Provisioning and Administering Oracle Integration and ... · • Use integrations to design,...

Oracle® CloudProvisioning and Administering OracleIntegration and Oracle Integration for SaaS,Generation 2

F20750-57August 2020

Oracle Cloud Provisioning and Administering Oracle Integration and Oracle Integration for SaaS, Generation2,

F20750-57

Copyright © 2019, 2020, Oracle and/or its affiliates.

Primary Author: Oracle Corporation

This software and related documentation are provided under a license agreement containing restrictions onuse and disclosure and are protected by intellectual property laws. Except as expressly permitted in yourlicense agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverseengineering, disassembly, or decompilation of this software, unless required by law for interoperability, isprohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. Ifyou find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it onbehalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software,any programs embedded, installed or activated on delivered hardware, and modifications of such programs)and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Governmentend users are "commercial computer software" or "commercial computer software documentation" pursuantto the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such,the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works,and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programsembedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oraclecomputer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in thelicense contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloudservices are defined by the applicable contract for such services. No other rights are granted to the U.S.Government.

This software or hardware is developed for general use in a variety of information management applications.It is not developed or intended for use in any inherently dangerous applications, including applications thatmay create a risk of personal injury. If you use this software or hardware in dangerous applications, then youshall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure itssafe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks oftheir respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks areused under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc,and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,and services from third parties. Oracle Corporation and its affiliates are not responsible for and expresslydisclaim all warranties of any kind with respect to third-party content, products, and services unless otherwiseset forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will notbe responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface

Audience vi

Documentation Accessibility vi

Related Resources vi

Conventions vii

1 Overview of Oracle Integration Generation 2

Availability 1-1

Restrictions 1-2

Service Limits 1-3

Oracle Integration Editions 1-8

Oracle Integration for Oracle SaaS 1-9

2 Before You Begin with Oracle Integration Generation 2

Can I Create an Oracle Integration Generation 2 Instance? 2-1

Can I Create an Oracle Integration for Oracle SaaS Generation 2 Instance? 2-1

Understanding Administrator Responsibilities 2-2

Signing in to the Console 2-3

Creating an Oracle Cloud Infrastructure Compartment 2-4

3 Setting Up Users and Groups in Oracle Integration Generation 2

Understanding Oracle Integration Federation 3-1

Configuring the Ability to Create and Delete Compartments 3-2

Configuring Access to Create and Manage Instances in One Console 3-3

Creating an Oracle Cloud Infrastructure Group to Manage Instances 3-3

Creating an Oracle Cloud Infrastructure Policy to Manage Instances 3-4

Creating an IDCS Group to Manage Instances 3-6

Mapping the IDCS and Oracle Cloud Infrastructure Groups 3-7

Creating IDCS Users to Manage Instances 3-8

Assigning the Entitlement Role to Enable Instance Creation 3-9

iii

Configuring Read Only Access to One Console 3-10

Creating an Oracle Cloud Infrastructure Group for Read Only Access 3-11

Creating an Oracle Cloud Infrastructure Policy for Read Only Access 3-11

Adding and Assigning Oracle Cloud Infrastructure Users for Read Only Access 3-13

Configuring Access to Oracle Integration Instances 3-14

Creating an IDCS Group for Oracle Integration Access 3-15

Creating IDCS Users for Oracle Integration Access 3-15

Creating an Oracle Cloud Infrastructure Group for Oracle Integration Access(Optional) 3-15

Mapping the IDCS and Oracle Cloud Infrastructure Groups for OracleIntegration Access (Optional) 3-16

Creating an Oracle Cloud Infrastructure Policy for Oracle Integration Access(Optional) 3-16

Assigning Service Roles for Oracle Integration Access 3-17

Oracle Integration Service Roles 3-18

Configuring Multiple Identity Stripes for Oracle Integration Generation 2 3-19

Defining a Stripe Naming Convention 3-20

Creating an IDCS group for secondary stripe users 3-21

Creating an OAuth client in the secondary stripe 3-22

Creating an Oracle Cloud Infrastructure group for secondary stripe users 3-24

Creating the federation and its group mapping 3-25

Creating an Oracle Cloud Infrastructure policy for federated users to createinstances 3-27

Creating Oracle Integration instances in the secondary stripe compartment 3-28

4 Creating and Editing Oracle Integration Generation 2 Instances

Creating an Oracle Integration Instance 4-1

Choosing a License Type 4-5

Choosing a Message Pack Number 4-5

Accessing an Oracle Integration Instance 4-6

Editing the Edition, License Type, and Message Packs of an Instance 4-7

Viewing Instance Details 4-9

Stopping and Starting an Oracle Integration Instance 4-10

Moving an Instance to a Different Compartment 4-12

Deleting an Instance 4-13

Upgrade to Oracle Integration Generation 2 4-13

Subscribe to Regions Before Upgrading 4-18

Creating an Access Token to Provision an Instance with the CLI or REST API 4-20

Generating the Access Token 4-21

Creating the Application 4-22

iv

5 Managing Oracle Integration Generation 2 Instances

Configure the Instance Object Storage Bucket 5-1

Export and Import Design-Time Metadata Between Instances 5-2

Create an Export Job 5-2

Create an Import Job 5-5

Manage Integrations and Errors 5-7

Upload an SSL Certificate 5-7

Manage Integration and Process Instance History 5-9

Set Instance Quotas on Compartments 5-9

6 Monitoring Oracle Integration Generation 2 Instances

Viewing Message Metrics 6-1

Monitoring Billable Messages 6-2

About Integrations Usage 6-5

About Process Usage 6-10

A Oracle Integration Generation 2 Reference

Manually Federating Your Tenancy A-1

Is my Tenancy Federated Between Oracle Cloud Infrastructure IAM and OracleIdentity Cloud Service? A-1

Getting Required Information from Oracle Identity Cloud Service A-2

Adding Oracle Identity Cloud Service as an Identity Provider A-4

Automating with Events A-5

Integration Instance Event Types A-5

Integration Instance Event Example A-7

IAM Policy Details for Oracle Integration A-7

v

Preface

Provisioning and Administering Oracle Integration and Oracle Integration for SaaS,Generation 2 describes how to create and administer Oracle Integration from theOracle Cloud Infrastructure Console.

Topics:

• Audience

• Documentation Accessibility

• Related Resources

• Conventions

AudienceProvisioning and Administering Oracle Integration and Oracle Integration for SaaS,Generation 2 is intended for users who want to create and manage Oracle Integrationinstances in Oracle Cloud Infrastructure Console.

Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the OracleAccessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic supportthrough My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related ResourcesFor more information, see these Oracle resources:

• Oracle Integration documentation in the Oracle Cloud Library on the Oracle HelpCenter.

• Oracle Cloud at http://cloud.oracle.com.

Preface

vi

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

http://cloud.oracle.com

ConventionsThe following text conventions are used in this document.

Convention Meaning

boldface Boldface type indicates graphical user interface elements associatedwith an action, or terms defined in text or the glossary.

italic Italic type indicates book titles, emphasis, or placeholder variables forwhich you supply particular values.

monospace Monospace type indicates commands within a paragraph, URLs, codein examples, text that appears on the screen, or text that you enter.

Preface

vii

1Overview of Oracle Integration Generation2

Oracle Integration is a fully managed service that allows you to integrate yourapplications, automate processes, gain insight into your business processes, andcreate visual applications.

With Oracle Integration, you can:

• Use integrations to design, monitor, and manage connections between yourapplications, selecting from our portfolio of 60+ pre-built adapters to connect withOracle and third-party applications.

• Create process applications to automate and manage your business work flows,whether structured or dynamic.

• Model and extract meaningful business metrics in real time and gain insight intoyour business processes using dashboards.

• Develop visual applications.

• Create integrations that use B2B e-commerce that support the EDI X12 businessprotocol.

• Use the embedded SFTP-compliant repository for storing and retrieving files inOracle Integration.

Oracle Integration is available in two editions: standard or enterprise. See OracleIntegration Editions.

Oracle SaaS customers can use Oracle Integration for SaaS, which gives youthe features and benefits of Oracle Integration with a focus on SaaS. See OracleIntegration for Oracle SaaS.

AvailabilityOracle Integration Generation 2 is currently available in the regions listed below.

Questions about your Oracle Integration availability?

• See Can I Create an Oracle Integration Generation 2 Instance?

• For Oracle SaaS administrators, see Can I Create an Oracle Integration for OracleSaaS Generation 2 Instance?

Geography Region Location Region Key

APAC India South (Hyderabad) HYD

APAC India West (Mumbai) BOM

APAC South Korea Central (Seoul) ICN

APAC South Korea North (Chuncheon) YNY

1-1

Geography Region Location Region Key

APAC Australia East (Sydney) SYD

APAC Australia Southeast (Melbourne) MEL

APAC Japan East (Tokyo) NRT

APAC Japan Central (Osaka) KIX

EMEA Netherlands Northwest (Amsterdam) AMS

EMEA Germany Central (Frankfurt) FRA

EMEA Switzerland North (Zurich) ZRH

EMEA Saudi Arabia West (Jeddah) JED

EMEA UK South (London) LHR

EMEA UK Gov South (London) LTN

EMEA UK Gov West (Newport) BRS

LAD Brazil East (Sao Paulo) GRU

North America US East (Ashburn) IAD

North America US West (Phoenix) PHX

North America US West (San Jose) SJC

North America Canada Southeast (Toronto) YYZ

North America Canada Southeast (Montreal) YUL

RestrictionsNote the following current restrictions when creating and using Oracle Integration.

• You can create Oracle Integration Generation 2 instances in any Oracle dataregion listed in Availability.

• You can create Oracle Integration for Oracle SaaS Generation 2 instances in anyOracle data region if you created a new Oracle Cloud account on or after February11, 2020.

• Email notifications from Processes work correctly. However, it's not possible to seta custom “from” sender (that is, the from address is the default).

• Visual Builder business rules (including server-side validations, triggers, objectfunctions, and declarative workflow) are disabled in Oracle Integration Generation2 environments. You'll see a message on the Business Rules tab for businessobjects indicating that business rules can't be configured.

Chapter 1Restrictions

1-2

Service LimitsReview the following service limits for Oracle Integration Generation 2 resources. Aservice limit is the quota or allowance set on a resource.

Oracle Cloud Infrastructure Console Service Limits

Resource Service Limit

Integration instance count 200 instances per region.

Oracle Integration Components Service Limits

• Adapters

• Integrations

• Processes

• File Server

Table 1-1 Adapters


File Adapter - file size 10 MB.

Note:

The size of CSV filesincreases when translatedinto a message. Therefore,the file size must be lessthan 10 MB, so that theafter-translation messagesize does not exceed 10MB.

FTP Adapter - file size For invoke configurationsRead File operation:

• 1 GB when used without a schema (with aconnectivity agent).

• 10 MB when using a schema for transformation.

Write File operation:

• 1 GB when used without a schema (with aconnectivity agent).

• 10 MB when using a schema for transformation.

Download File operation: 1 GB.

Chapter 1Service Limits

1-3

Table 1-1 (Cont.) Adapters


REST Adapter For trigger configurations• XML document size for schema generation: 3 MB.

See REST Adapter Capabilities.• Incoming message size (without attachment): 10

MB. Messages with attachments, for example,multipart/mixed and multipart/form-data, are notsubject to this constraint.

• Incoming JSON attachments size: 1 GB.• Incoming structured message payload size (any

content-type header containing JSON, XML, HTML,YAML, or YML): 10 MB.

• Incoming content as raw bytes (application/octet-stream as content type): 1 GB.

• Specifying the response payload format: JSONsample files of up to 100 KB in size are supported.

For invoke configurations• XML document size for data definition generation: 3

MB. See REST Adapter Capabilities.• Attachment size in outbound requests: 1 GB. These

attachments can be multipart/mixed, multipart/form-data, or application/octet-stream.

• Outgoing structured message payload size (anycontent-type header containing JSON, XML, HTML,YAML, or YML): 10 MB.

• Outgoing unstructured message payload size(multipart/form-data and binary/octet-stream): 1 GB.

• Specifying the request payload format: JSONsample files of up to 100 KB in size are supported.


1-4



REST-Based Adapters (Adaptersthat expose REST endpoints onthe inbound or adapters invokingexternal REST endpoints. Forexample, Oracle Commerce CloudAdapter, Oracle Field ServiceAdapter, etc.)

For trigger configurations (wherever applicable)• XML document size for schema generation: 3 MB.

See REST Adapter Capabilities.• Incoming message size (without attachment): 10

MB. Messages with attachments, for example,multipart/mixed and multipart/form-data, are notsubject to this constraint.

• Incoming JSON attachments size: 1 GB.• Incoming structured message payload size (any

content-type header containing JSON, XML, HTML,YAML, or YML): 10 MB.

• Incoming content as raw bytes (application/octet-stream as content type): 1 GB.

• Specifying the response payload format: JSONsample files of up to 100 KB in size are supported.

For invoke configurations (wherever applicable)• XML document size for data definition generation: 3

MB. See REST Adapter Capabilities.• Attachment size in outbound requests: 1 GB. These

attachments can be multipart/mixed, multipart/form-data, or application/octet-stream.

• Outgoing structured message payload size (anycontent-type header containing JSON, XML, HTML,YAML, or YML): 10 MB.

• Outgoing unstructured message payload size(multipart/form-data and binary/octet-stream): 1 GB.

• Specifying the request payload format: JSONsample files of up to 100 KB in size are supported.

Salesforce Adapter - batch file size 8 MB (10,000 records). See Process Large Data SetsAsynchronously with Different Bulk Operations.

SAP Ariba Adapter See SAP Ariba Adapter Restrictions.

SOAP Adapter For trigger configurations• Structured payload (XML) size in Request and

Response: 10 MB.

For invoke configurations• Structured payload (XML) size in Request and

Response: 10 MB.• MTOM attachment (binary and non-binary content)

size in Request and Response: 1 GB.

SOAP-Based Adapters (Adaptersthat expose SOAP endpoints onthe inbound or adapters invokingexternal SOAP endpoints. Forexample, Oracle Logistics Adapter)

For trigger configurations (wherever applicable)• Structured payload (XML) size in Request and

Response: 10 MB.

For invoke configurations (wherever applicable)• Structured payload (XML) size in Request and

Response: 10 MB.• MTOM attachment (binary and non-binary content)

size in Request and Response: 1 GB.


1-5



Database Adapters (OracleDatabase Adapter, IBM DB2Adapter, Microsoft SQL ServerAdapter, MySQL Adapter, OracleAutonomous Data WarehouseAdapter, Oracle AutonomousTransaction Processing Adapter, andOracle Database Cloud ServiceAdapter)

For trigger configurations• Polling Operation: 10 MB with schema

transformation.

