Thursday, April 25, 2024

Mastering Oracle Cloud: Step-by-Step Guide to Provision Your OIC Instance

Oracle Integration Cloud Service (OIC) is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications, and can connect both applications that live in the cloud and applications that still live on premises. It is a PaaS offering from Oracle, and so users who need access to OIC must reside in IDCS (which is now the identity domain). In this post, we are going to explain how to provision an OIC instance from scratch when an identity domain is already in place.

OIC

We will now provision an OIC instance in the OCI console. Go to Developer Services.

Click on Integration.

We have successfully provisioned the OIC instance. Now, in order to log in, we need a user which is validated by IAM (Identity Domains) and which has the proper role assigned to it.

Go to Identity Domains, select the required domain and create a new user.

Once the user is created, go to Oracle Cloud Services under the identity domain and choose the OIC instance which was created earlier.

Click on the name and navigate to "Application roles".

Click on Assign.

That's it. Using this user, we should be able to log in to the OIC Console.

OIC Home page

I hope this post will help someone. Till then, keep learning cloud.

Tuesday, April 23, 2024

Strengthen Your Cloud Security: Exploring OCI Vulnerability Scanning Services

In Oracle Cloud Infrastructure (OCI), a vulnerability scanning service is offered to help ensure the security of your infrastructure. The OCI Vulnerability Scanning Service (VSS) is designed to scan virtual cloud networks (VCNs) and identify vulnerabilities in the cloud infrastructure.

OCI Vulnerability Scanning Services

In this post, we are going to explain what approach we can take to mitigate the risk from the CVEs once they are detected. But before we do so, I would suggest going through the official Oracle documentation for VSS.

You can access the vulnerability scanning service through the OCI console. Here's a brief guide on how to do it:

1. Log in to the OCI Console.
2. Open the "Security" menu.
3. Click on "Security Advisor".
4. Navigate to "Vulnerability Scanning".

Now, let us go through the remediation steps. You might get CVEs listed as below.

If we click on "View Details", we see the information below on the cause and the remediation.

The errata details can be found in the linked page, which serves as the database for these CVEs.

The server already had libvirt version 4.5.0-36.el7_9.5.

Command to check:

rpm -qa|grep libvirt

Thus we came to the conclusion that the CVEs are being reported against the existing libvirt package on the server, and in order to mitigate them we need to upgrade it to version 5.

Steps:-

1. cd /etc/yum.repos.d
2. Took a backup of the file public-yum-ol7.repo.
3. Took a backup of the boot volume.
4. In the file public-yum-ol7.repo, set the enabled flag to 1 for the required section.
5. yum update
6. Reboot the server.
7. Disable and enable VSS.
8. Verify the scanning report.
9. Check with the application team for sanity before moving on to the next higher instances.
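The repository edit in step 4 and the version check above, as an added Python example (not code from the post or from Oracle): enable_repo_section() sets enabled=1 inside one [section] of a .repo file and leaves every other section alone, and below_major() reads rpm -qa lines to list which packages still sit below the target major version. The section names and the rpm -qa lines used here are constructed; the post does not name the section it enabled.

```python
import re
import shutil
from datetime import datetime

def enable_repo_section(text, section):
    """Return repo-file text with enabled=1 set only inside [section]."""
    out, in_section, found = [], False, False
    for line in text.splitlines(keepends=True):
        header = re.match(r"\[(.+)\]\s*$", line)
        if header:
            in_section = header.group(1) == section
            found = found or in_section
        elif in_section and re.match(r"enabled\s*=", line):
            line = "enabled=1" + ("\n" if line.endswith("\n") else "")
        out.append(line)
    if not found:
        raise KeyError(f"no [{section}] section in repo file")
    return "".join(out)

def enable_repo_section_file(path, section):
    """Steps 2 and 4 above: copy the file to a timestamped backup, then rewrite it."""
    backup = f"{path}.bak.{datetime.now():%Y%m%d%H%M%S}"
    shutil.copy2(path, backup)
    with open(path) as f:
        new_text = enable_repo_section(f.read(), section)
    with open(path, "w") as f:
        f.write(new_text)
    return backup

# name-version-release.arch is what "rpm -qa" prints (the epoch is not shown).
RPM_LINE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

def below_major(rpm_qa_lines, prefix, target_major):
    """Packages whose name starts with prefix and whose leading version
    number is below target_major, as {name: "version-release"}."""
    pending = {}
    for line in rpm_qa_lines:
        m = RPM_LINE.match(line.strip())
        if not m or not m["name"].startswith(prefix):
            continue
        lead = re.match(r"\d+", m["version"])
        if lead and int(lead.group()) < target_major:
            pending[m["name"]] = f'{m["version"]}-{m["release"]}'
    return pending

# Constructed lines in the shape of the "rpm -qa|grep libvirt" output above.
SAMPLE_RPM_QA = """libvirt-4.5.0-36.el7_9.5.x86_64
libvirt-libs-4.5.0-36.el7_9.5.x86_64
libvirt-client-5.7.0-1.el7.x86_64"""
```

Run below_major() on the real rpm -qa output again after the reboot; an empty result for the libvirt prefix is the cheap local confirmation before re-enabling VSS and waiting for the next scan report.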

These are the steps through which we can mitigate the CVEs reported by VSS in OCI. I hope this post will help someone. Till then, happy learning cloud.
Monday, April 8, 2024

Cross-Platform Efficiency: Mastering Federation of Azure AD with OCI Identity Domains for SSO Solution

By federating Azure AD with OCI Identity Domains (more on OCI Identity Domains), businesses can centralize user authentication, simplifying access management and reducing administrative overhead. This integration enables a single sign-on (SSO) experience, allowing users to securely access resources across both platforms with a single set of credentials. With enhanced security measures and simplified user provisioning, organizations can ensure compliance with regulatory standards while providing a seamless user experience. Now, with all new tenancies, Oracle has introduced identity domains as a single domain for storing all the users, groups and credentials, and so the navigation has also changed a bit. Note also that, in the background, it is the same IDCS solution running.

SSO between OCI and Azure


Here, OCI acts as the service provider (SP) and Microsoft Azure acts as the identity provider (IdP). The service provider (OCI) creates a SAML request and forwards the user, together with the SAML request, to the identity provider (Azure AD). Once the user is authenticated, the IdP sends back a SAML response with an assertion to the service provider's Assertion Consumer Service endpoint.

Note: Azure AD is now Microsoft Entra ID.


Go to the OCI hamburger menu > Identity and Security.

Click on Domains and change the settings below first.

Get the IDCS URL.

Copy the IDCS URL, append /fed/v1/metadata, open it in a browser and save the result as an XML file.

On the Azure Portal now:-

Create an Enterprise Application. Choose the option Oracle.

Choose the option Oracle Cloud Infrastructure Console.

Give it a name and click on Create.

Click on Single sign-on and choose the SAML option.

Upload the metadata XML file downloaded from OCI.

Download the Federation Metadata XML, which has to be uploaded on the OCI side.
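The two metadata files exchanged above (the SP metadata saved from the IDCS URL plus /fed/v1/metadata, and the Federation Metadata XML downloaded from Azure), parsed and checked before they are uploaded, as an added Python example that is not code from the post, Oracle or Microsoft. The hostnames, paths and certificate in the sample XML are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def parse_sp_metadata(xml_text):
    """SP (OCI) metadata: entityID plus the HTTP-POST Assertion Consumer
    Service URL the IdP must post the SAML response to."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"entity_id": root.get("entityID"), "acs_url": acs[0]}

def parse_idp_metadata(xml_text):
    """IdP (Azure) metadata: entityID, SingleSignOnService URL per binding and
    the signing certificates the SP needs to verify the assertion."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    sso = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"  # no 'use' attribute: key serves both roles
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

# Constructed, minimal files in the shape of the two exchanged above; hosts, paths and the certificate are placeholders.
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idcs-PLACEHOLDER.example.com:443/fed">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idcs-PLACEHOLDER.example.com/fed/v1/sp/sso" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.example.net/TENANT-ID/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.example.net/TENANT-ID/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""
```

Running parse_sp_metadata() on the file you are about to upload to Azure, and parse_idp_metadata() on the file you are about to upload to OCI, catches the two files being swapped or a download that lacks the signing certificate before the federation is activated.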

OCI Side:-

Click on Add SAML IdP.

Choose the option Upload metadata XML file.

Upload the XML file downloaded from the Azure Portal.

Review and Create.

Test the login.

Activate the IdP.

Edit the IdP policies and add Azure AD.

Test the setup.

Note: the user has to be present in both OCI IAM and Azure AD.

Log in to the OCI console and the IdP icon appears.

Click on Azure AD.

oci login after federation

Here we are. We have successfully landed on the OCI home page.

This post explained the integration of Oracle Cloud Infrastructure Identity Domains with Microsoft Azure AD for a seamless single sign-on solution.

I hope this post will help someone. Till then, enjoy learning cloud.

References:-
https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/federation.htm#top
https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/azure_ad/lifecycle_azure/02-config-azure-iam-template.htm#config-azure-iam-template

Thursday, April 4, 2024

Secure Your Network: Private DNS in Oracle Cloud Infrastructure

 Private DNS in Oracle Cloud Infrastructure (OCI) refers to a service that enables you to create and manage custom domain names within your virtual cloud network (VCN). With Private DNS, you can define custom domain names and map them to specific resources, such as Compute instances, Load Balancers, or other services within your VCN.

Key features and benefits of Private DNS in OCI include:

Custom Domain Names: You can create your own domain names, such as example.com or subdomain.example.com, tailored to your organization's needs.
Resource Mapping: Private DNS allows you to map these custom domain names to specific resources within your VCN, making it easier to manage and access your services.
Network Isolation: By using Private DNS within your VCN, you can ensure that your domain names remain private and are only accessible within your network, enhancing security and control.
Integration with Oracle Services: Private DNS seamlessly integrates with other Oracle Cloud services, enabling you to easily manage domain names for resources such as Compute instances, Load Balancers, and more.
Automation and Scalability: You can automate the creation and management of domain names using OCI's APIs, CLI, or Terraform, making it easy to scale and manage your infrastructure.

Overall, Private DNS in OCI provides a flexible and secure way to manage domain names and map them to resources within your virtual cloud network, facilitating efficient communication and management of your cloud infrastructure.
Now, the objective of this post is to give an idea of how we can communicate with resources using their hostnames. As we know, DNS is the feature which translates hostnames to IP addresses. If we have resources in OCI and they cannot resolve each other's hostnames, then communication cannot be established. To solve this problem, OCI offers Private DNS.

A small use case here: when we provision a compute instance, it comes with its own fully qualified domain name, for example under oraclevcn.com. Now, if I need to set it to samapspdba.com, we need to perform some additional steps.

The high-level steps:

Private DNS Zone: contains the DNS data for the VCN (such as IP addresses).
Private DNS View: a collection of zones; a zone can belong to only a single view.
Private DNS Resolver: you can assign views to the resolver, which will then resolve those DNS queries for you. Remember the order: first the custom views, then the default view and finally the Internet.




Once the A record is added and published, we can test:

[opc@instance-20240328-1959 ~]$ host -t NS samapspdba.com
samapspdba.com name server vcn-dns.oraclevcn.com.
[opc@instance-20240328-1959 ~]$

After I delete the private view:

[opc@instance-20240328-1959 ~]$ host -t NS samapspdba.com
samapspdba.com name server vcn-dns.oraclevcn.com.
[opc@instance-20240328-1959 ~]$ nslookup www.samapspdba.com
Server:         169.254.169.254
Address:        169.254.169.254#53

** server can't find www.samapspdba.com: REFUSED
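The nslookup check above done from code, as an added Python example (not from the post): it builds the DNS query itself so the resolver can be chosen explicitly (169.254.169.254, as nslookup reported above) and reads the RCODE from the reply, which is how REFUSED is carried on the wire. The reply bytes at the end are constructed, not captured from an OCI instance.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2}
VCN_RESOLVER = "169.254.169.254"  # the resolver address nslookup reported above

def build_query(name, qtype="A", txid=0x1234):
    """Encode one standard DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN

def parse_response(resp, txid=0x1234):
    """Return (rcode_name, answer_count) from a raw reply, after checking
    that it is a response and that it belongs to our transaction id."""
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def ask(name, qtype="A", server=VCN_RESOLVER, timeout=2.0):
    """Send the query over UDP/53 to the chosen server and summarise its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed reply: same id, QR=1 RD=1 RA=1, RCODE=5, no answers. This is the
# wire form of the "server can't find www.samapspdba.com: REFUSED" line above.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                 + build_query("www.samapspdba.com")[12:])

if __name__ == "__main__":
    print(parse_response(REFUSED_REPLY))  # ('REFUSED', 0)
    # On an OCI instance, ask("www.samapspdba.com") queries the VCN resolver live.
```

A REFUSED reply with zero answers is the signature of the private view no longer being attached to the resolver; an NXDOMAIN instead would mean the view is attached but the record is missing from the zone.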


This is a basic demonstration of how, using the Private DNS feature in OCI, we can customize the hostname.

I hope this post helps someone.