Configure a Customer-Managed Custom Endpoint
If you want to use your own load balancer, you can create a customer-managed custom endpoint. However, be aware that, with this option, you are responsible for keeping your certificate up to date. If you let your certificate expire, any applications that use the custom endpoint will fail.
Perform the following steps to create a customer-managed custom endpoint for your instance.
Prerequisites for Configuring a Customer-Managed Custom Endpoint
- Create your Oracle Integration instance.
  Note: You add a custom endpoint when editing an instance, not during creation, so you must create the instance as a prerequisite.
- You must have direct access to your Oracle Integration instance.
- Choose a vanity URL or custom hostname for your Oracle Integration instance.
- Register the hostname with either the Oracle Cloud Infrastructure DNS or your DNS provider.
- Obtain an SSL certificate from a certificate authority (CA) for your hostname. If you use a hostname certificate whose CA isn't in the Oracle Integration trust store, you must also upload the certificate to your Oracle Integration instance; otherwise, an exception is thrown in scenarios where the instance calls itself.
- Front-end your instance with a load balancer, such as Oracle Cloud Infrastructure Load Balancer, to validate and terminate SSL for your custom hostname.
Note
If you use Oracle Cloud Infrastructure Load Balancer, you must set up a NAT gateway in the VCN/subnet where you plan to create your load balancer.

Task: In the VCN/subnet where you will create your load balancer, add a routing rule for the Oracle Integration public IP address
Settings to use:
- Target Type: Select NAT gateway.
- Destination CIDR Block: Oracle Integration_public_IP/32
  You can get the Oracle Integration IP address via nslookup command.
- Compartment: Select the compartment where your Oracle Integration instance is located.
- Target: Your NAT gateway
Associated documentation: VCN Route Tables

Task: Set up a load balancer
Settings to use:
- Visibility type: Select Public.
- Bandwidth: Select Flexible and set the minimum and maximum bandwidth to 10 Mbps.
Associated documentation: Creating a Load Balancer

Task: Configure a listener
Settings to use:
- Protocol: Select HTTPS.
- Port: Enter 443.
- Use SSL: Select this option.
- Certificate resource: Select Load balancer managed certificate or Certificate service managed certificate and upload your custom hostname certificate.
Associated documentation: Listeners for Load Balancers

Task: Create a backend set
Settings to use:
- Use SSL: Select this option.
- Certificate resource: Select Load balancer managed certificate and upload the Oracle Integration certificate and certificate chain obtained through the browser.
Associated documentation: Backend Sets for Load Balancers

Task: Add Oracle Integration as a backend server
Settings to use:
- IP address: Enter the Oracle Integration IP address you used in the routing rule.
- Certificate resource: Select Load balancer managed certificate and upload the Oracle Integration certificate and certificate chain obtained through the browser.
Associated documentation: Backend Servers for Load Balancers

Task: Update the health check policies
Settings to use:
- Protocol: Select TCP.
- Port: Enter 443.
Associated documentation: Editing a Load Balancer's Health Check Policies

Task: Add the certificate and certificate chain for your custom hostname
Settings to use:
- Select Choose SSL certificate file, and upload the certificate provided by your certificate provider.
- Select Choose CA certificate file, and upload the certificate chain provided by your certificate provider.
- Select Specify private key, and upload the private key file.
Associated documentation: SSL Certificates for Load Balancers

Task: Set up logging
Settings to use: N/A
Associated documentation: Logging for Load Balancers

Task: Add the load balancer to the Oracle Integration allowlist
Settings to use: N/A
Associated documentation: Configure an Allowlist for Your Instance

Task: If you want to create other policies to protect the endpoint (for example, DDOS, smuggling, or restricting traffic for geo-political reasons), manage the policies in the load balancer
Settings to use: N/A
Associated documentation: Details for Load Balancing (information on writing policies to control access to the Load Balancer service)
Create the Customer-Managed Custom Endpoint
After completing the prerequisites, perform the following steps to configure a custom endpoint:
- If you're not already on the Integration instances page, open it.
  - Open the Oracle Cloud Infrastructure Console.
  - Open the navigation menu and click Developer Services. Under Application Integration, click Integration.
- Open your instance.
- On the left, under Resources, click Custom Endpoint.
- Click Create custom endpoint.
- Select Customer Managed.
- Enter your custom host name for the instance.
- Click Create.
After configuring your custom endpoint, you must complete some post-configuration tasks, like pointing your custom host IP record to your load balancer.
Post-Configuration Tasks for a Customer-Managed Custom Endpoint
After configuring your custom endpoint, perform the following post-configuration tasks:
- Modify your custom hostname IP record to point to your load balancer. If you use a CNAME record, you must enter the FQDN for your load balancer's public IP address.
- If you're using three-legged OAuth with third-party identity providers (such as Google, Facebook, etc.), update the redirect URL in your identity provider (IdP) application with the custom hostname. If the custom hostname for your Oracle Integration instance is mycustom.example.org, your redirect URL must be, for example, https://mycustom.example.org/icsapis/agent/oauth/callback. After updating the redirect URL in the IdP application, you must reacquire the access token by providing consent on the connection page.
- If you created integration flows prior to mapping a custom endpoint to your instance, they will continue to work without any issues. However, if you want to update your integrations to use the custom endpoint:
  - For triggers, deactivate and re-activate those integrations to regenerate the WSDLs.
  - For parent-child integrations, edit the existing connection to replace the hostname with the custom host; test and save the connection; then reactivate the integration.
If you're using the Oracle NetSuite Adapter, the adapter's TBA Authorization Flow security policy won't work with custom endpoints for Oracle Integration.
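
Because a customer-managed endpoint leaves certificate renewal and the DNS record in your hands, a scheduled check of both is worth having. The following is an added example, not Oracle-provided code: it reports when the custom hostname does not resolve to your load balancer or when the listener certificate is close to expiry. The function names, the 30-day threshold, and the sample IP addresses are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal threshold, not an Oracle-documented value

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "mycustom.example.org"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def days_left(cert, now=None):
    """Whole days until the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def evaluate(hostname, resolved_ips, lb_ip, cert, now=None, warn_days=WARN_DAYS):
    """Return findings for the custom hostname; an empty list means healthy."""
    findings = []
    if lb_ip not in resolved_ips:
        findings.append(f"DNS: {hostname} does not resolve to load balancer {lb_ip}")
    remaining = days_left(cert, now)
    if remaining < 0:
        findings.append(f"CERT: expired {-remaining} day(s) ago")
    elif remaining < warn_days:
        findings.append(f"CERT: expires in {remaining} day(s), renew now")
    return findings


def probe(hostname, lb_ip, port=443, timeout=5):
    """Live check: resolve the name, then handshake with the listener.

    The default context validates the chain and the hostname, so an expired
    or mismatched certificate raises ssl.SSLCertVerificationError here.
    """
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    resolved = {info[4][0] for info in infos}
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate(hostname, resolved, lb_ip, tls.getpeercert())


if __name__ == "__main__":
    # Offline demo on the constructed sample; 203.0.113.10 is a documentation IP.
    print(evaluate("mycustom.example.org", {"203.0.113.10"}, "203.0.113.10", SAMPLE_CERT))
```

Run `probe()` with your custom hostname and your load balancer's public IP address from a scheduler, and alert on any non-empty result or on a certificate verification error.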