For invoke configurations• Stored Procedure/Operation on Table/Run PureSQL

Statement Operations: 10 MB with schematransformation for all the outbound operations.

Apache Kafka Adapter For invoke configurations• Produce/Consume Message Operations: 10 MB

with schema transformation for all the outboundoperations.

JMS Adapters (Oracle WebLogicJMS Adapter and IBM MQ SeriesJMS Adapter)

For trigger configurations• Consume Message Operation: 10 MB with schema

transformation.

For invoke configurations• Produce Message Operation: 10 MB with schema

transformation.

Oracle CPQ Cloud Adapter -response payload

10 MB.

Table 1-2 Integrations


Connectivity agent - memory A minimum of 8 GB memory with 4 GB of heapsize dedicated to the on-premise agent's Java VirtualMachine (JVM). To include any other processes on thehost besides the agent, increase the physical memory toa value greater than 8 GB.

Connectivity agent - messagepayload

10 MB, through the use of compression.

All connectivity-agent-enabled adapters• 10 MB as request.• 10 MB as response.

SOAP and REST adapters configured withconnectivity agent• 10 MB (structured XML/JSON document) as

request.• 10 MB (structured XML/JSON document) as

response from private SOAP/REST endpoints.• 1 GB for attachments as part of a request.• 1 GB for attachments as part of a response from

private SOAP/REST endpoints.

Stage File action (in orchestratedintegrations) - file size

Read Entire File operation: 10 MB. For files greater than10 MB, use the Read File in Segments operation.

Encrypt File operation: 1 GB.

Decrypt File operation: 1 GB.


1-6

Table 1-2 (Cont.) Integrations


Oracle Integration Messaging -message size

10 MB.

Encode and Decode File AttachmentContent (mapper)

The functions encodeReferenceToBase64(Stringreference) anddecodeBase64ToReference(Stringbase64Content) have a file size limit of 10 MB.

Activity stream size 100 MB.The maximum size for payloads inside the activitystream is 512 KB, at which time the payloads aretruncated.

Activity stream logs - file size 10 MB.

Notification action - attachments size • 1 MB for Oracle Integration.• 2 MB for Oracle Integration Generation 2.Both the email body and attachment are considered incalculating the total size.

Number of concurrent instances ofgiven scheduled integration

1 scheduled, 1 run now.

Number of concurrent instances ofscheduled integration

2 per node.

While loop iterations 5000.

Tracking variable - value 100 characters. If the value is greater than the limit, it'struncated.

Schedule parameter - value 256 characters.

Integration properties - value 256 characters.

Integration/Connection - name 50 characters on the UI; 200 characters in the database.

Integration/Connection - packagename

50 characters on the UI; 200 characters in the database.

Integration/Connection - version 10 characters on the UI; 50 characters in the database.

Integration/Connection - description 1024 characters on the UI; 2000 characters in thedatabase.

Table 1-3 Processes


Email attachment size 2 MB.

Document attachment size (Nativeas well as via Oracle Content andExperience)

15 MB.

Maximum payload size in REST APIs • 10 MB, for any content-type header containingJSON, XML, HTML, YAML, or YML.

• 20 MB for other content types.

Maximum number of times a givenactivity can execute per instance (viadirect or indirect loops) in a singleprocess instance

1000.


1-7

Table 1-4 File Server


Storage 500 GB.

Oracle Integration EditionsOracle Integration is available in two editions: Standard and Enterprise.

Either edition gives you the power to integrate your Software as a Service (SaaS)applications and your on‑premises applications. Enterprise edition enables you to alsodesign, automate, and manage your business processes in the cloud.

Regardless of which edition you choose, Oracle handles cloud and databasemanagement, backup, restore, and other administrative tasks for you.

Here’s a side-by-side comparison of what’s licensed in each edition.

Chapter 1Oracle Integration Editions

1-8

Oracle Integration for Oracle SaaSOracle Integration for Oracle SaaS, a streamlined version of Oracle Integration, givesyou the features and benefits of Oracle Integration with a focus on SaaS.

Here are the key differences between Oracle Integration for Oracle SaaS and OracleIntegration:

• Purpose-built for connecting and extending Oracle SaaS. Specifically, everyintegration you create must have an endpoint in an Oracle Cloud SaaSapplication, every Visual Builder application you create must use at least onebusiness object or API call from an Oracle Cloud SaaS application, and everyprocess application you create must include at least one business object or APIcall from an Oracle Cloud SaaS application.

• Flexibility for hourly bursting. Oracle Integration for Oracle SaaS is offered asa monthly subscription in packs of one million messages per month, which keepscosts predictable even when you have unpredictable hourly volumes. Usage isreported monthly instead of hourly.

• Provisioning. Creating an instance for Oracle Integration for Oracle SaaS isslightly different from creating an instance for Oracle Integration, and Bring YourOwn License (BYOL) is not available in Oracle Integration for Oracle SaaS.Differences in provisioning are noted in Creating an Oracle Integration Instance.

Chapter 1Oracle Integration for Oracle SaaS

1-9

2Before You Begin with Oracle IntegrationGeneration 2

Get started with Oracle Integration on Oracle Cloud Infrastructure.

Topics:

• Can I Create an Oracle Integration Generation 2 Instance?

• Can I Create an Oracle Integration for Oracle SaaS Generation 2 Instance?

• Understanding Administrator Responsibilities

• Signing in to the Console

• Creating an Oracle Cloud Infrastructure Compartment

Can I Create an Oracle Integration Generation 2 Instance?Oracle Integration Generation 2 refers to Oracle Integration running natively on theOracle Cloud Generation 2 Infrastructure.

Note:

Interested in Oracle Integration for Oracle SaaS Generation 2 instead, asdescribed in Oracle Integration for Oracle SaaS? See Can I Create anOracle Integration for Oracle SaaS Generation 2 Instance?

You can create Oracle Integration Generation 2 instances in any Oracle data regionlisted in Availability.

• For Oracle Integration Generation 2, follow the instructions in this current guide.

• Otherwise, see Ready, Set Up, Go in Administering Oracle Integration.

Can I Create an Oracle Integration for Oracle SaaSGeneration 2 Instance?

Oracle Integration for Oracle SaaS Generation 2 refers to Oracle Integration for OracleSaaS running natively on the Oracle Cloud Generation 2 Infrastructure.

2-1

Note:

Interested in Oracle Integration Generation 2 instead (not SaaS-specific)?See Can I Create an Oracle Integration Generation 2 Instance? Forinformation on differences, see Oracle Integration for Oracle SaaS.

Was your Oracle cloud account created on or after February 11, 2020?

• If yes, follow the instructions in this current guide to create an Oracle Integrationfor Oracle SaaS Generation 2 instance.

• If no, see Ready, Set Up, Go and Oracle Integration for Oracle SaaS inAdministering Oracle Integration to create an Oracle Integration for Oracle SaaSinstance.

Understanding Administrator ResponsibilitiesThis guide is directed to administrators provisioning, creating, and configuring OracleIntegration instances and identities on Oracle Cloud Infrastructure.

Provisioning and administering Oracle Integration typically involves the followingresponsibilities. Note that these tasks could be done by the same person (the accountowner) or by different people.

Use Case Description See

An account owner createsan Oracle Integration instance(trial)

This super administratorcreates and manages thetenancy. The account owneris automatically assigned allpermissions.

Typically, the accountowner grants permission toadministrators to create anddelete compartments, thenhands off tasks to otheradministrators. However, withfull administration privileges,account owners can proceedto creating Oracle Integrationinstances.

Configuring the Abilityto Create and DeleteCompartments

Creating and Editing OracleIntegration Generation 2Instances

An account owner delegatesto other administrators whocreate and manage OracleIntegration instances (typical)

Instance creators requireboth IDCS and OracleCloud Infrastructure mappedidentities. They must alsobe assigned the administratorentitlement role to createinstances.

Configuring Access to Createand Manage Instances in OneConsole

An administrator configuresread only access for selectedusers to view a list of OracleIntegration instances (audit)

These users require an OracleCloud Infrastructure identityonly.

Configuring Read Only Accessto One Console

Chapter 2Understanding Administrator Responsibilities

2-2

Use Case Description See

An administrator configuresuser identities to navigate toand use Oracle Integration(most service users)

These users require an IDCSidentity only.

Configuring Access to OracleIntegration Instances

Signing in to the ConsoleSign in to the Oracle Cloud Console as a user federated through Oracle Identity CloudService. A federated environment enables business partners to integrate in the identitymanagement realm by providing a mechanism for users to share identity informationacross respective security domains.

1. Use the link provided to you to sign in to your cloud account.

The Sign In screen is displayed, where you enter your cloud account name, whichis your tenant name.

2. If needed, enter your cloud tenant, and click Continue.

Identity options are displayed.

• The left side displays federated sign in (Oracle Integration is federated withOracle Identity Cloud Service).

• The right side displays native Identity and Access Management (IAM) optionsstandard to Oracle Cloud Infrastructure.

Note:

If no federated sign in options are displayed on the left, your tenancyrequires manual federation. Sign in as an administrator using nativeIAM credentials and complete federation, including group mapping. SeeUnderstanding Oracle Integration Federation and Manually FederatingYour Tenancy.

Chapter 2Signing in to the Console

2-3

3. Under Single Sign-On (SSO) options, note the identity provider selected in theIdentity Provider field and click Continue.

The Oracle Identity Cloud Service sign in screen is shown.

4. Enter the user name and password provided in the welcome email, and click SignIn.

One Console is shown. Want to learn more about One Console? See the OracleCloud Infrastructure Blog.

5. Click in the top left corner. Scroll to explore the categories and options, usingthe left scroll bar as needed.

• From the Solutions and Platform category, select Application Integration,then Integration. Use this landing page to access, create, and manage OracleIntegration instances.

• From the Governance and Administration category, select Identity. UseIdentity links to create compartments if needed, and perform tasks related toidentity management.

Creating an Oracle Cloud Infrastructure CompartmentOracle Integration instances use the Oracle Cloud Infrastructure as their underlyinginfrastructure. To create an Oracle Integration instance, you must first create acompartment, unless you want to create the instance in the root compartment.

See Managing Compartments.

You can create a new compartment or use an existing compartment.

You must have permission to create and delete compartments. See Configuring theAbility to Create and Delete Compartments.

Chapter 2Creating an Oracle Cloud Infrastructure Compartment

2-4

https://blogs.oracle.com/cloud-infrastructure/console-experience-enhancements-unite-iaas%2c-paas%2c-and-saas

https://blogs.oracle.com/cloud-infrastructure/console-experience-enhancements-unite-iaas%2c-paas%2c-and-saas

1. Go to the

menu.

2. Under Governance and Administration, select Identity, then Compartments.

A list of the compartments in your tenancy is displayed.

3. Select the compartment in which you want to create your instance or create a newcompartment.To create a new compartment:

a. Click Create Compartment to create the compartment to use for creating aninstance.

b. Enter the following:

• Name: Enter a name that is unique across all compartments in yourtenancy (maximum 100 characters, including letters, numbers, periods,hyphens, and underscores). For example, enter a name such asOICCompartment.

• Description: Enter a description for this compartment.

• Tags: Enter tags to organize and list resources based on your businessneeds. See Managing Tags and Tag Namespaces.

c. Click Create Compartment.

Return to the navigation pane.

Chapter 2Creating an Oracle Cloud Infrastructure Compartment

2-5

3Setting Up Users and Groups in OracleIntegration Generation 2

Configure users and groups in Oracle Cloud Infrastructure and Oracle Identity CloudService, and grant them the right level of access. Note that read only users can beassigned to an Oracle Cloud Infrastructure group only and not to an IDCS group.

Topics:

• Understanding Oracle Integration Federation

• Configuring the Ability to Create and Delete Compartments

• Configuring Access to Create and Manage Instances in One Console

• Configuring Read Only Access to One Console

• Configuring Access to Oracle Integration Instances

• Configuring Multiple Identity Stripes for Oracle Integration Generation 2

Understanding Oracle Integration FederationOracle Integration requires that Oracle Cloud Infrastructure Identity and AccessManagement (IAM) be federated with Oracle Identity Cloud Service (IDCS) for yourtenancy.

User federation refers to linking a user's identity and attributes across multiple identitymanagement systems. Oracle Integration federation means that identities are linkedin IDCS and Oracle Cloud Infrastructure Identity and Access Management (IAM). AllOracle Integration accounts include IDCS.

Whether your tenancy needs federation depends on several factors, such as whenyour cloud account was created and the Oracle Integration version you're provisioning.Your tenancy may be:

• Already fully federated: Nearly all accounts fall into this category. You'll followstandard steps to set up users and groups, as described in Setting Up Users andGroups in Oracle Integration Generation 2.

• Mostly federated: If you have an older account that was created beforeDecember 21, 2018, you may need to complete a final federation step. You'llfollow steps to set up users and groups, as described in Setting Up Usersand Groups in Oracle Integration Generation 2. At the mapping step (Mappingthe IDCS and Oracle Cloud Infrastructure Groups), you'll be asked to enterinformation.

• Needing federation: If you’re configuring Oracle Integration with a governmentSKU in a commercial data center, you'll likely need to perform manual federationsteps as part of setting up users and groups. See Manually Federating YourTenancy.

3-1

Not sure about your federation? See Is my Tenancy Federated Between Oracle CloudInfrastructure IAM and Oracle Identity Cloud Service?

About Federation

Oracle Integration uses both Oracle Cloud Infrastructure Identity and AccessManagement (IAM) and Oracle Identity Cloud Service (IDCS).

• Manage permissions using policies in Oracle Cloud Infrastructure's IAM service.

• Create and manage users in Oracle Identity Cloud Service. By default, mosttenancies are federated with Oracle Identity Cloud Service. For more informationabout Oracle Identity Cloud Service, see Understanding Administrator Roles inAdministering Oracle Identity Cloud Service.

For background information on federation with Oracle Identity Cloud Service, seeFederating with Identity Providers and Federating with Oracle Identity Cloud Service.

Configuring the Ability to Create and Delete CompartmentsAs the account owner, extend permission to selected administrators to create or deletecompartments.

1. Click in the top left corner.

2. From the Governance and Administration category, choose Identity, thenFederation.The Federation screen is shown, and includes the identity provider, calledOracleIdentityCloudService. This is the default federation between the Oracle

Chapter 3Configuring the Ability to Create and Delete Compartments

3-2

https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Concepts/federation.htm

https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/federatingIDCS.htm

Identity Cloud Service stripe and the OCI tenancy in a cloud account. Note thatthis screen may show more than the default identity provider.

3. Select the OracleIdentityCloudService link to view the default Oracle IdentityCloud Service identity federation.

4. Select Groups from the Resources options.

5. Locate a group with the entry OCI_Administrators (IDCS group) in the GroupName column and Administrators in the OCI Mapped Group column.This mapping represents the highest level permissions for the tenancy. Membersof either group are assigned these permissions.

