Friday, May 19, 2023

Oracle FA - Credential Store Framework (CSF) Key Registration with Oracle Integration Cloud for Business Events

The purpose of this entry is to provide information regarding registering CSF keys and configuring connectivity between the Fusion based ERP application and Oracle OIC!

As discussed in prior entries, Cloud ERP provides business events which can be subscribed to by Oracle Integration. To enable the trust between OIC and ERP, in a FA-based SaaS instance, the outbound call of a web service uses an OWSM security policy which retrieves the credentials for the call from a CSF key.

Credential Store Framework (CSF) keys are credentials that use basic authentication (username and password) to certify the access of users and system components. Once the registration process is completed, the CSF keys help trigger the business events and callbacks from ERP to OIC. After catching the event in OIC, we can apply our business logic and perform any other action, such as calling an external API, sending an email, writing the output to a database, and more.

For this to work we must create a local IDCS account with admin privileges in OIC, and use that ID in the CSF key configuration. We must note that Oracle now also has a token based alternative, but that will be covered in another entry.

To generate the CSF key, follow the below steps:

a. Login into the OIC instance with the user credentials and navigate to the Integration home page.

b. Click on the username from the top right corner of the OIC page and select About.

c. The CSF key is generated by appending the identity domain and OIC admin. The format for the CSF key is shown below.


Format: <Identity Domain><Service Instance>

Now, follow the step-by-step process to configure the CSF key:

a. Navigate to the Oracle ERP SOA Composer to configure the CSF key, using the URL below.

b. SOA Composer URL - https://<erphostname>/soa/composer

c. Login to the cloud application with your Oracle Cloud ERP user credentials

Note that you will need the following two roles, to perform the following actions:

SOA_OPERATOR_ROLE_JOB
SOA_DESIGNER_ROLE_JOB

d. Once the login is successful, click Manage Security on the right side of the page. Then click Manage Security again, and another popup will open for the Manage Credentials details. Refer to the table below for the values to provide.

Once the details are provided, click the Register button to complete configuring the CSF key.

| # | Element | Description | Value |
|---|---------|-------------|-------|
| 1 | csf-key | Specify the csf key as extracted from the section before. | <Identity Domain><Service Instance> |
| 2 | User Name | Enter the OIC admin user name | Local account we talked about earlier. |
| 3 | Password | Enter the password for accessing OIC application | <PASSWORD> |
| 4 | Confirm Password | Re-enter the same password for second time | <PASSWORD> |


Now it's time to verify that the CSF key configuration has been done successfully.

a. Access the below mentioned FA Cloud instance by executing the following URL in a browser.

NOTE – Access the Event Subscription URL from IE, Firefox or Edge Browsers. Do not use Google Chrome browser
 
b. Event Subscription URL – https://<erphostname>/soa-infra/PublicEvent/subscriptions

If the event subscription url doesn’t work from the browser, then use the same URL in Postman to test it.

In the basic authentication section in Postman, pass the credentials for the local user and run the endpoint.

With this, OIC will now be able to listen to business events from ERP. One additional point to note: if you ever change the password for the account used for this setup, this trust will be broken. Also, when changing the password and following these steps, you have to "register" again rather than use the "update" option, because the changes won't take effect due to caching.
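A scripted equivalent of the Postman check above, useful for re-testing after a password change and re-registration. This is an added example, not part of the original post; the `ERP_HOST` and `ERP_USER` environment variable names and the status messages are assumptions, and the password is prompted for rather than stored.

```python
import base64
import getpass
import os
import urllib.error
import urllib.request

SUBSCRIPTIONS_PATH = "/soa-infra/PublicEvent/subscriptions"  # path given in the post


def build_request(erp_host, username, password):
    """Build the HTTPS GET for the subscriptions URL with a Basic auth header."""
    # Accept only a bare hostname so a pasted URL or "user@host" cannot redirect the credentials.
    if not erp_host or any(c in erp_host for c in "/@?# \t"):
        raise ValueError("erp_host must be a bare hostname")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(f"https://{erp_host}{SUBSCRIPTIONS_PATH}", method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def explain_status(status):
    """Map the HTTP status to a short diagnosis (generic HTTP semantics only)."""
    if status == 200:
        return "ok: the endpoint accepted the credentials"
    if status == 401:
        return "unauthorized: the server did not accept this user name and password"
    if status == 403:
        return "forbidden: authenticated, but not permitted to read this resource"
    return f"unexpected HTTP {status}"


def check_subscriptions(erp_host, username, password, timeout=15):
    """Call the endpoint and return (status, diagnosis); status is None if unreachable."""
    req = build_request(erp_host, username, password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, explain_status(resp.status)
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code)
    except urllib.error.URLError as err:
        return None, f"connection failed: {err.reason}"


if __name__ == "__main__":
    # Assumed variable names; the password never appears on the command line or in a file.
    host = os.environ.get("ERP_HOST") or input("ERP hostname: ")
    user = os.environ.get("ERP_USER") or input("User name: ")
    status, message = check_subscriptions(host, user, getpass.getpass("Password: "))
    print(status, message)
```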


Saturday, May 13, 2023

Oracle Integration Cloud (OIC) - Introduction and Best Practices

As more customers adopt the Oracle Cloud Infrastructure (OCI) platform, and also the Fusion applications, such as ERP and HCM, the usage and prominence of the Oracle Integration Cloud (OIC) platform will continue to grow. OIC is a middleware, much like other competitors in the market, such as the Azure integration options, BizTalk, Boomi, and such. The competitive advantage of OIC, as it relates to the Oracle space, particularly for Cloud tools, is how the OIC product managers work closely with the FA development teams and ensure that the adapters provided inside OIC for ERP, HCM, etc. stay up to date and are tested as quarterly patches are rolled out for both OIC and FA. In short, there's technical stack harmony when you use OIC to integrate with Oracle Cloud. In addition, if you want to subscribe to business events from ERP to do real-time, event-driven integrations, then OIC is your only option, since other tools cannot subscribe to these business events. In terms of adapters in OIC, the ERP and HCM adapters provide for reduced complexity when integrating with those systems. With the adapters, for example, you can subscribe to events, but also integrate via FBDI or HDL files without having to orchestrate calling many different jobs; the adapters handle a lot of that complexity on your behalf.

OIC is currently in its third generation (Gen3), although a lot of customers are still using Gen2, and it has grown quite a bit in terms of capabilities over the last few years, particularly in terms of its service limits. Previously OIC did not handle large files very well, or large payloads for API patterns, and although it still has limitations in this space, great strides have been made, and it can satisfy a lot of requirements that you may throw at it. As you utilize OIC, before implementing a design pattern, carefully review the service limits here, as you don't want to spend many cycles developing integrations that will fail when being load tested, or performance tested later on.

OIC can be licensed in several ways, but with the Enterprise License, you will get more than just Integrations, and you also get the Visual Builder web development IDE, to extend your SaaS applications, as well as the Oracle Process Cloud product (although this may no longer be bundled with OIC starting with Gen3). With OIC you need to keep a close eye on your message pack consumption, as that can drive up your cost a bit and also impact performance, if your environment is not sized correctly for your usage.

Below I've consolidated a lot of the best practices we have identified by using OIC over the past 4 years, to execute hundreds of integrations across multiple business units.

If you are planning to use OIC, review these in detail, and also pay attention to the third slide that talks about message pack consumption, as depending on how you implement your integrations, you could be unnecessarily incurring additional cost.



Another recommendation is taking complex business logic out of OIC, and instead using OIC to invoke stored procedures in a database cloud service (via a connectivity agent) or autonomous database (via adapter), because these heavy operations that rely on extensive business logic can be done much more efficiently with PL/SQL, and you can use OIC to control the flow, make external calls, and much more.

In terms of drawbacks, OIC still struggles with large files if you want to deal with them outside of them being an opaque element (meaning you don't understand the contents of the file and its schema). We have also run into issues when scheduling too many integrations, even with the maximum allowed number of message packs (but this isn't an area of concern unless you are scheduling hundreds of integrations in the same environment). From a disaster recovery perspective, OIC is highly available within its region, but if you want to implement HA capabilities across multiple regions, accomplishing this is a bit manual and not as efficient as it could be. The architecture can be seen here, for Gen2.

In summary, OIC is a strong solution that continues to grow, but understanding its limitations is key in order to implement the most robust integrations on behalf of your business partners.



API Gateways, and Oracle FA, with Examples!

API Gateways have gotten increased exposure over the past few years, as SaaS offerings from major vendors continue to accelerate in usage. SaaS in general provides many benefits to customers, but it does present several challenges relative to integrations and extensions, as you are restricted to public APIs provided by the vendor, or native file loading capabilities, if you want to perform inbound and outbound data movement of any kind.

In Oracle FA specifically, the necessity of utilizing the API framework for your real time or near real time needs is paramount, and Oracle does a good job of documenting their API capabilities, which can be seen here for Financials, and just with a few clicks you can browse API support for other FA offerings.

Now, an API Gateway provides a layer between the caller and the target, let's say Oracle FA, wherein you can perform several actions that will greatly benefit you at scale. With an API Gateway you get some of the following benefits, which are summarized in the graphic below in bullet #1. Bullet #2 speaks to some of the capabilities that you would not want to perform in the gateway, and should instead use a middleware tool for.



Let's take Oracle ERP as an example, and let's say you want to publish AP-related APIs to certain consumers, but you want to distinguish the traffic generated among them and protect ERP from abuse. With the gateway you can create quota policies that limit each consumer's usage of the API that is proxied in the gateway; after the consumer has used up their quota, their access will be revoked. Similarly, you can create spike arrest policies that prevent abnormal behavior, such as an excessive number of calls from a consumer that typically does not have that kind of volume. You can also create security policies that inspect incoming request payloads for malicious code in the proxy execution flow, before the message can damage the target. In terms of usage metrics, you can direct results from the API interactions to an enterprise logging tool, such as Splunk, where you can build dashboards that give you in-depth analytics about who is making which calls, what the errors are, etc., so you can discover trends and proactively resolve issues. You will not be able to do this by just allowing users to call APIs in FA directly, and troubleshooting will be labor intensive.
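To make the difference between the two policy types concrete, here is a simplified model of a per-consumer quota and a spike arrest check, replayed over constructed traffic. This is an added example, not code from the original post and not how Apigee or any other gateway implements these policies; the consumer names and limits are assumptions.

```python
from collections import defaultdict


class ConsumerLimiter:
    """Simplified gateway model: fixed-window quota plus spike arrest, per consumer."""

    def __init__(self, quota, window_s, spike_per_min):
        self.quota = quota                      # calls allowed per window
        self.window_s = window_s                # quota window length in seconds
        self.min_gap_s = 60.0 / spike_per_min   # spike arrest: minimum spacing between calls
        self._window_start = {}
        self._used = defaultdict(int)
        self._last_allowed = {}

    def check(self, consumer, now):
        """Return 'allow', 'spike_arrest' or 'quota_exceeded' for a call at time now (seconds)."""
        # Spike arrest looks only at the spacing since this consumer's last accepted call.
        last = self._last_allowed.get(consumer)
        if last is not None and now - last < self.min_gap_s:
            return "spike_arrest"
        # Quota counts accepted calls in the current window and resets when it rolls over.
        start = self._window_start.get(consumer)
        if start is None or now - start >= self.window_s:
            self._window_start[consumer] = now
            self._used[consumer] = 0
        if self._used[consumer] >= self.quota:
            return "quota_exceeded"
        self._used[consumer] += 1
        self._last_allowed[consumer] = now
        return "allow"


def replay(limiter, calls):
    """Run (timestamp_s, consumer) pairs through the limiter; return verdict counts per consumer."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, consumer in sorted(calls):
        counts[consumer][limiter.check(consumer, ts)] += 1
    return {consumer: dict(verdicts) for consumer, verdicts in counts.items()}


def demo():
    # Constructed traffic: a steady batch client and a portal client that bursts.
    limiter = ConsumerLimiter(quota=5, window_s=3600, spike_per_min=30)
    steady = [(i * 10.0, "ap-batch") for i in range(8)]    # one call every 10 s
    burst = [(i * 0.2, "ap-portal") for i in range(6)]     # six calls within 1 s
    return replay(limiter, steady + burst)


if __name__ == "__main__":
    for consumer, verdicts in demo().items():
        print(consumer, verdicts)
```

The steady client is stopped by the quota once its allowance is spent, while the bursting client is stopped by spike arrest long before it gets near its quota. Logging these verdicts per consumer is what feeds the kind of dashboard described above.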

Let's discuss another use case, around simplifying the consumer experience of your services. In ERP, you often need internal IDs from multiple API calls to ultimately perform an action, or you simply need to execute APIs in sequence. Examples of this can be creating an AR Invoice for a new customer, creating a new customer, or creating a supplier, where multiple API calls have to be made in sequence to accomplish the task. In order to simplify the process and create developer-friendly APIs, you can utilize your gateway to create API chains, where you create a consolidated proxy endpoint with all the payload elements that the consumer will need to pass. The consumer makes that one call to create a new supplier, and your gateway then orchestrates the chain of events to create the header, sites, addresses, locations, etc. without burdening the consumer, who likely doesn't understand Oracle ERP. You can also hide away the complexity from the gateway entirely, and proxy an application-driven integration from OIC in the gateway instead (or another middleware), as shown in the below example. This is very useful if the actions in the gateway would require significant business logic or complexities beyond what is recommended as far as gateway scope (see first graphic). Additionally, you can drive reusability and speed up adoption, since consumers will just need to meet your payload requirements and understand their own data, and not build significant technical debt or have significant technical knowledge of Oracle ERP.

The above is exemplified in the following graphic, where the Apigee API Gateway is utilized to hide away the complexity of creating a Customer from the consumer. Here the consumer calls the gateway with a consolidated payload, and the gateway invokes OIC where the various API calls to accomplish the task are performed, without the consumer needing to take on this complexity.



Lastly, in terms of options, Oracle has an API Gateway offering that integrates very well with FA and also the Oracle Integration Cloud, and if you don't have an enterprise-wide gateway that you are required to use, this will be your best option; you can read more about it here. However, if you have your own gateway and want to use it to enhance FA in ways similar to those described here, then you can certainly proxy your APIs in your gateway of choice. You will just need to integrate your gateway with Oracle IDCS to securely do auth with FA, unless you are willing to store basic authentication details in your gateway and bypass IDCS (which is not recommended).


Business Events in Oracle ERP - Is OIC the Only Option?

Event frameworks are popular in the industry for many use cases, particularly when an action occurring in the source system should trigger a real time response to an external system that wants to passively wait to be told that an action can take place. To this end, in the ERP world, Oracle had provided the business events framework in Oracle EBS, and now also in Cloud ERP there's a similar, although quite different alternative.

The event framework in Oracle EBS allowed you to create custom business events that could be invoked by a stored procedure, or trigger after a custom concurrent program executed, etc. and you had complete control around what the logic in the event was, and so much more.

However, in my experience, business events in ERP are nowhere near as useful as they were in Oracle EBS, yet, as they are not very flexible and you cannot customize them in any way. I personally haven't found a use case where with enough scale the events worked as I wanted them to exactly, but the framework continues to grow and evolve, so it will eventually become more viable. For example, I had several use cases around AP payment acks and acks in AR for various reasons, as well as projects when the workflow changes the status of a project, etc., but the events didn't include all the fields the downstream systems wanted to be in the payload (and you can't just add fields, you would have to make a lookahead call after catching the event to an API and merge the additional data into the payload, assuming the APIs had those fields), and also if you want source specific data, sometimes you couldn't filter the payload enough with the event wizard in OIC, and you have to parse through a lot of data to get it to what the downstream system wants and not other systems' data. We did successfully use events to build an email ack framework to let downstream systems know about the status of their FBDI files, once uploaded to ERP.

The other challenge is that you can only utilize Oracle Integration Cloud (OIC) to subscribe to business events from FA, so if you use another middleware solution like BizTalk or MuleSoft, etc. you won't be able to subscribe to the events framework without using OIC. This does force clients that have invested in enterprise tools, and that would otherwise not want to utilize OIC, to jump on it. However, OIC is pretty inexpensive when compared to other competitors, and if you just want to use it for events, you can have OIC catch your event and pass the payload to your middleware of choice and do what you want there. It's not ideal, but it's an option, and it doesn't require complex knowledge of OIC. Also, even if event listening was exposed to other consumers, OIC has a competitive advantage because the wizard to configure an integration that listens to an event, and the options it provides, would still be superior to just listening to a raw event.

If using OIC is completely out of the question, then consider building a message aggregation service with your middleware of choice that calls the REST or SOAP APIs in FA in some near real time fashion, which are likely to have far more fields in their payloads than the events themselves anyway, allowing for more flexibility. You can have the middleware send the payloads to a topic using Oracle OCI streaming or your own implementation of Kafka, and then have whoever wants the information consume the topic.

Saturday, May 6, 2023

Oracle Visual Builder Backend ERP Service Connection - Loading Service Definition Error

Hello everyone,

Today we are going to cover a frequently asked question in Customer Connect, and other places, and it is regarding an error you may encounter when creating a backend connection in Oracle Visual Builder with Oracle ERP Cloud, so that you can inherit the API catalog and use the APIs within VBCS.

The error occurs after successfully creating a backend connection, when you go to create a service connection and use "Select from Catalog" to select one of the options below, and then go into the service definition loading screen, and ultimately encounter an error. 

In this post we will cover the creation of a profile option in Oracle Fusion, that will resolve this issue.

First the error:

Select any of them, example highlighted.

Now the solution:

In Setup and Maintenance, open Task list and click Search. Enter 'Manage Profile Options' and click on the link.

Click on + to add a new profile option

Define a new profile option.

Profile Option Code: ORACLE.BC.REST.IGNORECATALOGERRORS
Profile Display Name: REST Describe Catalogue Profile
Application: Application Common Resources
Module: Application Common Resources
Description: If a catalog describe fails for a particular resource, log an error and proceed with other resources.

Save and close when done.


In the next screen in the Profile Option Levels section select Enabled and Updateable check boxes for Site & User. Save and Close



Then:
1. Go to Fusion Apps Home page and navigate to Setup and Maintenance. Search for task “Manage Administrator Profile Values”.
2. Click on “Manage Administrator Profile Values” task and search for “ORACLE.BC.REST.IGNORECATALOGERRORS” (enter this value in “Profile Option Code”).
3. To turn on the feature (under Profile Values):
   a. Set the user and site level profile option ORACLE.BC.REST.IGNORECATALOGERRORS = "true".

 



You can now retry loading the service definitions in VBCS!