Because your inbound and outbound data files are transmitted over the internet and often contain sensitive company information and financial transactions such as journal entries, invoices, payments and bank records, data encryption is a critical element in implementing your integrations with Oracle ERP Cloud. You can secure data files exchanged between Oracle ERP Cloud R11+ and your on-premise/PaaS applications or systems. This is supported through the ERP integration service, which supports 100+ interfaces across Financials, Project Portfolio Management, Procurement and Supply Chain Management.
The following diagram illustrates the import integration flow (also known as File-Based Data Import - FBDI). Please refer to this post for more details.
The following diagram illustrates the export process (extracting data out of ERP Cloud). Please refer to this post for more details.
Oracle ERP Cloud supports Pretty Good Privacy (PGP) unsigned encryption with a 1024 key size. There are two types of encryption keys:
1. Oracle ERP Cloud Key: The customer uses the public key to encrypt the data file, and the import bulk data process uses the corresponding private key to decrypt the data file before starting the load and import process. The file stored in the content server (UCM) remains encrypted.
2. Customer Key: ERP Cloud uses the customer's public key to encrypt the extracted file and uploads it to UCM. The customer uses their private key to decrypt the file in on-premise or PaaS systems.
Certificates establish keys for the encryption and decryption of data that Oracle Cloud applications exchange with other applications. The Oracle Fusion Applications Security Console is an easy-to-use administrative interface that you access by selecting Tools - Security Console on the home page or from the Navigator. Use the Certificates page in the Security Console functional area to manage PGP certificates.
This is a Security Console Screen:
From the Certificates page, select the Generate option. On the Generate page, select the certificate format PGP, and enter values appropriate for the format.
For a PGP certificate, these values include:
Once the key is generated, the customer must export the public key, which is used to encrypt the FBDI data file.
Follow these steps to export the public key:
ERP Cloud uses the customer's public key to encrypt the outbound file. The customer decrypts this file using their private key. Follow these steps to import the customer's public key:
The Certificates page displays a record for the imported certificate, with the Private Key cell unchecked.
Please refer to this post on automating the bulk import process. This post documents only the additional information needed to encrypt the file.
When encryption is enabled, ERP Cloud decrypts the inbound data file using the cloud private key before starting the load and import process. The following steps enable encryption in your import process:
Encrypt the inbound data (zip) file using the Oracle ERP Cloud public key. Use the "gpg" utility on a Linux system to encrypt the file as follows:
Import the ERP Cloud public key (one-time configuration) using the following command:
    gpg --import <MY_ERP_KEY_pub.asc>
    # Verify the imported key using this command
    gpg --list-keys
Once the public key is imported, use the following command to encrypt your inbound data file:
    gpg --cipher-algo AES --recipient <alias> --encrypt <my_data_file>.zip
The encrypted file is written as <my_data_file>.zip.gpg.
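As a pre-upload check on the .gpg file, the following added example (not part of the original post or of any Oracle tooling) reads the leading OpenPGP packets and lists the key IDs the file is encrypted to, so a plaintext zip or a file encrypted to the wrong key is caught before importBulkData is called. The function names and sample bytes are constructed for illustration; the expected key ID is assumed to be the one that `gpg --list-keys --keyid-format long` shows for the encryption subkey of the ERP Cloud key.

```python
# Added example: pre-upload check on a gpg-encrypted FBDI file (RFC 4880 packet headers).
import struct

def read_packet(buf, pos):
    """Return (tag, body_start, body_len) for the packet at pos; body_len None if streamed."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not a binary OpenPGP message (plaintext zip or ASCII armor?)")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None                    # partial body length
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        return tag, pos + 1, None                    # indeterminate length
    width = 1 << ltype                               # 1, 2 or 4 length octets
    return tag, pos + 1 + width, int.from_bytes(buf[pos + 1:pos + 1 + width], "big")

def pkesk_recipients(buf):
    """Hex key IDs from the leading public-key encrypted session key packets (tag 1)."""
    ids, pos = [], 0
    while pos < len(buf):
        tag, start, length = read_packet(buf, pos)
        if tag != 1 or length is None:               # reached the encrypted data packet
            break
        if buf[start] != 3:
            raise ValueError("unsupported session key packet version")
        ids.append(buf[start + 1:start + 9].hex().upper())
        pos = start + length
    return ids

def encrypted_for(buf, expected_key_id):
    """True if one recipient matches expected_key_id (16 hex digits, encryption subkey)."""
    return expected_key_id.upper() in pkesk_recipients(buf)

# Constructed sample, not real gpg output: one session key packet for key ID
# A1B2C3D4E5F60718 (algorithm 1 = RSA, dummy 8-bit MPI), then an encrypted data packet (tag 18).
SAMPLE = (b"\x84\x0d\x03" + bytes.fromhex("A1B2C3D4E5F60718") + b"\x01\x00\x08\xab"
          + b"\xd2\x03\x01\xaa\xbb")

if __name__ == "__main__":
    print(pkesk_recipients(SAMPLE))                  # recipients of the sample
    print(encrypted_for(SAMPLE, "a1b2c3d4e5f60718"))
```

A key ID of all zeros means the recipient was hidden at encryption time (gpg's `--throw-keyids`), so the check cannot confirm the target key in that case. The packet records the ID of the key that actually encrypted the session key, which is usually an encryption subkey and not the primary key.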
In the importBulkData payload, provide the following job options:

| Options | Value |
| --- | --- |
| FileEncryption | PGPUNSIGNED |
| FA_ALIAS | ERP Cloud Key Alias Name |
| CUSTOMER_ALIAS | Customer Key Alias Name |

Example in your importBulkData request payload: <typ:jobOptions>FileEncryption=PGPUNSIGNED,FA_ALIAS=<ERP_CLOUD_KEY>,CUSTOMER_ALIAS=<CUSTOMER_KEY></typ:jobOptions>
Note: Alias names are defined when you generate the ERP Cloud key or import the customer key.
The following sample payload illustrates the Journal import process request payload:
<soapenv:Body> |
Please refer to this post on automating the bulk export process. When encryption is enabled, ERP Cloud encrypts the extracted data file using the customer's public key and uploads it to UCM. The following steps enable encryption in the export process:
In the exportBulkData payload, provide the following job options:

| Options | Value |
| --- | --- |
| FileEncryption | PGPUNSIGNED |
| FA_ALIAS | ERP Cloud Key Alias Name |
| CUSTOMER_ALIAS | Customer Key Alias Name |

Example in your exportBulkData request payload: <typ:jobOptions>FileEncryption=PGPUNSIGNED,FA_ALIAS=<ERP_CLOUD_KEY>,CUSTOMER_ALIAS=<CUSTOMER_KEY></typ:jobOptions>
Note: Alias names are defined when you generate the ERP Cloud key or import the customer key.
The following sample payload illustrates the export process request payload:
<soap:Body> </ns1:exportBulkData> |
Decrypt the output file using the customer's private key. To decrypt the outbound data file:
First, import the customer's private key as follows:
    gpg --allow-secret-key-import --import <my_private.asc>
    # Verify the imported key using this command
    gpg --list-keys
Once the customer's private key is imported, use the following command to decrypt your outbound data file:
    gpg --decrypt <EncryptedFileName> > <DecryptedFileName>
This post provides detailed information on how to protect both inbound and outbound data files. This protection is in addition to SSL and the Oracle Web Service Manager (OWSM) message protection policy over the internet.
Hi All,
I am looking for some inputs around the best practice to create custom roles (with specific Privileges to access Web / REST Services) for the integration user account created in Oracle ERP Cloud.
Thanks in advance.
Regards,
Nagesh.
Hi,
Does anyone have a full list of the object attachment service entities and user keys? We are trying to migrate from ebus to ERP cloud but struggling with attachments.
Caroline
Hello Experts,
Item EFF's Are Not Updated Using ItemServiceV2 Service. We followed note: 2540771.1 to update the Item EFF. The service runs fine but when we check the value from front end UI, there is no change. Kindly find the request and response payload in attachment. Also find the Item EFF screen from Oracle ERP in attachment.
Kindly review and let us know the issue with the payload.
Submit your questions for the ERP / SCM - R12 Security Deep Dive for ERP Customers with Pre-Upgrade Effort session to have them answered during the live event. Post your questions by posting a new comment to this topic.
Please submit your questions by Tuesday, January 31, 2017.
We are looking at activating 3 languages (French, Spanish, Arabic) in our Oracle Cloud environments (Financials, SCM, HCM) and would like to hear about some of the challenges and experiences with multiple languages, especially as it relates to system performance, report development, integration, conversion, etc. Any information or document on experience would be appreciated.