Note:

Alternately, you can select the Administrators OCI group if you decideto create an OCI only user, and not a federated user.

6. Add administrators you want to grant permission to create and deletecompartments. Select OCI_Administrators to add an administrator to the IDCSgroup or click Administrators to add one to the Oracle Cloud Infrastructure group.You can select either the IDCS or Oracle Cloud Infrastructure group.

Configuring Access to Create and Manage Instances in OneConsole

Create users and grant them permission to create and manage Oracle Integrationinstances.

Follow these main steps:

1. Creating an Oracle Cloud Infrastructure Group to Manage Instances

2. Creating an Oracle Cloud Infrastructure Policy to Manage Instances

3. Creating an IDCS Group to Manage Instances

4. Mapping the IDCS and Oracle Cloud Infrastructure Groups

5. Creating IDCS Users to Manage Instances

6. Assigning the Entitlement Role to Enable Instance Creation

Creating an Oracle Cloud Infrastructure Group to Manage InstancesCreate an instance administrator group in OCI IAM and map it to your previouslycreated IDCS group.


2. From the Governance and Administration category, choose Identity, thenGroups.

The Groups screen is shown.

3. Click Create Group.

Chapter 3Configuring Access to Create and Manage Instances in One Console

3-3

4. In the Create Group screen, assign a name to the group that differentiates it fromthe IDCS group (for example, oci-integration-admins), and enter a description.

5. Click Create.

Creating an Oracle Cloud Infrastructure Policy to Manage InstancesCreate a policy to grant permission to provision and manage Oracle Integrationinstances within a specified tenancy or compartment.

To create and assign a policy to the Oracle Cloud Infrastructure group:

1. From the navigation pane, select Identity, then Policies.

2. Click Create Policy.

3. In the Create Policy window, enter a name (for example,IntegrationGroupPolicy) and a description.

4. Complete the policy's Statement field, entering your Oracle Cloud Infrastructuregroup name and compartment name or tenancy.

• Policy: allow group oci-integration-admins to manage integration-instance in compartment OICCompartment

• Syntax: Allow group <group_name> to <verb> <resource-type> incompartment <compartment-name>

Syntax: Allow group <group_name> to <verb> <resource-type> intenancy

A statement gives a group a certain type of access to certain resourcesin a particular compartment or tenancy. This policy statement allows the oci-


3-4

integration-admins group to manage (create, delete, edit, move, and view)the integration-instance in compartment OICCompartment. The manage verbprovides the highest level of permissions to a resource. Depending on yourenvironment, you might create separate groups for different permissions, such asa group with the read verb only.

Want to learn more about policies? See How Policies Work and Policy Reference,or click Help in the window.

• When defining policy statements, you can specify either verbs (as used inthese steps) or permissions (typically used by power users).

• The Read and Manage verbs are most applicable to Oracle Integration. TheManage verb has the most permissions (create, delete, edit, move, and view).

Verb Access

read Includes permission to view Oracle Integration instances and their details.

manage Includes all permissions for the Oracle Integration instance.

5. Click Create.


3-5

https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policies.htm

https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm

The policy statement is validated and syntax errors are displayed.

Creating an IDCS Group to Manage InstancesYou can create Oracle Identity Cloud Service groups for later mapping them to OracleCloud Infrastructure Identity and Access Management identities.


2. From the Governance and Administration category, choose Identity, thenFederation.

The Federation screen is shown, and includes the identity provider, calledOracleIdentityCloudService. This is the default federation between the OracleIdentity Cloud Service stripe and the OCI tenancy in a cloud account.



5. Click Create IDCS Group.

6. Enter a name (for example, idcs-integration-admins).


3-6

7. Click Create.

Mapping the IDCS and Oracle Cloud Infrastructure GroupsMap your instance administrator group in OCI IAM to your previously created IDCSgroup.

1. From Identity options, choose Federation.

2. On the Federation page, select the OracleIdentityCloudService link.

3. From the Resources options, choose Group Mapping.

4. Click Edit Mapping.

5. In the Edit Identity Provider dialog, click Add Mapping at the bottom.

a. If the following dialog appears prompting you to provide credentials, enterthis information from the COMPUTEBAREMETAL IDCS application in yourIDCS account. This dialog indicates that your tenancy is mostly federated andrequires only this final step. See Understanding Oracle Integration Federation.(If you aren't able to locate this information, file a service request to get helpfrom Oracle Support.)

b. Click Continue.


3-7

6. Select your IDCS group in the Identity Provider Group field and your OracleCloud Infrastructure group in the OCI Group field.

7. Click Submit.

Creating IDCS Users to Manage InstancesYou can create Oracle Identity Cloud Service users to add to Oracle CloudInfrastructure Identity and Access Management groups for specific access. It isrecommended to grant permissions to groups instead of directly to users, to simplifyaccess and permission management.

1. From Identity options, choose Federation.

2. On the Federation page, select the OracleIdentityCloudService link to view thedefault Oracle Identity Cloud Service federation.

3. Click Create IDCS User.

4. Complete the fields to identify the user. In the Groups field, select the IDCS groupyou want this user to belong to.


3-8

5. Click Create.

A message is displayed that the user was created. Optionally, click the EmailPassword Instructions button to email a change password link to the new user.

The new user is displayed in the table of users. Notice that the user's federationwas automatically triggered if the user was added to a federated IDCS group, andis displayed in the OCI Synched User column.

Assigning the Entitlement Role to Enable Instance CreationAdministrators must be assigned the Entitlement service role to create OracleIntegration instances.

Note:

It's a best practice to assign the entittlement service role to a selected grouprather than individual users.

1. From the OracleIdentityCloudService federation screen, select Groups from theResources options.

2. From the table, select an IDCS group to grant them access to create OracleIntegration instances.

3. On the Group Details page, click the Manage Service Roles button.


3-9

4. On the Manage Service Roles screen, locate your integration service(INTEGRATIONCAUTO for Oracle Integration or INTEGRATIONSUB for OracleIntegration for SaaS). At the far right, click , and choose Manage serviceaccess.

5. From the Manage Roles options, check the appropriate service role.

• For Oracle Integration, select AUTONOMOUS-INTEGRATIONCLOUD_ENTITLEMENT_ADMINISTRATOR.

• For Oracle Integration for Oracle SaaS, selectINTEGRATION_FOR_SAAS_ENTITLEMENT_ADMINISTRATOR.

6. Click Save Role Selections, then Apply Service Role Settings.

The Entitlements Granted dialog is shown.

7. Click Close.

Configuring Read Only Access to One ConsoleCreate users and grant them a read only console view to see a list of instances. Notethat these service users do not need Oracle Identity Cloud Service identities.


1. Creating an Oracle Cloud Infrastructure Group for Read Only Access

2. Creating an Oracle Cloud Infrastructure Policy for Read Only Access

3. Adding and Assigning Oracle Cloud Infrastructure Users for Read Only Access

Chapter 3Configuring Read Only Access to One Console

3-10

Creating an Oracle Cloud Infrastructure Group for Read Only AccessCreate an Oracle Cloud Infrastructure group for read only access to the console.




4. In the Create Group screen, enter a name (for example, oci-integration-viewers) and a description.

5. Click Create.

Creating an Oracle Cloud Infrastructure Policy for Read Only AccessCreate a policy to grant a group of users read only permission to Oracle Integrationinstances within a specified compartment or tenancy.



3. In the Create Policy window, enter a name (for example, ViewersGroupPolicy)and a description.

4. Complete the policy's Statement field, entering your Oracle Cloud Infrastructuregroup name and compartment name.

• Policy: allow group oci-integration-viewers to read integration-instance in compartment OICCompartment


3-11


Syntax: Allow group <group_name> to <verb> <resource-type> intenancy

This policy statement allows the oci-integration-viewers group to read theintegration-instance in compartment OICCompartment. The read verb providesread only access to a resource.


5. Add an additional policy to allow members of the IAM group to view messagemetrics, as described in Viewing Message Metrics.

Under Policy Statements, click + to add another statement. Complete thepolicy's Statement field, entering your Oracle Cloud Infrastructure group nameand compartment name or tenancy.

• Policy: allow group oci-integration-admins to read metrics incompartment OICPMCompartment


6. Click Create.


3-12




Adding and Assigning Oracle Cloud Infrastructure Users for Read OnlyAccess

After creating a view only group and adding its policy, add users for read only accessto Oracle Integration instances.

1. Add an Oracle Cloud Infrastructure user.

a. Click in the top left corner.

b. From the Governance and Administration category, choose Identity, thenUsers.

c. Click Create User.

d. Complete the fields to identify the user.

e. Click Create.

2. Assign the user to the read only group.

a. Select Groups from the Identity options.

b. Select the read only group you created (for example, oci-integration-viewers).

c. Click Add User to Group.

d. In the Add User to Group dialog, select the user you created and click Add.

3. Create the user's password.

a. From the Group Members table on the Group Details screen, select the useryou added.


3-13

b. Click Create/Reset Password. The Create/Reset Password dialog isdisplayed with a one-time password listed.

c. Click Copy, then Close.

4. Provide read only users the information they need to sign in.

a. Copy the password in an email to the user.

b. Instruct the read only user to sign in using the right-most (non-federated) signin fields.

c. Upon signing in, the user will be prompted to enter a new password.

d. View Oracle Integration instances.

Read only users can view Oracle Integration instances by selectingApplication Integration, and then Integration in the navigation pane.

Configuring Access to Oracle Integration InstancesCreate users and grant them service roles (such as ServiceAdministrator andServiceDeveloper) for using an Oracle Integration instance.

Note:

This step is applicable only after an Oracle Integration instance has beencreated. See Creating an Oracle Integration Instance.


1. Creating an IDCS Group for Oracle Integration Access

2. Creating IDCS Users for Oracle Integration Access

3. Assigning Service Roles for Oracle Integration Access

Chapter 3Configuring Access to Oracle Integration Instances

3-14

Optionally, follow these main steps to grant these users read only access to OneConsole:

1. Creating an Oracle Cloud Infrastructure Group for Oracle Integration Access(Optional)

2. Mapping the IDCS and Oracle Cloud Infrastructure Groups for Oracle IntegrationAccess (Optional)

3. Creating an Oracle Cloud Infrastructure Policy for Oracle Integration Access(Optional)

Creating an IDCS Group for Oracle Integration AccessCreate an Oracle Identity Cloud Service group for Oracle Integration access..





5. Click Create IDCS Group.

6. Enter a name (for example, idcs-integration-users).

7. Click Create.

Creating IDCS Users for Oracle Integration AccessYou can create Oracle Identity Cloud Service users for mapping them to Oracle CloudInfrastructure Identity and Access Management identities.

1. Select Users from the Resources options.

2. Click Create IDCS User.

3. Complete the fields to identify the user. In the Groups field, select the IDCS groupyou created (for example, idcs-integration-users).

4. Click Create.

A message is displayed that the user was created. Optionally, click the EmailPassword Instructions button to email a change password link to the new user.

The new user is displayed in the table of users.

Creating an Oracle Cloud Infrastructure Group for Oracle IntegrationAccess (Optional)

Create a group in Oracle Cloud Infrastructure to map it to your previously createdIDCS group.

Follow this step and its two subsequent steps only if you want to grant these usersread only access to One Console. See Configuring Access to Oracle IntegrationInstances.


3-15



The Groups screen is shown.


4. In the Create Group screen, assign a name to the group that differentiates it fromthe IDCS group (for example, oci-integration-users), and enter a description.

5. Click Create.

Mapping the IDCS and Oracle Cloud Infrastructure Groups for OracleIntegration Access (Optional)

Map your Oracle Cloud Infrastructure user group to your previously created IDCSgroup.



3. On the Federation page, select the OracleIdentityCloudService link.

4. From the Resources options, choose Group Mapping.

5. Click Edit Mapping.

6. In the Edit Identity Provider dialog, click Add Mapping at the bottom.

7. Select your IDCS group in the Identity Provider Group field (for example, idcs-integration-users) and your Oracle Cloud Infrastructure group in the OCI Groupfield (for example, oci-integration-users).

8. Click Submit.

Creating an Oracle Cloud Infrastructure Policy for Oracle IntegrationAccess (Optional)

Create a policy to grant a group of users read only permission to Oracle Integrationinstances within a specified compartment.


2. From the Governance and Administration category, select Identity, thenPolicies.

3. In the Compartment field, select your compartment.


5. In the Create Policy window, enter a name (for example, UsersGroupPolicy) and adescription.

6. Complete the policy's Statement field, entering your Oracle Cloud Infrastructuregroup name and compartment name..


3-16

• Policy: allow group oci-integration-users to read integration-instance in compartment OICCompartment


This policy statement allows the oci-integration-users group to read theintegration-instance in compartment OICCompartment. The read verb providesread only access to a resource.


7. Click Create.


Assigning Service Roles for Oracle Integration AccessAfter an Oracle Integration instance has been created, assign instance roles to groupsof users in Oracle Identity Cloud Service to allow them to work with the features of theOracle Integration instance.

Note:

It's a best practice to assign Oracle Integration instance roles to selectedgroups rather than users.

1. On the Identity Provider Details page, select Groups from the Resources options.

2. From the table, select an IDCS group to grant them access.

3. On the Group Details page, click the Manage Service Roles button.

4. On the Manage Service Roles page, locate your integration service(INTEGRATIONCAUTO for Oracle Integration, INTEGRATIONSUB for OracleIntegration for SaaS). At the far right, click , and choose Manage instanceaccess.

The Manage Access screen lists instances. Note that you must assign roles foreach instance individually.

• Instance names follow this format: displayname-tenancyid-regionid

• Instance URLs follow this format: https://displayname-tenancyid-regionid.integration.ocp.oraclecloud.com/ic/home/

5. From the Manage Access options, select instance roles for the group under one ormore specified instances.

Want to learn more about specific Oracle Integration roles? See OracleIntegration Service Roles.

• For Oracle Integration:


3-17



• For Oracle Integration for SaaS:

6. Click Save Instance Settings, then Apply Service Role Settings.

Oracle Integration Service RolesOracle Integration predefined roles govern access to various Oracle Integrationfeatures.

You can assign one or more of these predefined roles to Oracle Integration users andgroups: ServiceAdministrator, ServiceDeveloper, ServiceMonitor, ServiceDeployer,ServiceUser, ServiceInvoker, and ServiceViewer. The following table lists thepredefined roles available in Oracle Integration, and the general tasks that usersassigned the roles can perform.

Oracle Integration Description

ServiceAdministrator A user with the ServiceAdministrator role is a super user whocan manage and administer the features provisioned in an OracleIntegration instance.

ServiceDeveloper A user with the ServiceDeveloper role can develop the artifactsspecific to the features provisioned in an Oracle Integrationinstance. For example, in Integrations the user can createintegrations, and in Processes the user can create processapplications and decision models.


