      UTL_HTTP.SET_WALLET('');
      UTL_HTTP.SET_PROXY('www-proxy-example:80');
   END;
   /

4. Submit an HTTP request:

   SELECT UTL_HTTP.REQUEST(    
                       url         => 'https://www.example.com/',
                       https_host  => 'www.example.com')
                FROM dual;

Notes for setting a proxy server with UTL_HTTP.SET_PROXY:

• DBMS_CLOUD requests do not honor the proxy server you set with UTL_HTTP.SET_PROXY. This includes DBMS_CLOUD.SEND_REQUEST and all object storage access for DBMS_CLOUD external tables that you define with DBMS_CLOUD.CREATE_EXTERNAL_TABLE, DBMS_CLOUD.CREATE_EXTERNAL_PART_TABLE, or DBMS_CLOUD.CREATE_HYBRID_PART_TABLE.

• APEX_WEB_REQUEST requests do not honor the proxy server you set with UTL_HTTP.SET_PROXY.

See PL/SQL Packages Notes for Autonomous Database for information on restrictions for UTL_HTTP on Autonomous Database.

Use Credential Objects to Set HTTP Authentication

Describes how to pass a credential objects to UTL_HTTP.SET_CREDENTIAL procedure.

The UTL_HTTP.SET_CREDENTIAL procedure sets HTTP authentication information in the HTTP request header. The Web server needs this information to authorize the request.

The UTL_HTTP.SET_CREDENTIAL procedure enables you to pass credential objects to set HTTP authentication. Credential objects are schema objects, hence they can be accessed only by privileged users and enable you to configure schema-level privileges to access control the credentials. Passing credential objects is an appropriate and secure way to store and manage username/password/keys to be used for authentication.

The UTL_HTTP.SET_CREDENTIAL procedure is a secure and convenient alternative to UTL_HTTP.SET_AUTHENTICATION procedure.

Example

...
UTL_HTTP.SET_AUTHENTICATION (l_http_request, 'web_app_user', 'xxxxxxxxxxxx');
...

As shown in the example above, when you invoke SET_AUTHENTICATION procedure, you must pass the username/password in clear text as part of PL/SQL formal parameters. You might need to embed the username/password into various PL/SQL automation or cron scripts. Passing clear text passwords is a compliance issue that is addressed in UTL_HTTP.SET_CREDENTIAL procedure.

See SET_AUTHENTICATION Procedure and SET_AUTHENTICATION_FROM_WALLET Procedure for more information.

UTL_HTTP.SET_CREDENTIAL Syntax

UTL_HTTP.SET_CREDENTIAL (
    r          IN OUT NOCOPY req,
    credential IN VARCHAR2,
    scheme     IN VARCHAR2 DEFAULT 'Basic',
    for_proxy  IN BOOLEAN  DEFAULT FALSE);

Example to pass a credential object in the SET_CREDENTIAL procedure:

• Create a credential object:

  BEGIN DBMS_CLOUD.CREATE_CREDENTIAL (
      credential_name => 'HTTP_CRED',
      username        => 'web_app_user',
      password        => '<password>' );
  END;

  This creates a credential object which creates a stored username/password pair.

  See CREATE_CREDENTIAL Procedure for more information.

  See Specifying Scheduler Job Credentials for more information.

• Invoke UTL_HTTP.SET_CREDENTIAL procedure:

  DECLARE
        l_http_request  UTL_HTTP.REQ;
      BEGIN 
        l_http_request := UTL_HTTP.BEGIN_REQUEST('https://www.example.com/v1/dwcsdev/NAME/dwcs_small_xt1.csv');
        UTL_HTTP.SET_CREDENTIAL (l_http_request, 'HTTP_CRED','BASIC');
        ...
  END;
  

  This example first creates a request by invoking the BEGIN_REQUEST procedure and sets HTTP authentication information in the HTTP request header by invoking the SET_CREDENTIAL procedure. The Web server needs this information to authorize the request. The value l_http_request is the HTTP request, HTTP_CRED is the credentials name and BASIC is the HTTP authentication scheme.

See UTL_HTTP for more information.

See PL/SQL Packages Notes for Autonomous Database for information on restrictions for UTL_HTTP on Autonomous Database.