Oracle Cloud Infrastructure Documentation

Configure an Oracle-Managed Custom Endpoint

If you want Oracle to procure and manage the public certificate for your custom host name, you can create an Oracle-managed custom endpoint.

Perform the following steps to create an Oracle-managed custom endpoint for your instance.

  1. Complete prerequisites.
  2. Create the Oracle-managed customer endpoint.
  3. Complete post-configuration tasks.

Prerequisites for Configuring an Oracle-Managed Custom Endpoint

To configure an Oracle-managed custom endpoint, complete the following prerequisites.

Task Where to perform the task Associated documentation
Create your Oracle Integration instance Oracle Cloud Infrastructure Console Create an Oracle Integration Instance
Note:
  • You add a custom endpoint when editing an instance, not during creation, so you must create the instance as a prerequisite.
  • You must have direct access to your Oracle Integration instance.
Choose a vanity URL or custom hostname for your Oracle Integration instance N/A N/A
Create a public DNS zone Oracle Cloud Infrastructure Console Creating a Public DNS Zone

Note: DNS zones are region-specific. If you have Oracle Integration instances in multiple regions, you must create a DNS zone with a unique subdomain for each region.

Delegate the DNS zone and update the name servers with your registrar Your domain name registrar Delegating a Public DNS Zone

Note: If you created DNS zones for multiple regions, you must perform this task for each DNS zone in their respective subdomain.

Register your Oracle Integration instance hostname with the DNS zone by adding a CNAME record Oracle Cloud Infrastructure Console Adding a Record to a DNS Zone
Create Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to allow your Oracle Integration tenancy to manage the public DNS zone Oracle Cloud Infrastructure Console Create IAM Policies

Create IAM Policies

You must create the following IAM policies to allow your Oracle Integration instance to manage the DNS resources.

  • A policy to grant your Oracle Integration instance to manage dns-zones and dns-records resources in your tenancy:

    ALLOW dynamic-group group-Name TO READ dns-zones IN compartment compartment-name

    ALLOW dynamic-group group-Name TO USE dns-records IN compartment compartment-name WHERE ALL {target.dns-zone.name='dns-zone-name'}

    where:

    • group-Name is the name of the dynamic group that defines the compartment that stores your Oracle Integration instance.
    • compartment-name is the name of the compartment that stores the DNS resources.
    • dns-zone-name is the public DNS zone you created.
    Note

    • The dynamic group is defined in the identity domain in which the Oracle Integration instance was created.
    • The matching rule that defines the dynamic group must point to the Oracle Cloud service client ID for your Oracle Integration instance. For example:

      Matching rule: any {resource.id='Oracle-Cloud-service-client-ID'}

      See Listing Oracle Cloud Services.

  • A generic endorse policy to allow your Oracle Integration instance to manage certificate resources in the Oracle Integration tenancy. This is the endorse part of the cross-tenant policy.

    ENDORSE any-user TO MANAGE certificate-authority-family IN any-tenancy

For more information, see Managing DNS Resources Across Tenancies.

Create the Oracle-Managed Custom Endpoint

After completing the prerequisites, perform the following steps to configure an Oracle-managed custom endpoint:

  1. If you're not already on the Integration instances page, open it.
    1. Open the Oracle Cloud Infrastructure Console.
    2. Open the navigation menu and click Developer Services. Under Application Integration, click Integration.
  2. Open your instance.
  3. On the left, under Resources, click Custom Endpoint.
  4. Click Create custom endpoint.
  5. Select Oracle managed.
  6. Make sure the correct compartment is selected.
  7. Select the DNS zone you created as a prerequisite.
  8. Enter your custom host name for the instance.
  9. Click Create.

After configuring your Oracle-managed custom endpoint, you must complete some post-configuration tasks.

Post-Configuration Tasks for an Oracle-Managed Custom Endpoint

After creating your Oracle-managed custom endpoint, perform the following post-configuration tasks:

  • Modify your custom hostname IP record to point to the Oracle Integration origin. If you use a CNAME record, you must enter the FQDN for your load balancer's public IP address.
  • If you're using three-legged OAuth with third-party identity providers (such as Google, Facebook, etc.), update the redirect URL in your identity provider (IdP) application with the custom hostname. If the custom hostname for your Oracle Integration instance is mycustom.example.org, your redirect URL must be, for example, https://mycustom.example.org/icsapis/agent/oauth/callback.

    After updating the redirect URL in the IdP application, you must reacquire the access token by providing consent on the connection page.

  • If you created integration flows prior to mapping a custom endpoint to your instance, they will continue to work without any issues. However, if you want to update your integrations to use the custom endpoint:
    • For triggers, deactivate and re-activate those integrations to regenerate the WSDLs.
    • For parent-child integrations, edit the existing connection to replace the hostname with the custom host; test and save the connection; then reactivate the integration.
Note

If you're using the Oracle NetSuite Adapter, the adapter's TBA Authorization Flow security policy won't work with custom endpoints for Oracle Integration.