3-18

Oracle Integration Description

ServiceMonitor A user with the ServiceMonitor role can monitor the featuresprovisioned in an Oracle Integration instance. For example, the usercan view instances and metrics, find out response times, and trackwhether instance creation completed successfully or failed.

This role provides privileges for users with limited knowledge ofOracle Integration, but with high-level knowledge of monitoringit. This user role does not grant permissions to change anything.

ServiceDeployer A user with the ServiceDeployer role can publish the artifactsdeveloped in a feature.

This role is not applicable for the Integrations feature.

ServiceUser A user with the ServiceUser role has privileges to utilize only thebasic functionality of a feature such as access to the staged andpublished applications.

For example, in Integrations the user can navigate to resourcepages (such as integrations and connections) and view details, butcan’t edit or modify anything. The user can also run integrations andstart process applications.

ServiceInvoker A user with the ServiceInvoker role can invoke any integration flowin an Oracle Integration instance that is exposed through SOAP/REST APIs or a scheduled integration. See Run an IntegrationFlow. A user with ServiceInvoker role cannot:• Navigate to the Oracle Integration user interface or perform any

administrative actions in the user interface.• Invoke any of the documented Oracle Integration REST APIs.

See About the REST APIs.

ServiceViewer A user with the ServiceViewer role can navigate to all Integrationresource pages (for example, integrations, connections, lookups,libraries, and so on) and view details. The user cannot edit anyresources or navigate to the administrative setting pages.

In Oracle Integration, when you assign a role to a user, the user is granted thatrole for all Oracle Integration features provisioned on an instance. For example,when you assign the ServiceDeveloper role to a user for an instance provisionedwith the Integrations, Processes, and Visual Builder feature set, the user getsdeveloper permissions on each of these features. Further, each role grants differentprivileges for different features to the same user. Depending on the feature the useris accessing, the user can perform different tasks. For example, a user assigned theServiceDeveloper role can develop process applications in Processes, whereas thesame user can design integrations in Integrations. Note that not all Oracle Integrationpredefined roles are available in all features. For example, the ServiceMonitor role isnot available in Visual Builder.

Configuring Multiple Identity Stripes for Oracle IntegrationGeneration 2

For Oracle Integration Generation 2, the primary (primordial) stripe is automaticallyfederated using preconfigured groups. However, you can create separateenvironments for a single cloud service or application (for example, create oneenvironment for development and one for production), where each environment hasa different identity and security requirements. Implementing one or more secondary

Chapter 3Configuring Multiple Identity Stripes for Oracle Integration Generation 2

3-19

https://docs.oracle.com/en/cloud/paas/integration-cloud/rest-api/op-ic-api-integration-v1-integrations-id-schedule-jobs-post.html

https://docs.oracle.com/en/cloud/paas/integration-cloud/rest-api/op-ic-api-integration-v1-integrations-id-schedule-jobs-post.html

https://docs.oracle.com/en/cloud/paas/integration-cloud/rest-api/index.html

stripes enables you to create and manage multiple instances of Oracle Identity CloudService to protect your applications and Oracle Cloud services.

You can manually federate one or more secondary stripes with Oracle CloudInfrastructure using SAML IDP federation in which multiple Oracle Identity CloudService stripes are associated with the same cloud account. Note that the accountowner administers both primary and secondary stripes, but identities within the stripesare isolated from each other.

For benefits to using multiple Oracle Identity Cloud Service instances, see AboutMultiple Instances.

Note:

By default, a tenancy is limited to three (3) identity providers. (See ServiceLimits.) To increase the limit for your tenancy, see Requesting a ServiceLimit. You MUST increase the limit BEFORE starting to create the federation(step 4 below).

Configuring multiple identity stripes

Note:

It's important that the procedures contained in the steps below be followed intheir exact order.

First, define a naming convention for the striping, as described in Defining a StripeNaming Convention. Then follow the steps below to manually federate a secondarystripe for your cloud account. You must be the account owner.

1. Creating an IDCS group for secondary stripe users

2. Creating an OAuth client in the secondary stripe

3. Creating an Oracle Cloud Infrastructure group for secondary stripe users

4. Creating the federation and its group mapping

5. Creating an Oracle Cloud Infrastructure policy for federated users to createinstances

6. Creating Oracle Integration instances in the secondary stripe compartment

Defining a Stripe Naming ConventionAs a best practice, define a <stripename> for all the entities you'll create specific tothe stripe. Uniquely identifying configurations associated with a stripe is important,especially when multiple stripes are configured.

In the sections that follow, you'll use <stripename> in these entities:


3-20

https://www.oracle.com/pls/topic/lookup?ctx=cloud&id=UAIDS-GUID-3CCBB902-7728-4C30-8FA2-6B637B25B744

https://www.oracle.com/pls/topic/lookup?ctx=cloud&id=UAIDS-GUID-3CCBB902-7728-4C30-8FA2-6B637B25B744

https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#Limits

https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#Limits

https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#Requesti

https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#Requesti

Entity Naming convention

IDCS group <stripename>_administrators

OCI group oci_<stripename>_administrators

Compartment <stripename>_compartment

Identity Provider <stripename>_service

Policy <stripename>_adminpolicy

Policy Statement allow group oci_<stripename>_administrators tomanage integration-instances in compartment<stripename>_compartment

Creating an IDCS group for secondary stripe usersIn IDCS, create a group in the secondary stripe and add users from the secondarystripe to the group.

1. Add a group in the secondary stripe, and name it <stripename>_administrators.See Defining a Stripe Naming Convention. For example, name itstripe2_administrators. Click Finish.

For more information, see Create Groups in Administering Oracle Identity CloudService.

These administrators will be granted permission to create Oracle Integrationinstances. This IDCS group will be mapped with an Oracle Cloud Infrastructuregroup.

2. Add users from the secondary stripe to the group.


3-21

Creating an OAuth client in the secondary stripeCreate an IDCS confidential application that uses OAuth client credentials andis assigned the IDCS domain administrator role. You must create a confidentialapplication per secondary stripe.

1. As an IDCS administrator, sign in to the secondary IDCS admin console.

2. Add a confidential application.

a. Navigate to the Applications tab.

b. Click Add.

c. Choose Confidential Application.

d. Name the application Client_Credentials_For_SAML_Federation.

e. Click Next.


3-22

3. Configure client settings.

a. Click Configure this application as a client now.

b. Under Authorization, select Client Credentials.

c. Under Grant the client access to Identity Cloud Service Admin APIs, clickAdd and select the app role Identity Domain Administrator.


3-23

d. Click Next twice.

4. Click Finish. Once the application is created, note its client id and client secret.You’ll need this information in upcoming steps for federation.

5. Click Activate and confirm activating the application.

Creating an Oracle Cloud Infrastructure group for secondary stripeusers

This group is needed because the OCI SAML IDP federation requires group mappingfor federating users from the federated IDP (IDCS), and OCI native group membershipis required for defining and granting OCI permissions (policies) for federated users.

1. In the Oracle Cloud Infrastructure console, choose Identity, then Groups.

This Oracle Cloud Infrastructure group will be mapped with the IDCS group youcreated.

2. Create a group and name it oci_<stripename>_administrators. For example,name it oci_stripe2_administrators.


3-24

Creating the federation and its group mappingNow that you have the IDCS and OCI groups created and client information needed,create the IDCS identity provider and map the groups.

1. Sign in to the Oracle Cloud Infrastructure console. Select the identity domain ofthe primordial stripe (identitycloudservice) and enter its user credentials.

Keep in mind that group mapping for a secondary stripe uses the primordial stripeuser sign in. This is important, since adding multiple stripes adds multiple optionsto this dropdown.

2. Select Identity, then Federation.

3. Click Add Identity Provider.


3-25

4. In the screen displayed, complete the fields as shown below.

Field Entry

Name <stripename>_service

Description Federation with IDCS secondarystripe

Type Oracle Identity Cloud Service

Oracle Identity Cloud Service Base URL Enter this URL using the format:

https://idcs-xxxx.identity.oraclecloud.com

Replace the <idcs-xxxx> domain part withyour secondary IDCS stripe.

Client ID/Client Secret Enter this information that you created in thesecondary stripe and noted during Creatingan OAuth client in the secondary stripesteps.

Force Authentication Select this option

5. Click Continue.

6. Map the IDCS secondary stripe and OCI groups you previously created.

Map the IDCS secondary stripe group (created in Creating an IDCS group forsecondary stripe users) and the OCI group (created in Creating an Oracle CloudInfrastructure group for secondary stripe users).

7. Click Add Provider.

The secondary stripe federation is complete. Notice that the group mapping isdisplayed.


3-26

Creating an Oracle Cloud Infrastructure policy for federated users tocreate instances

With the federation done, set up Oracle Cloud Infrastructure policies that allowfederated users from the secondary IDCS stripe to create Oracle Integration instances.As a common pattern, the policy is scoped to a compartment.

1. Create a compartment where Oracle Integration instances for the secondary IDCSstripe can be created. Name the compartment <stripename>_compartment.

For example, create a compartment named stripe2_compartment.

2. Create a policy that will allow federated users to create Oracle Integrationinstances in the compartment. Name the policy <stripename>_adminpolicy (forexample, stripe2_adminpolicy).

• Policy: allow group oci_stripe2_administrators to manageintegration-instances in compartment stripe2_compartment

• Syntax: Allow group <stripename>_administrators to<verb> <resource-type>in compartment<stripename>_compartment


3-27

This policy allows a user who is a member of the group in the policy to createan Oracle Integration instance (integration-instance) in the compartment namedstripe2_compartment.

Creating Oracle Integration instances in the secondary stripecompartment

With federation and Oracle Cloud Infrastructure policies defined, federated userscan sign into the Oracle Cloud Infrastructure console and create Oracle Integrationinstances as shown.

1. Sign-in as a federated user from the secondary stripe.

Users will need to select the secondary stripe in the Identity Provider field (idcs-secondary-stripe-service, in this case).


3-28

2. Authorized administrators can ceate Oracle Integration instances in the specifiedcompartment (idcs-secondary-stripe-compartment, in this case).


3-29

4Creating and Editing Oracle IntegrationGeneration 2 Instances

Create and edit Oracle Integration Generation 2 instances in the Oracle CloudInfrastructure Console.

Topics:

• Creating an Oracle Integration Instance

• Accessing an Oracle Integration Instance

• Editing the Edition, License Type, and Message Packs of an Instance

• Viewing Instance Details

• Stopping and Starting an Oracle Integration Instance

• Moving an Instance to a Different Compartment

• Deleting an Instance

• Upgrade to Oracle Integration Generation 2

Creating an Oracle Integration InstanceCreate an Oracle Integration instance in a selected compartment.

Note:

You must sign in as a federated user that has been configured to createan instance. If you attempt to provision as a nonfederated user, you areprompted to enter an access token, which is not supported. See ConfiguringAccess to Create and Manage Instances in One Console and Signing in tothe Console.

Note:

The steps in this section apply to Oracle Integration Generation 2 and OracleIntegration for SaaS Generation 2. Differences in instance creation arenoted. For more information about the SaaS version, see Oracle Integrationfor Oracle SaaS.

1. In the upper corner, note your selected region.

Once created, instances are visible only in the region in which they were created.For information about regions, see Regions and Availability Domains.

4-1


3. Under the Solutions and Platform category, select Application Integration >Integration.

4. From the Compartment list, click through the hierarchy of compartments andselect the one in which to create the instance. You may need to expand the + iconto find the compartment to use. Compartments can contain other compartments. Itmay take several minutes for the new compartment to appear after the policy hasbeen created.

Chapter 4Creating an Oracle Integration Instance

4-2

Note:

Do NOT select the root or ManagedCompartmentForPaaS compartmentin which to create your instance.

The page is refreshed to show any existing instances in that compartment.

5. Click Create Integration Instance.

6. Enter the following details, and click Create:

Field Description

Display Name Enter the display name for the instance. Note that thedisplay name becomes part of the URL for accessing theinstance.

Edition • Standard: This option provides you with a license touse Integrations, which enables you to integrate SaaSand on-premises applications.

• Enterprise: This option provides you with a licenseto use Integrations and Processes, which enables youto integrate SaaS and on-premises applications andautomate business processes.

See Oracle Integration Editions to see what's licensed ineach edition.

Visual Builder is available with either option.

License Type Note: If you are provisioning Oracle Integration for SaaS,this field is not shown.

• Select to create a new Oracle Integration license inthe cloud. This provides you with packages of 5Kmessages per hour.

• Select to bring an existing Oracle Fusion Middlewarelicense to the cloud for use with Oracle Integration.This provides you with packages of 20K messagesper hour. This option is also known as bring your ownlicense (BYOL).


4-3

Field Description

Message Packs The message pack options available for selection arebased on the version of Oracle Integration instance youare creating.• For Oracle Integration: Select the number of message

packs. The total number of messages available perpack is based on the License Type option youselected. You can select up to 3 message packsif you bring an existing Oracle Fusion Middlewarelicense to the cloud. You can select up to 12 messagepacks if you create a new Oracle Integration license inthe cloud.

• For Oracle Integration for SaaS: Select the numberof message packs to use per month. Each messagepack consists of one million messages. You canselect up to 43 message packs.

Access Token If this field is displayed, you are creating an instance asa non-federated user. Sign in as a federated user andrestart creating an instance.

Show Advanced Options Tags: Enter a key and optional value. Tags enable you totrack resources within your tenancy. See Resource Tags.


• For Oracle Integration for SaaS:


4-4

https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcetags.htm

Instance creation takes some time. If you attempt to click the instance name andreceive a 401: Authorization failed or a 404: Not Found error, but followed allthe correct steps, instance creation has not completed. Wait a few more minutes.

7. When instance creation completes successfully, the instance shows as Active inthe State column.

Choosing a License TypeSelect a license type for your Oracle Integration instance.

Note: Choosing a license type applies when provisioning Oracle Integration only. Itdoesn't apply to Oracle Integration for SaaS.

• Select to create a new Oracle Integration license in the cloud. This provides youwith packages of 5K messages per hour.

• Select to bring an existing Oracle Fusion Middleware license to the cloud for usewith Oracle Integration. This provides you with packages of 20K messages perhour. This option is also known as bring your own license (BYOL).

Choosing a Message Pack NumberWhen creating or editing an instance, specify the number of messages to use.

The message pack options available for selection are based on the version of OracleIntegration instance you are creating or editing.

• For Oracle Integration: Select the number of message packs. The total number ofmessages available per pack is based on the License Type option you selected.You can select up to 3 message packs if you bring an existing Oracle Fusion


4-5

Middleware license to the cloud. You can select up to 12 message packs if youcreate a new Oracle Integration license in the cloud.

• For Oracle Integration for SaaS: Select the number of message packs to use permonth. Each message pack consists of one million messages. You can select upto 43 message packs.

Accessing an Oracle Integration InstanceNavigate to an Oracle Integration instance in One Console to open it.

Note:

The steps described in this section assume that you have view permissionto the compartment containing one or more Oracle Integration instances.For users without view (or greater) permission to the console, a URL to theOracle Integration instance should be provided by the administrator.

Note:

A user who creates an instance automatically has the ServiceAdministratorrole assigned. All other users must have the appropriate role assigned foraccess. See Assigning Service Roles for Oracle Integration Access.


2. Under the Solutions and Platform category, select Application Integration >Integration.

3. If needed, select a compartment in the Compartment field.

The page is refreshed to show any existing instances in that compartment. Ifneeded, select another region. Note that instances are visible only in the region inwhich they were created.

4. At the far right, click , and select Service Console to access the OracleIntegration login page.

If a message appears that access was denied, or the home page flashes, youdon't have access to the Oracle Integration instance. See Assigning Service Rolesfor Oracle Integration Access.

At this point, you are ready to:

Chapter 4Accessing an Oracle Integration Instance

4-6

• Learn about the features and capabilities of Oracle Integration. See OracleIntegration.

• Assign service roles to users (such as Developer or Administrator) to allowthem to work with the features of Oracle Integration. See Assigning ServiceRoles for Oracle Integration Access.

Editing the Edition, License Type, and Message Packs of anInstance

You can edit the edition, license type, and number of message packs of an OracleIntegration Generation 2 instance. For Oracle Integration for SaaS Generation 2instances, you can edit the edition and number of message packs.

1. In the Name column, click the instance to edit.

The Edit Integration Instance dialog is displayed.

• For Oracle Integration installations:

• For Oracle Integration for SaaS installations:

Chapter 4Editing the Edition, License Type, and Message Packs of an Instance

4-7

http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=integration-suite-get-started


2. Click Edit.

3. Update appropriate fields:

Field Description

Edition • Standard: Update to the Integrationfeature set. This option enables youto integrate SaaS and on-premisesapplications.

• Enterprise: Update to the Integrationand Process feature set. This optionenables you to integrate SaaS andon-premises applications and automatebusiness processes.

License Type Note: If you are provisioning OracleIntegration for SaaS, this field is not shown.

• Update to create a new OracleIntegration license in the cloud. Thisprovides you with packages of 5Kmessages per hour.

• Update to bring an existing OracleFusion Middleware license to the cloudfor use with Oracle Integration. Thisprovides you with packages of 20Kmessages per hour. This option is alsoknown as Bring Your Own License(BYOL).

Chapter 4Editing the Edition, License Type, and Message Packs of an Instance

4-8

Field Description

Message Packs The message pack options available forselection are based on the version of OracleIntegration you are installing.• For Oracle Integration installations: Edit

the number of message packs. Thetotal number of messages available perpack is based on the License Typeoption you selected. You can selectup to 3 message packs if you bringan existing Oracle Fusion Middlewarelicense to the cloud. You can select upto 12 message packs if you create anew Oracle Integration license in thecloud.

• For Oracle Integration for SaaSinstallations: Edit the number ofmessage packs to use per month. Eachmessage pack consists of one millionmessages. You can select up to 43message packs.

Viewing Instance DetailsYou can view details about a provisioned instance and perform tasks such asaccessing the instance login page to design integrations and processes, editing aninstance, adding tags, deleting instances, and viewing instance life cycle activity.

• Click a specific instance name in the Oracle Cloud Infrastructure Console. TheDetails page is displayed. The word Active is displayed beneath the green circleto indicate that this instance is running. If you are viewing an Oracle Integration forSaaS instance, the License Type field is not displayed.

The following table describes the key information shown on the instance detailspage:

Chapter 4Viewing Instance Details

4-9

Field Description

Integration Instance Information tab • Creation date• Last updated date (for example, the last

time started)• Edition (standard or enterprise)• OCID value that uniquely identifies the

instance• License type (either a new cloud license

or an existing license brought over fromOracle Fusion Middleware). If you areviewing an Oracle Integration for SaaSinstance, the License Type field is notdisplayed.

• Number of message packs and thequantity of messages in each pack

Service Console Click to access the login page. See OracleIntegration.Note: You can also access the login pagefrom the main Oracle Cloud InfrastructureConsole page for Oracle Integration. At the

far right, click for the specific instance, andselect Service Console.

Edit Click to edit your settings. See Editing theEdition, License Type, and Message Packsof an Instance.

Move Instance Click to move the instance to a differentcompartment. This action can take sometime to complete. See Moving an Instanceto a Different Compartment.

Add Tags Click to add tags to the instance. You canuse tags to search for and categorize yourinstances in your tenancy. See ResourceTags.

Delete Click to delete the instance. See Deleting anInstance.

Work Requests Lists instance life cycle activity, such asinstance creation time, instance stop andstart times, and so on.

Tags tab Displays any tags associated with theinstance. Click Add Tags to add a tag.

Stopping and Starting an Oracle Integration InstanceYou can stop and start Oracle Integration Generation 2 instances. After a stop requestis initiated, the instance goes into a pausing state. During the pausing state, no newintegrations and processes are started. In-flight integrations and processes continueuntil they either complete or reach a checkpoint. When the integrations and processesare no longer running, the instance goes into a completely paused state. During

Chapter 4Stopping and Starting an Oracle Integration Instance

4-10





this state, Oracle Integration design time, settings, and monitoring capabilities areunavailable.

Note:

• Oracle recommends that you do not stop instances running in aproduction environment.

• The start and stop functionality is the same in Oracle Integration andOracle Integration Generation 2.

1. Start or stop an instance in either of two ways:

a. On the Integration Instances page, go to the end of the row for the specificinstance, and click . Note that an active instance is identified as Active andan inactive/stopped instance is identified as Inactive in the State column.

b. On the details page of a specific instance, select

.

2. Select the action to perform:

a. To stop your instance, select Stop, then select Stop again when prompted toconfirm your selection.

The instance state changes to Updating during the pausing process. Whencomplete, the state changes to Inactive in the State column.

This action causes the following to occur:

• For Oracle Integration users, billing is paused for the duration that theinstance is paused. For Oracle Integration for SaaS users, billing is notimpacted by pausing an instance.

• Integration endpoints are paused.

• Process instances are paused.

• Runtime is paused.

• Scheduled integrations do not execute.

• Database purging continues to run.

• REST APIs are unavailable for use. If you attempt to use the APIs whileyour instance is in a paused state, you receive a 409 error.

• Design time is not available for use. If you access the Oracle CloudInfrastructure Console, it displays a page indicating the stopped state andasks you to start the instance for the console to become available.

b. To resume your instance, select Start, then select Start again when promptedto confirm your selection.

The instance state changes to Updating during the resumption. Whencomplete, the state changes to Active in the State column.

Chapter 4Stopping and Starting an Oracle Integration Instance

4-11

Note:

You can use the REST APIs to stop and start an instance. See OracleIntegration API. Oracle Integration APIs are available in the left navigationpane.

Moving an Instance to a Different CompartmentYou can move an instance to a different compartment.

Note:

Moving an instance can potentially change who has access to the instance.For example, if user A has the manage or read permission for onecompartment and you move the instance to another compartment, theylose access. Ensure that the user has the necessary permissions for thecompartment to which to move the instance.

Note:

Moving an instance affects access within One Console only (view or managepermissions). Access to an Oracle Integration instance does not change.

You can move an instance in either of two ways:

From the main Oracle Cloud Infrastructure Console page for Oracle Integration.

1. Identify the instance to move.

2. At the far right, click , and select Move Instance.

From the details page for an existing Oracle Integration instance.

1. Click a specific instance name in the Oracle Cloud Infrastructure Console. TheDetails page is displayed.

2. Click Move Instance.

3. Select the compartment to which to move the instance, then click MoveResource.The move can take several minutes to complete. When done, the instance isdisplayed in the new compartment.

Chapter 4Moving an Instance to a Different Compartment

4-12

https://docs.cloud.oracle.com/en-us/iaas/api/#/en/integration/20190131/


Deleting an InstanceYou can delete an Oracle Integration instance.

Note:

Deleting an Oracle Integration instance cannot be undone.

You can delete an instance in either of two ways:

From the main Oracle Cloud Infrastructure Console page for Oracle Integration.

1. Identify the instance to delete.

2. At the far right, click , and select Delete.

From the details page for an existing Oracle Integration instance.

1. Click the instance name in the Oracle Cloud Infrastructure Console that you wantto delete.

2. Click Delete.

3. Click Yes when prompted to confirm your selection.

Upgrade to Oracle Integration Generation 2Take advantage of this free, automated upgrade for Oracle Integration instances. Afterthis upgrade, expect faster performance, greater reliability, and our latest features.

Note:

Upgrade scheduling is available to instance administrators only.

What is Oracle Integration Generation 2?

Oracle Integration Generation 2 is the next generation of our Oracle Integrationplatform. This upgrade delivers improved performance and reliability as well assignificant improvements in provisioning and other lifecycle management activities bymore deeply leveraging the power of Oracle Cloud Infrastructure.

Chapter 4Deleting an Instance

4-13

What is the upgrade process and how will it impact my service?

This is a planned maintenance event and will include scheduled downtime during theupgrade process. Your Oracle Integration Generation 2 instance will use the sameURL and integration endpoints.

The upgrade process will take several hours, during which inflight integrationprocessing will be paused and user logins will be disabled. Upon completion, yourservice will be fully restored using the same instance URL and access credentials.Each Oracle Integration instance will be separately upgraded. You have the option ofscheduling different instances for different upgrade windows.

Two weeks after the upgrade of your first Oracle Integration instance, options to createnew Oracle Integration (PSM) instances will no longer be available in your tenancy, asthey're no longer needed.

When will my instance be upgraded?

1. Watch for a notification.

You'll receive an Oracle Cloud Infrastructure notification and see a banner on yourOracle Integration Home page, telling you that your instance will be upgraded. Thebanner includes two links: one to a Schedule Upgrade page and another to theupgrade documentation.

2. Click the Review the details of your upgrade link and follow the upgrade steps.

What MUST I do before the upgrade?

Perform these steps before the upgrade starts:

1. Ensure that you are subscribed to the same Oracle Cloud Infrastructure region asthe Oracle Integration instance you intend to upgrade.

If you received a notification email indicating that your Oracle Cloud Infrastructuretenancy is not subscribed to all necessary regions, subscribe to all regions byfollowing these quick steps in Subscribe to Regions Before Upgrading.

2. If needed, select a different upgrade window.

The Upgrade Window field shows the date and time during which the instanceis currently scheduled for upgrade. You can select a different window, based onavailability. Unless you make a change, the current window displayed in yourinstance will be used for the upgrade.

3. Specify the new OCID of the compartment to be used.

By default, the cloud tenancy's root compartment is used for the upgraded OracleIntegration Generation 2 instance and its OCID is listed in the CompartmentOCID field. However, we recommend that you create a new compartment in theroot compartment and enter its OCID for the Oracle Integration instance in Gen 2.

Chapter 4Upgrade to Oracle Integration Generation 2

4-14

To create a new compartment in the OCI console, see Creating an Oracle CloudInfrastructure Compartment.

4. After making a change, click the Update button.

5. Update email authentication settings for SPF and DKIM, as needed.

See the What do I need to know about email authentication in OracleIntegration Generation 2? item below.

6. If needed, allowlist your IP addresses.

See the What do I need to know about IP addresses in Oracle IntegrationGeneration 2? item below.

If needed, schedule upgrades for other instances.

If your account includes multiple Oracle Integration instances, note that each instanceneeds to be individually upgraded. This means you can choose to first upgradeyour development and test instances, and later upgrade your production instances.However, if you leave the default settings, the instances are upgraded in the defaultorder as specified on the Schedule Upgrade page. If you want your non productioninstances to be upgraded before production, you MUST go to the Oracle IntegrationHome page and change the upgrade windows to reflect the upgrade order youwant.

Note the upgrade window lock dates

• Three weeks before the selected upgrade, the upgrade window selection becomeslocked and you can make NO further changes.

• One week before the upgrade, you can NO LONGER perform lifecycleoperations on the Oracle Integration instance, such as scale up or down, andstart or stop.

What happens during the upgrade?

During the upgrade window, the Oracle Integration instance will be unavailable. Allactivity in the Oracle Integration instance, including design time and runtime, willbe stopped. Users who attempt to sign in will see a message that the instance istemporarily unavailable. All metadata and in-flight instance data are moved to the newinstance.

What do I need to do after the upgrade?

Complete these steps.

1. Access your Oracle Integration Generation 2 instance using your existing OracleIdentity Cloud Service (IDCS) credentials.

2. Test your upgraded instance.

Once the upgrade is complete, perform regression testing. If you find issues, opena service request. For example, verify that your instance is running, endpoints arebeing reached, and so on.


4-15

3. Create Oracle Cloud Infrastructure users and groups to enable Oracle CloudInfrastructure Console access.

Oracle Identity Cloud Service identities are retained during upgrade, so youcan continue using your Oracle Identity Cloud Service users and groups foraccessing the Oracle Integration console and running integrations. But you'llneed to configure policies in Oracle Cloud Infrastructure, create Oracle CloudInfrastructure groups, and map Oracle Cloud Infrastructure groups to OracleIdentity Cloud Service groups.

See Setting Up Users and Groups in Provisioning and Administering OracleIntegration and Oracle Integration for SaaS, Generation 2.

What do I need to know about IP addresses in Oracle Integration Generation 2?

The endpoint URLs and the Oracle Identity Cloud Service application associatedwith your instance remain the same. You access the Oracle Integration Generation2 instance in much the same way as the original instance.

However, the ingress and egress IP addresses are different. So if you previouslyallowlisted (explicitly allowed identified entities access) the IP addresses of yourOracle Integration instances, you must allowlist the new IP addresses for OracleIntegration Generation 2. Once the upgrade window becomes locked, Oracle providesthe new IP addresses to organizations that allowlist.

Note:

You’ll need to allowlist IP addresses for Oracle Integration Generation 2wherever you previously included IP addresses in the allowable list. Forexample, you’ll need to allowlist in these cases:

• You use Connectivity Agent and have included Oracle Integration IPaddresses in the allowable list.

• You use applications such as Oracle E-Business Suite or Siebel whichhave included Oracle Integration IP addresses in the allowable list wheninvoking Oracle Integration integration flows.

• You’re using Oracle Integration to invoke endpoints hosted on your on-premises/private cloud and have included NAT Gateway IP addresses inthe allowable list.

What do I need to know about email authentication in Oracle IntegrationGeneration 2?

Follow these steps to update email authentication settings for SPF and DKIM, ifneeded.

1. SPF (Sender Policy Framework): Previously, sender verification was supportedby adding the standard record include:spf_c.oraclecloud.com to the domain ofthe from address to include the Oracle Cloud Infrastructure email delivery domain.

In Oracle Integration Generation 2 instances, the SPF record format has changed,and the record must now identify the continent key of the Oracle Integrationinstance. (Also see Configure SPF.)

Use this format for the SPF record for Oracle Integration Generation 2 instances:


4-16

https://docs.cloud.oracle.com/en-us/iaas/Content/Email/Tasks/configurespf.htm

v=spf1 include:<continentkey>.oracleemaildelivery.com ~all

Examples:

• America: v=spf1 include:rp.oracleemaildelivery.com ~all

• Asia/Pacific: v=spf1 include:ap.rp.oracleemaildelivery.com ~all

• Europe: v=spf1 include:eu.rp.oracleemaildelivery.com ~all

2. DKIM (DomainKeys Identified Mail): To configure DKIM keys for OracleIntegration Generation 2 instances, please log a Service Request in My OracleSupport and add the newly created public key to the DNS record of the fromaddress domain. You'll need to provide the following values; otherwise, defaultvalues are used.

• selector name

• key size

After the public-private key pair is generated, the public key will be shared withyou. The private key is used to sign the email sent from Oracle Integration usingthe corresponding from address.

Below are two DNS TXT records added to the domain's DNS zone. They usesample values for illustration purposes; replace their values with actual values.Follow these steps to complete the DKIM configuration process:

a. Add a _domainkey sub-domain under the sending domain itself(_domainkey.oraclecloud.com).

b. Under the _domainkey sub-domain you just added, create a TXT record withthis value:

o=~\;

c. Add a sub-domain under _domainkey with the same name as the selector( default._domainkey.oraclecloud.com). Here default is the selectorname.

d. Under the selector sub-zone you just added, create a single TXT record withthis value (with a space between the k and p assignments, not a hard return):

k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA17OmCozSzQyyBCqjz8Uz9vAdnq62tdYKPUdvVxg3hzOgLUuEtzAP7HrnZ7JUQyg2t+/8O3fU/WWu6QaVjHs+evn9vbQ68pT9dLCtXuZxXQ/87cW9td5m0pRmB6RDtLrpQr2bLiMVP68rDBjc503Q8p8Uy8/EoDQFKuN2qJb2x8auwOSf+g8wNYXBVnnz7Hv5Abf5kzksBUJUt4FF82vLsS2XKVdrPQO+CtBJb5GX693/A4WcVwac+NFJ5jt3PvcnputJiDp4kXlyJrPNrP+JLirl/bwgyuC2O4HUoEo0A9N4HSpDQhwhpNQAoZ3ClRkJyB3ZVpBuXOFuIUHcM0SkeQIDAQAB

For information about email notifications in integrations, see Send Notification EmailsDuring Stages of the Integration with a Notification Action and Sending Service FailureAlerts, System Status Reports, and Integration Error Reports by Notification Emails inUsing Integrations in Oracle Integration.

For information about email notifications in processes, see Enable Email Notificationsin Using Processes in Oracle Integration.

What do I get with Oracle Integration Generation 2?

Make use of these Oracle Integration Generation 2 capabilities:


4-17

• Native integration with the Oracle Cloud Infrastructure Console

• Integration Insight in Oracle Integration for modeling and extracting meaningfulbusiness metrics

• File Server, an embedded SFTP server within Oracle Integration

• Support for Oracle Cloud Infrastructure (OCI) Compartments, for organization andinstance access control

• Oracle Cloud Infrastructure Identity and Access Management (IAM)

• Read/View only access to Oracle Integration instances

• Support for tagging

• Service instance Lifecycle Management (LCM) capabilities, including Terraform,CLIs, APIs, and CI/CD

• Integration with the Oracle Cloud Infrastructure Monitoring service

• Compartment quotas for better control over how resources are consumed

• Event automation based on Oracle Integration state changes using event types,rules, and actions

• Ability to update Oracle Integration instances: Move between compartments,change edition and number of message packs

What do I need to know about lifecycle (LCM) APIs in Oracle IntegrationGeneration 2?

Oracle Integration Generation 2 provides updated lifecycle (LCM) management APIsbuilt for Oracle Cloud Infrastructure for your use. See Oracle Integration API in theOracle Cloud Infrastructure documentation (Oracle Integration CLI). For example, APIshave changed for creating, deleting, and starting and stopping Integration instances.

Subscribe to Regions Before UpgradingOracle has begun upgrading Oracle Integration instances to Oracle IntegrationGeneration 2 instances. However, you may have received a notification emailindicating that your Oracle Cloud Infrastructure tenancy is not subscribed to all thenecessary regions. Follow these steps to quickly subscribe to all regions.

Subscribe to Regions Before Upgrade

Before upgrade, your Oracle Cloud Infrastructure tenancy must be subscribed to eachregion in which an Oracle Integration instance exists. For example, if Ashburn is yourhome region, but you created an Oracle Integration instance in the Phoenix region, thetenancy must be subscribed to the Phoenix region.

1. Locate the region for each of your Oracle Integration instances.

a. From the list of your instances, select each instance.


4-18

https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/2.12.3/oci_cli_docs/cmdref/integration.html

b. Click

in the top right corner of the page.

c. Locate the region.


4-19

d. Repeat these steps for all other instances.

2. Subscribe to regions, as needed.

a. Open the console, open the Region menu, and click Manage Regions. Thelist of regions available to your tenancy is displayed. Your home region islabeled.

b. Locate the region you want to subscribe to and click Subscribe. It may takeseveral minutes to activate your tenancy in the new region.

c. Repeat these steps to subscribe to all unsubscribed regions of an OracleIntegration instance. You can manage infrastructure regions. See ManagingRegions.

Creating an Access Token to Provision an Instance with theCLI or REST API

Before you can provision an Oracle Integration instance as a nonfederated userwith the command line interface (CLI) or REST API, you must create an application

Chapter 4Creating an Access Token to Provision an Instance with the CLI or REST API

4-20

https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingregions.htm

https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingregions.htm

and generate an access token. You specify the access token when provisioning theinstance.

Note:

These instructions are not required when provisioning an instance as afederated user. An access token is only required for nonfederated users.

• Creating the Application

• Generating the Access Token

You can create an instance with the CLI and the REST API. See:

• OCI CLI Command Reference

• Oracle Integration API

Generating the Access TokenBefore you can provision an Oracle Integration instance as a nonfederated user, youmust create an access token.

1. Sign in as the tenant administrator.

2. From the in the upper left corner, select Identity > Federation.

3. Click the OracleIdentityCloudService link.

4. From the

in the upper left, select Applications.

5. Scroll down and click the application you created (for this example, named PSO-AT-Gen-App).

6. Select Customized Scopes.

7. Select Invokes Identity Cloud Service APIs, then specify Identity DomainAdministrator.


4-21

https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/2.7.0/oci_cli_docs/cmdref/integration.html


8. Click Download Token and save the file.

The tokens.tok file contains the access token with the attribute nameapp_access_token.

cat tokens.tok {"app_access_token":"eyJ4NXQjUzI. . . . ."}

9. Provide the access token to the nonfederated user to use for provisioning aninstance.

Creating the ApplicationBefore you can provision an Oracle Integration instance as a nonfederated user, youmust first create an application.

1. Sign in as the tenant administrator.

2. From the in the upper left corner, select Identity > Federation.

3. Click the OracleIdentityCloudService link.

4. From the

in the upper left, select Applications.

5. Click Add.

6. Click Confidential Application.

This starts the Add Confidential Application Wizard.

7. Enter a name (for this example, PSO-AT-Gen-App is provided) and optionaldescription, and click Next.

8. Select Configure this application as a client now and provide the followingdetails for client authorization:

• Allowed Grant Types: Resource Owner Client Credentials, JWT Assertion

• Allowed Operations: Introspect

9. Under Grant the client access to Identity Cloud Service Admin APIs, click +Add.

The Add App Role dialog is displayed.

10. Select Identity Domain Administrator, then click Add.


4-22

11. Click Next to access the next page in the wizard.

12. Select Configure this application as a resource server now.

13. Provide the following details, and click Next.

• Access Token Expiration: 3,600 seconds.

• Is Refresh Token Allowed: Select the check box.

• Refresh Token Expiration: 604,800 seconds.

• Primary Audience: For this example, https://pso-at-gen-app.com/ isprovided (the primary recipient where the token is processed).

14. Under Scopes, click Add.

15. In the Scope field, enter a value (for this example, psoatgenapp).

16. In the Display Name field, enter a value.

17. Leave the Requires Consent check box unselected, then click Add.

18. Click Next to go to the next page in the wizard.

19. Select Skip for later, then click Next.

20. Leave Enforce Grants as Authorization unselected, then click Finish.

The application is created..

21. Click Activate, then click to confirm that you want to activate the application.

The application (named PSO-AT-Gen-App for this example) is created and isready to use to generate the access token for the users.


4-23

5Managing Oracle Integration Generation 2Instances

Oracle manages instances, including performing database management, performingbackups, upgrading instances to the next version, installing patches, and more. Youcan perform these management tasks in Oracle Integration.

Topics:

• Manage Integrations and Errors

• Upload an SSL Certificate

• Manage Integration and Process Instance History

• Configure the Instance Object Storage Bucket

• Export and Import Design-Time Metadata Between Instances

• Set Instance Quotas on Compartments

Configure the Instance Object Storage BucketYou must specify the Swift URL location and username and password credentials ofyour existing object storage bucket instance before you can create export and importarchives of design-time metadata on the Import/Export page.

To complete the fields on this page, an object storage bucket instance must alreadyexist. Otherwise, you must create a new instance. See Step 3: Create an ObjectStorage Bucket and Construct the Storage URL (If Not Using the Application MigrationService).

1. On the Home page, select Settings > Storage.

2. Enter the following details.

Element Description

Name Enter the name of the object storage bucket.

5-1

Element Description

Swift URL Enter the object storage bucket Swift URL.For example:

https://swiftobjectstorage.us-ashburn-1.oraclecloud.com/v1/paasdevoic/cloneRepo

See Step 3: Create an Object StorageBucket and Construct the Storage URL(If Not Using the Application MigrationService).

User Specify the object storage bucket username. See Step 2: Create a User and Groupand Add Policies.

Password Specify the password.

3. Click Save. You can now export and import archives of design-time metadata onthe Import/Export page.

Export and Import Design-Time Metadata BetweenInstances

You can export and import archives of integration and process design-time metadatabetween instances. This feature can be useful if you want to move metadata from atest to a production environment, move metadata from an instance in one region toan instance in another region, perform manual archival backups, or automate yourenvironment to archive backups daily to a repository such as Git. You can also exportOracle Integration archives and import them into Oracle Integration Generation 2.

Note:

Ensure that you first configure the Swift URL location and username andpassword credentials of the object storage bucket instance to which to exportan archive of your design-time metadata on the Instance Storage page. SeeConfigure the Instance Object Storage Bucket.

• Create an Export Job

• Create an Import Job

Create an Export JobYou create an export job that consists of an archive file of design-time metadatathat you want to export to the object storage bucket you configured on the InstanceStorage page.

1. On the Home page, select Settings > Import/Export in the navigation pane.

The Import/Export page is displayed with the status of any import and export jobs.

Chapter 5Export and Import Design-Time Metadata Between Instances

5-2

2. Click Export to create a job. A job consists of an archive file of design-timemetadata that you want to export to the object storage bucket you configured onthe Instance Storage page. If you have not configured an object storage bucket,you are prompted to click Configure Now.

3. Complete the following fields.

Element Description

Job Name Enter a unique job name or accept thedefault value.

Export security artifacts Select the check box to export the followingsecurity artifacts with your job:• Security policies• Security credentials (for connections)• Customer certificates• Application role memberships in

Processes.

Description Enter an optional description that describesthe export job.


5-3

4. Click Start Export Job.

A message is displayed in the banner at the top of the page.

Export job has been successfully started.

5. View the status of export job creation and click the refresh icon periodically toview progress. You can click the job name to view more specific job details.

When the export job completes successfully, Completed is displayed in theStatus field.

6. Click

to view details about a job.


5-4

7. If export archive creation does not complete successfully, click to download areport about the export job.

Create an Import JobYou create a job to import the exported archive job from the object storage bucketinstance into the new instance.

1. Sign in to the instance in which to import the exported archive of design-timemetadata.

2. On the Home page, select Settings > Import/Export.

3. Click Import to create a job to import the exported archive job from the objectstorage bucket instance into the new instance.

4. Complete the following fields.

Element Description

Archive Filename Select the archive to import into theinstance.

Import Mode Select the import mode:• Import: Imports all integrations in the

archive. You can also select Activateand Start Schedules to activate allintegrations and start all schedulesduring this same import session orduring a separate session at a latertime. Selecting those options separatelyenables you to first update anyconfiguration properties in the importedintegrations (for example, modify anynecessary configuration or securityproperties on the Connections page foreach integration).

• Activate: Activates all integrationsimported with the Import option duringthe same session or during a separatesession. You can also select StartSchedules to start any integrationschedules.

• Start Schedules: Starts integrationschedules during the same sessionin which you selected Import andActivate or during a separate session.

Import security artifacts Select this check box if you previouslyselected Export security artifacts whencreating your export archive job.

Job Name Enter a unique job name or accept thedefault value.

Description Enter an optional description that describesthe import job.


5-5

5. Click Start Import Job to start the job to import the archive from the objectstorage bucket instance into the new Oracle Integration instance.

A message is displayed in the banner at the top of the page.

Import job has been successfully started.

6. View the status of import job creation and click the refresh icon periodically toview progress.

When the import job completes successfully, Completed is displayed in theStatus field.

7. Click

to view details about the job.


5-6

8. If the import archive is not successful, click to download a report about theimport job.

9. Browse the pages and note that the design-time metadata you exported is nowvisible. For example, for Integrations, look for integrations, connections, lookups,and more. For Processes, look for process applications and decision models.

Note:

Your archive file resides in the object storage bucket until you delete it.

Manage Integrations and ErrorsYou can manage integration and process errors in Oracle Integration.

Activate the service in Oracle Integration when the integration is ready to go live andyou can deactivate an active Integration. You can modify or clone the integration.Delete an integration that is no longer needed. See Manage Integrations in UsingIntegrations in Oracle Integration.

You can manage errors from the Errors pages in Oracle Integration at the integrationlevel, connection level, or specific integration instance level. See Manage Errors inUsing Integrations in Oracle Integration.

Upload an SSL CertificateCertificates are used to validate outbound SSL connections. If you make an SSLconnection in which the root certificate does not exist in Oracle Integration, anexception is thrown. In that case, you must upload the appropriate certificate. Acertificate enables Oracle Integration to connect with external services. If the externalendpoint requires a specific certificate, request the certificate and then upload it intoOracle Integration.

For Process, use this page to manage runtime security certificates for messageprotection. Upload, update, or delete certificates as needed. In Process applications,certificates are used to validate external web service connections for an applicationwhen message security is applied. If an external endpoint requires a specificcertificate, request the certificate and upload it into Oracle Integration. An expiredcertificate results in a process instance error.

To upload an SSL certificate:

1. In the left navigation pane, click Home > Settings > Certificates.All certificates currently uploaded to the truststore are displayed in the Certificates dialog. The

link enables you to filter by name, certificate expiration date, status, type, category,and installation method (user-installed or system-installed). Certificates installedby the system cannot be deleted.

Chapter 5Manage Integrations and Errors

5-7

2. Click Upload at the top of the page.The Upload Certificate dialog box is displayed.

3. Enter an alias name and optional description.

4. In the Type field, select the certificate type. Each certificate type enables OracleIntegration to connect with external services.

• X.509 (SSL transport)

• SAML (Authentication & Authorization)

• PGP (Encryption & Decryption)

X.509 (SSL transport)

1. Select a certificate category.

a. Trust: Use this option to upload a trust certificate.

i. Click Browse, then select the trust file (for example, .cer or .crt) toupload.

b. Identity: Use this option to upload a certificate for two-way SSLcommunication.

i. Click Browse, then select the keystore file (.jks) to upload.

ii. Enter the comma-separated list of passwords corresponding to keyaliases.

iii. Enter the password of the keystore being imported.

c. Click Upload.

SAML (Authentication & Authorization)

1. Note that Message Protection is automatically selected as the only availablecertificate category and cannot be deselected. Use this option to upload a keystorecertificate with SAML token support. Create, read, update, and delete (CRUD)operations are supported with this type of certificate.

2. Click Browse, then select the certificate file (.cer or .crt) to upload.

3. Click Upload.

Chapter 5Upload an SSL Certificate

5-8

PGP (Encryption & Decryption)

1. Select a certificate category. Pretty Good Privacy (PGP) provides cryptographicprivacy and authentication for communication. PGP is used for signing, encrypting,and decrypting files. You can select the private key to use for encryption ordecryption when configuring the stage file action.

a. Private: Uses a private key of the target location to decrypt the file.

i. Click Browse, then select the PGP file to upload.

ii. Enter the PGP private key password.

b. Public: Uses a public key of the target location to encrypt the file.

i. Click Browse, then select the PGP file to upload.

ii. In the ASCII-Armor Encryption Format field, select Yes or No. Yesshows the format of the encrypted message in ASCII armor. ASCIIarmor is a binary-to-textual encoding converter. ASCII armor formatsencrypted messaging in ASCII. This enables messages to be sent ina standard messaging format. This selection impacts the visibility ofmessage content. No causes the message to be sent in binary format.

iii. From the Cipher Algorithm list, select the algorithm to use. Symmetric-key algorithms for cryptography use the same cryptographic keys for bothencryption of plain text and decryption of cipher text.

c. Click Upload.

Manage Integration and Process Instance HistoryYou can determine when to purge the data in your database. You can also viewthe notification and quiesced thresholds for your database and the percentage of thedatabase that has been used.

Process instance history is automatically purged periodically, based on settings inOracle Integration. See Archive and Purge Data in Using Processes in OracleIntegration.

For integration instance data, set retention and purging settings. See Purging andRetaining Data in the Database in Using Integrations in Oracle Integration.

Set Instance Quotas on CompartmentsYou can set limits on the number of Oracle Integration Generation 2 instances that canbe created in a compartment.



3. In the Create Policy window, enter a name (for example, instanceCreationQuota)and a description.

Chapter 5Manage Integration and Process Instance History

5-9

4. Complete the Policy Statements field. As an example, to set a quota limit of10 instances for the compartment named MyCompartment, enter the followingstatement:

Set integration quota instance-count to 10 in compartment MyCompartment

Where:

• integration: Is the family name for Oracle Integration.

• instance-count: Is the quota name.

5. Click Create.

The policy statement is validated and any syntax errors are displayed.

Chapter 5Set Instance Quotas on Compartments

5-10

6Monitoring Oracle Integration Generation 2Instances

Monitor your Oracle Integration instance and its features.

Monitor Features:

• Monitor Integrations in Using Integrations in Oracle Integration

• Monitor Processes in Using Processes in Oracle Integration

• Gain Business Insight in Using Integration Insight in Oracle Integration

Topics:

• Viewing Message Metrics

• Monitoring Billable Messages

Viewing Message MetricsYou can view charts that show the total number of Integration message requestsreceived, message requests that succeeded, and message requests that failed foreach instance in Oracle Integration.

1. Ensure you have permission to view message metrics for the compartment.

• If you are an administrator with manage access, you can automatically viewmessage metrics for the compartment. For manage access, you must bepart of an Oracle Cloud Infrastructure group assigned a manage policy. SeeCreating an Oracle Cloud Infrastructure Group to Manage Instances.

• If you are an administrator with read only access, you must be part ofan Oracle Cloud Infrastructure group assigned a read metrics policy. SeeCreating an Oracle Cloud Infrastructure Policy for Read Only Access.For example, see the following policy statement:

– Policy: allow group oci-integration-admins to read metrics incompartment OICPMCompartment

– Syntax: Allow group <group_name> to <verb> <resource-type> incompartment <compartment-name>

2. Select an instance in the Oracle Cloud Infrastructure Console.

The metrics page is displayed.

Charts showing the number of message requests the instance has received, thenumber of message requests that completed successfully, and the number ofmessage requests that did not complete successfully are displayed.

6-1

3. Change the message metrics displayed for each chart, if needed. Metric countsoccur every five minutes.

Start Time and End Time are selected at the top of each chart. Change thesevalues to select a different time period.

Change the Interval and Statistic fields for each chart to change the metricsdisplayed.

4. Click Options on the top right of each chart to navigate to the Metrics Explorerto create custom dashboards and alerts. For more information about monitoring inOracle Cloud Infrastructure, see Viewing Default Metric Charts.

Monitoring Billable MessagesAs an administrator, you can monitor the number of billable messages consumed in aselected Oracle Integration or Oracle Integration for SaaS instance.

Oracle Integration consumption models

The type of license you choose determines how message packs are defined andmetered. The Usage Metrics page is different for Oracle Integration versus OracleIntegration for SaaS.


– BYOL: For Bring Your Own License users, one message pack is defined as20,000 messages per hour. You can select up to 3 message packs if you bringan existing Oracle Fusion Middleware license to the cloud.

Chapter 6Monitoring Billable Messages

6-2

https://docs.cloud.oracle.com/iaas/Content/Monitoring/Tasks/viewingcharts.htm?Highlight=Monitoring%20Metrics

– Non-BYOL: For these license types, one message pack is defined as 5,000messages per hour. You can select up to 12 message packs if you create anew Oracle Integration license in the cloud.

• For Oracle Integration for SaaS, usage is tracked on a monthly basis in packsof one million messages per month, which keeps costs predictable even when youhave unpredictable hourly volumes. Usage is reported monthly instead of hourly.You can select up to 43 message packs.

Oracle Integration features included

Usage metrics cover these features:

• Integration

For information on how Integration billable messages are calculated, see AboutIntegrations Usage.

• Process

For information on how Process billable messages are calculated, see AboutProcess Usage.

• Integration Insight

Each business transaction in Integration Insight counts as one message.

Note:

The billable messages shown in the chart do not include Visual Builderusage metrics.

Viewing usage metrics

1. On the Home page, select Monitoring in the navigation pane, then UsageMetrics.

The Usage Metrics page is displayed.

Note:

Data metrics are displayed using UTC standard time.

• For Oracle IntegrationThe Usage Metrics page shows the total messages used during each hour ofa selected day. In the example illustration below, the blue Configured 5K lineshows that the Oracle Integration instance was configured for 5,000 messagesper hour during provisioning. Values below the configured usage are shown inlight pink and values above it are shown in dark pink.

– To view messages consumed on a different date, select a date using theView calendar.

– Hover the cursor over an hour time period to view its approximatemessage consumption.


6-3

– Click in the upper right of the screen to expand a table that lists eachhour and its billable messages for the selected day.

• For Oracle Integration for SaaSThe Usage Metrics page for SaaS shows the total messages used during eachmonth. In the example illustration below, the blue Configured 5M line showsthat the Oracle Integration for SaaS instance was configured for 5 millionmessages per month during provisioning. Values below the configured usageare shown in light pink and values above it are shown in dark pink.

– To view messages consumed during a different timeframe, select anothertimeframe using the View calendar.

– Hover the cursor over a month time period to view its approximatemessage consumption.

– Click in the upper right of the screen to expand a table that lists eachmonth and its billable messages.

2. Export usage metrics to a CSV file, if needed.

a. Click Export.


6-4

b. In the Export Usage Metrics dialog, select a start date and end date and clickExport.

Each hour is depicted as a record. A maximum of 1000 hours of information(shown as lines in the CSV file) can be exported.

c. Use your browser's download list to access the CSV file.

The exported file shows columns for the date, configured messages, and totalmessages consumed.

3. If needed, change the Oracle Integration instance's configured message packs.See Editing the Edition, License Type, and Message Packs of an Instance.

About Integrations UsageWhen creating Oracle Integration instances, administrators specify the number ofmessage packs they plan to use for per instance.

Rules for tracking Integration billed messages

Follow these rules to determine how message consumption is calculated.

Number Rule Description

1 Trigger Each trigger activity counts as at least one message, up to 50KB inbound. If theinbound message payload exceeds 50KB, 1 additional message is counted for eachadditional 50KB.

2 Invoke Invoke requests don't count as messages, but invoke responses over 50KB count.If the message payload exceeds 50KB, 1 additional message is counted for eachadditional 50KB.

3 File For file based scheduled flows where there are incoming files into integrations, eachfile is converted into a billed message (in multiples of 50KB) only when the size isgreater than 50KB.


6-5

Number Rule Description

4 Internal Internal calls within the same Oracle Integration instance aren't counted asmessages. For example, the following aren't counted:

• Process to Integration• Visual Builder to Integration• Integration to IntegrationCalling another Oracle Integration instance does incur messages in the target OracleIntegration instance, and, depending on the response size, may also incur messagesin the calling Oracle Integration instance.

Integration Usage Examples

This table shows by example how message billing is calculated and the rules thatapply.

IntegrationType

Scenario/Flow Billing Message Calculation Rules ThatApply

Sync/Async(Trigger)

1. Eloqua inbound with40KB payload.

2. Data transformation.

3. External invoke to pushdata to Sales Cloud.

Payload size is considered attrigger.

ceil(40/50) = 1 message

#1 (Trigger)

Sync/Async(Trigger)

1. REST inbound with120KB payload.


3. External invoke to pushdata to Logfire.

Payload size is considered attrigger.

ceil(120/50) = 3 messages

#1 (Trigger)

Sync/Async(Trigger)

1. SOAP inbound with 70KBpayload.

2. Download files in a loop.

3. 3 files downloaded ofsizes 20KB, 170KB, and40KB, respectively.

4. Data transformation/enrichment.

5. External invoke to pushdata to an externalsystem via REST.

Payload size is consideredat trigger. Any subsequentresponse greater than 50KB isalso tracked. In this scenario,only files greater than 50KBare considered.

ceil(70/50) + ceil(170/50) = 2+4 = 6 messages

#1 (Trigger)

#3 (File)


6-6

IntegrationType


Sync/Async(Trigger)

1. Database adapter pullingin 20KB data and 2 rows.

2. For each row, 1 outboundREST invoke is made,which results in 20KBdata for each invoke.

3. Data enrichment/transformation.

4. FTP to an externallocation.

Payload size is consideredat trigger. Any subsequentresponse greater than 50KB isalso tracked.

ceil (20/50) = 1 message

#1 (Trigger)

Sync/Async(Trigger)

1. SOAP inbound with 10KBpayload.

2. Download files in a loop.Two files downloaded ofsizes 20KB and 70KB,respectively.

3. External invoke to getfurther data via RESTadapter. Returns 100KBdata.


Payload size is consideredat trigger. Any subsequentresponse greater than 50KB isalso tracked.

ceil(10/50)+ ceil (70/50) +ceil(100/50) = 1+2+2 = 5messages

#1 (Trigger)

#2 (Invoke)

#3 (File)

Sync/Async(Trigger)

1. Simple REST GETrequest with templateparameters withoutpayload.

2. Call to Oracle ServiceCloud to get contactdetails. Returns aresponse of 40KB.

3. Return the contact data.

Payload size is consideredat trigger. Any subsequentresponse greater than 50KB isalso tracked. Since the triggeris just a GET request withno payload, it's considered 1billed message.

1 message

#1 (Trigger)

Scheduledflow

1. Scheduled trigger.

2. Download files in a loop.Three files downloaded ofsizes 20KB, 170KB, and40KB, respectively.


4. External invoke to transferdata which results in 10bytes of response.

Each invoke/file is consideredin multiples of 50KB whenresponse data is more than50KB.


#3 (File)


6-7

IntegrationType


Scheduledflow


2. Database adapter pullingin 30KB data and 10rows.




Not counted.

None

Scheduledflow


2. External SOAP invoke toget data via BIP reports.Returns 130KB data.






#3 (File)

Scheduledflow


2. Download files in a loop.Two files downloaded ofsizes 20KB and 40KB,respectively.





#2 (Invoke)

Scheduledflow


2. External invoke to getdata via REST adapter.Returns 10KB data.


4. External REST invoke totransfer data which resultsin 500 bytes of response.


Not counted.

#4 (Internal)

None counted


6-8

IntegrationType


ChildIntegrationflow

1. A parent Integration flowcalls a child Integrationflow via REST in a loop.

2. The child Integrationflow sends a notificationemail with the informationpassed from a parentflow.

3. Child flow executioncompletes.

Integration child flow invoke iswaived from metering.

Not counted. Note that theparent may count.

#4 (Internal)

None counted

ChildIntegrationflow

1. Parent Integration flowdownloads a CSV filevia the FTP adapter. TheCSV contains 5 rows.

2. Each row in the CSV filecalls a child Integrationchild flow.

a. The child Integrationflow reads a orderidpassed as an input.

b. Invokes a request toOracle Service Cloudto get data about theorder. Each invokereturns 70KB data.

c. Data transformationin child flow.

d. Pushes the data viaan FTP adapter towrite it to a file.

e. Child executioncompletes.

Integration child flow invokesare waived from metering.Any subsequent response ismetered.

Each child = ceil(70/50) = 2messages

Note that the parent maycount.

#2 (Invoke)

Pub/SubFlows

1. Single publisher flow withREST trigger as 30 KBpayload.

2. Single subscriber to theabove which processesdata and sends it to anexternal service.

Pub counts as 1 message.

Sub is waived on trigger.

#1 (Trigger)


6-9

IntegrationType


Pub/SubFlows

1. Single publisher flow withREST trigger as 30KBpayload.

2. Single subscriber to theabove which processesdata.

3. Sub flow calls OSC to geta response back as 70KB.

4. Sub flow completes.

Pub counts as 1 message.

Sub trigger is waived.However, the invoke ismetered when the response isgreater than 50KB. So the subflow in this case counts as 2messages.

#1 (Trigger)

#2 (Invoke)

About Process UsageWhen creating Oracle Integration instances, administrators specify the number ofmessage packs they plan to use for per instance.

Process message metering

Process metering tracks the number of concurrent, unique users interacting within a1 hour interval. Sizing is based on concurrent users, which are converted to messagepacks. One Process user/hour is equivalent to 400 messages/hour.

• If you have 1,000 messages per hour and 10 distinct users, these would countas 1,000 integration messages + (400)*10 users = 5,000, so 1 message pack of5,000 messages per hour.

• Another way to visualize Process sizing: 5,000 message packs per hour equate to12.5 distinct concurrent users performing tasks.

What's counted?

A logged in user is counted for a minimum of one hour when performing any writeoperations that update a task or process instance, which includes:

• Updating or processing tasks (approve/reject a task, add an attachment/comment,re-assign, or request for information)

• Creating process instances

Within each hour of use, a distinct user can perform an unlimited number of writeoperations.

Oracle Integration has a 1 message pack minimum charge per hour to keep thesystem available, even with no usage. Note that you can turn off your OracleIntegration instance for billing purposes, but no instances are processed while theinstance is stopped.

What's NOT counted?

This count doesn’t include:

• Logged in users performing read-only only (query or read) operations.

• Integrations triggered from the process (integrations are waived).


6-10

Process Usage Examples

This table shows by example how message billing is calculated and the rules thatapply.

Scenario Type Scenario Billing Message Calculation

ProcessWorkspace

Between 9am and 10am, 20 employeesaccess Workspace. Within the one hourtimeframe:

• 5 users (user1 through user5) createa total of 100 new process instances.

• 10 other users (user6 throughuser15) process different taskscreated by user1 through user5, andcomplete them.

• The remaining 5 users (user16through user20) only check the taskand process instance status, butdo not perform any update/writeoperations.

The 9am-10 am hour blockreports 15 concurrent users (5created new instances and 10processed tasks).

ProcessWorkspace andmobile app

Between 10 and 11am, 10 users accessWorkspace and 5 access the OracleProcess Mobile app. Within the one hourtimeframe:

• 10 users (user1 through user10)create new process instances andalso approve at least 1 task total.

• 5 users (user11 through user15)log into the mobile app: 3 of themcreate new instances, and the other 2perform only read-only operations.

The 10am-11am hour blockreports 13 concurrent users (10workspace users plus 3 mobileusers performed update/writeoperations, while 2 mobile usersdid not perform any update/writeoperations).

ProcessWorkspace andVisual Builder

Between 11am and 12pm, 5 users accessOracle Integration from a Visual Builderapplication and 5 other users accessWorkspace.

• 2 of the 5 Visual Builder usersaccess Visual Builder, and interactwith a Visual Builder app that inturn triggers execution of an API thatcreates new process instances andprocesses tasks.

• The other 3 Visual Builder usersaccess the Visual Builder app andread and access task and processinstance status.

• The 5 users access Workspace andapprove a minimum of 1 task eachwithin the hour timeframe.

The 11am-12pm hour blockreports 7 concurrent users (2Visual Builder users and 5Workspace users performedupdate/write operations). Thisresult does not include theVisual Builder concurrentuser licenses. Visual Builderconcurrent users are meteredseparately.


6-11

AOracle Integration Generation 2 Reference

See the following reference topics.

Topics:

• Manually Federating Your Tenancy

• Automating with Events

• IAM Policy Details for Oracle Integration

Manually Federating Your TenancyIn certain cases, your tenancy may need user federation between Oracle CloudInfrastructure's IAM and Oracle Identity Cloud Service (IDCS).

Note:

Follow the steps in this section ONLY if your tenancy is not manuallyfederated. See Is my Tenancy Federated Between Oracle CloudInfrastructure IAM and Oracle Identity Cloud Service?

The following Oracle Cloud Infrastructure documentation section also providesinstructions for manually federating with Oracle Identity Cloud Service: Federating withOracle Identity Cloud Service. Its Instructions for Federating with Oracle Identity CloudService section lists four main steps. However, step 1 differs for Oracle Integration:Instead of accessing client ID/secret information from a COMPUTEBAREMETALIDCS application, you'll create an IDCS application to generate this information forfederation, as described in the steps below.

1. Getting Required Information from Oracle Identity Cloud Service

2. Adding Oracle Identity Cloud Service as an Identity Provider

Is my Tenancy Federated Between Oracle Cloud Infrastructure IAMand Oracle Identity Cloud Service?

Oracle Integration requires that Oracle Cloud Infrastructure Identity and AccessManagement (IAM) be federated with Oracle Identity Cloud Service (IDCS) for yourtenancy.



3. On the Federation page, look for an Oracle Identity Cloud Service link.

A-1



The Federation screen is shown. Its Identity Provider Information tab identifiesthe default federation configured between the Oracle Identity Cloud Service stripeand the OCI tenancy in a cloud account. Note that this screen may show morethan the default identity provider.

If you see a console link, your instance is federated. If it's not, perform the steps inManually Federating Your Tenancy.

Getting Required Information from Oracle Identity Cloud ServiceFollow these steps to create and configure an Oracle Identity Cloud Serviceapplication, activate the application, and create an IDCS administrator group.

Note:

Follow the steps in this section only if manual federation is needed.

1. Sign in to Oracle Identity Cloud Service with admin privileges. You must beviewing the admin console.

Use the link, username, and password provided in your account welcome email.

2. Select Applications.

3. Click Add.

4. Select Confidential Application.

Appendix AManually Federating Your Tenancy

A-2

The Add Confidential Application page is displayed.

5. In the Name field under App Details, enter a name (such as Oracle CloudInfrastructure Federation). Click Next.

Client options are displayed.

6. Under Authorization, select Client Credentials.

7. Under Token Issuance Policy, click +Add by App Roles. Select Identity DomainAdministrator. Click Next.

8. Click Next to skip the Resources options.

9. Click Next to skip the Web Tier Policy options.

10. Click Finish.

The application's Client Id and Secret are displayed.

11. Copy the Client Id and Secret for use later (in Adding Oracle Identity CloudService as an Identity Provider). Close the window.

12. Activate the app by selecting Activate in the upper right corner.

13. Create an IDCS group for administrators. Make sure the federated user you planto test federation with is part of that group.

a. Select Groups from the Resources options.


A-3

b. Click Create IDCS Group.

c. Enter a name (for example, idcs-integration-admins).

d. Click Create.

14. Copy the IDCS base url (https://<account>.identity.oraclecloud.com) for usenext in Adding Oracle Identity Cloud Service as an Identity Provider.

Adding Oracle Identity Cloud Service as an Identity ProviderIf your tenancy needs user federation between Oracle Cloud Infrastructure's IAM andOracle Identity Cloud Service (IDCS), complete steps in the console by adding OracleIdentity Cloud Service as an identity provider.

Note:

Follow the steps in this section only if manual federation is needed. You'llneed the information you generated in the steps in Getting RequiredInformation from Oracle Identity Cloud Service.

1. Sign in to the Oracle Cloud Infrastructure console as an IAM user (use the optionson the right side).



4. Click Add Identity Provider and enter data as below. Click Continue.

a. Name: Enter a name, such as oracleidentitycloudservice.

b. Description: Enter a description, such as Federated IDCS stripe.

c. Oracle Identity Cloud Service Base URL: Enter the URL you noted earlier.

d. Client ID: Enter the application's ID you noted earlier.

e. Client Secret: Enter the client secret you noted earlier.

f. Click Continue.


A-4

5. When prompted, map your IDCS group to the OCI administrators group.

Select your IDCS group in the Identity Provider Group field and your OracleCloud Infrastructure group in the OCI Group field.

6. Sign out and sign back in as one of your federated users. On the Federation page,verify that the Oracle Identity Cloud Service link is now shown. See Is my TenancyFederated Between Oracle Cloud Infrastructure IAM and Oracle Identity CloudService?

Automating with EventsYou can create automation based on state changes for your Oracle CloudInfrastructure resources by using event types, rules, and actions.

Oracle Cloud Infrastructure services emit events, which are structured messages thatindicate changes in resources. An Oracle Integration administrator can create rulesto track these events, such as when instances are created, updated, or deleted, andcompartments changed.

For more information, see Overview of Events.

The following Oracle Integration resource emits events:

• Integration Instance

Integration Instance Event TypesThese are the event types that Integration Instances emit:

Friendly Name Event Type

CreateIntegrationInstance

Begin

com.oraclecloud.integration.createintegrationinstance.begin

CreateIntegrationInstance

End

com.oraclecloud.integration.createintegrationinstance.end

Appendix AAutomating with Events

A-5

https://docs.cloud.oracle.com/iaas/Content/Events/Concepts/eventsoverview.htm

Friendly Name Event Type

UpdateIntegrationInstance

Begin

com.oraclecloud.integration.updateintegrationinstance.begin

UpdateIntegrationInstance

End

com.oraclecloud.integration.updateintegrationinstance.end

Start IntegrationInstance

Begincom.oraclecloud.integration.startintegrationinstance.begin

Start IntegrationInstance

Endcom.oraclecloud.integration.startintegrationinstance.end

Stop IntegrationInstance

Begincom.oraclecloud.integration.stopintegrationinstance.begin

Stop IntegrationInstance

Endcom.oraclecloud.integration.stopintegrationinstance.end

Delete IntegrationInstance

Begincom.oraclecloud.integration.deleteintegrationinstance.begin

Delete IntegrationInstance

Endcom.oraclecloud.integration.deleteintegrationinstance.end

ChangeIntegrationInstanceCompartment

Begin

com.oraclecloud.integration.changeintegrationcompartment.begin

ChangeIntegrationInstanceCompartment

End

com.oraclecloud.integration.changeintegrationcompartment.end

Appendix AAutomating with Events

A-6

Integration Instance Event ExampleThis is a reference event for Integration Instances:

{ "eventType": "com.oraclecloud.integration.updateintegrationinstance.begin", "cloudEventsVersion": "0.1", "eventTypeVersion": "2.0", "eventID": "<unique_ID>", "source": "integration", "eventTime": "2019-01-10T21:19:24Z", "contentType": "application/json", "extensions": { "compartmentId": "ocid1.compartment.oc1..<unique_ID>" }, "data": { "compartmentId": "ocid1.compartment.oc1..<unique_ID>", "compartmentName": "example_compartment", "resourceName": "My test resource", "resourceId": "ocid1.integrationinstance.oc1.phx.<unique_ID>", "availabilityDomain": "<availability_domain>", "freeFormTags": { "Department": "Finance" }, "definedTags": { "Operations": { "CostCenter": "42" } }, "additionalDetails": { "integrationInstanceType": "STANDARD", "isByol": "false", "messagePacks": 1 } } }

IAM Policy Details for Oracle IntegrationThis topic covers details for writing policies to control access to Oracle Integration.

Resource Types

These are the resources available for Oracle Integration:

• integration-instance

Supported Variables

The integration-instance resource type can use the following variables.

Appendix AIAM Policy Details for Oracle Integration

A-7

SupportedVariables Variable Variable

Type Description

RequiredVariablesSupplied by theService forEvery Request

target.compartment.id

ENTITY The OCID of the primaryresource for the request.

request.operationSTRING The operation id (for example

'GetUser') for the request.

target.resource.kind

STRING The resource kind name ofthe primary resource for therequest.

AutomaticVariablesSupplied by theSDK for EveryRequest

request.user.idENTITY For user-initiated requests. The

OCID of the calling user.

request.groups.idLIST(ENTITY)

For user-initiated requests. TheOCIDs of the groups ofrequest.user.id.

target.compartment.name

STRING The name of thecompartment specified intarget.compartment.id.

target.tenant.idENTITY The OCID of the target tenant

id.

AdditionalVariables forOracleIntegration

target.integration-instance.id

ENTITY The OCID of the OracleIntegration instance that wascreated.

Details for Verb + Resource-Type Combinations

The following table shows the permissions and API operations covered by each verb.The level of access is cumulative as you go from inspect > read > use > manage.

Verb Permissions APIs Fully Covered APIsPartiallyCovered

INSPECT

• INTEGRATION_INSTANCE_INSPECT

• ListIntegrationInstances• ListWorkRequests

None

READ • Inherits from INSPECT:– INTEGRATION_INSTANCE

_INSPECT• INTEGRATION_INSTANCE_RE

AD

• GetIntegrationInstance• GetWorkRequest

None


A-8

Verb Permissions APIs Fully Covered APIsPartiallyCovered

USE • Inherits from READ:– INTEGRATION_INSTANCE

_INSPECT– INTEGRATION_INSTANCE

_READ• INTEGRATION_INSTANCE_UP

DATE

• UpdateIntegrationInstances• StartIntegrationInstance• StopIntegrationInstance

None

MANAGE

• Inherits from USE:– INTEGRATION_INSTANCE

_INSPECT– INTEGRATION_INSTANCE

_READ– INTEGRATION_INSTANCE

_UPDATE• INTEGRATION_INSTANCE_CR

EATE• INTEGRATION_INSTANCE_DE

LETE• INTEGRATION_INSTANCE_MO

VE

• CreateIntegrationInstance• DeleteIntegrationInstance• ChangeIntegrationCompartment

None

Permissions Required for Each API Operation

API Operation Permissions Required to Use the Operation

ListIntegrationInstancesINTEGRATION_INSTANCE_INSPECT

GetIntegrationInstanceINTEGRATION_INSTANCE_READ

CreateIntegrationInstanceINTEGRATION_INSTANCE_CREATE

DeleteIntegrationInstanceINTEGRATION_INSTANCE_DELETE

UpdateIntegrationInstancesINTEGRATION_INSTANCE_UPDATE

StartIntegrationInstanceINTEGRATION_INSTANCE_UPDATE


A-9

API Operation Permissions Required to Use the Operation

StopIntegrationInstanceINTEGRATION_INSTANCE_UPDATE

ListWorkRequestsINTEGRATION_INSTANCE_INSPECT

GetWorkRequestINTEGRATION_INSTANCE_READ

ChangeIntegrationCompartmentINTEGRATION_INSTANCE_MOVE


A-10

Date post:	08-Aug-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Provisioning and Administering Oracle Integration and ... · • Use integrations to design,...

Documents