
Introduction

 

Application architecture has matured from the traditional monolith to SOA, to microservices, and now to Serverless Architecture, which breaks an application into small functions, each doing a specific task and running on server infrastructure owned and managed by the service provider, allowing us to focus on core business logic. In this cloud computing model, we as application developers are responsible for writing our business logic as functions and submitting them to the cloud provider, which executes them in a scalable and highly available manner. More about Serverless Architecture can be read in the wonderful article here.

 

In this article, we will see how to manage access to functions implemented as AWS Lambda using Oracle Identity Cloud Service, and how to use them in a Single Page Serverless Application. Oracle Identity Cloud Service is a fully integrated cloud service which delivers all the core identity and access management capabilities, including user onboarding and access management, integration with on-premise AD/OAM, Identity Federation and Single Sign-On, OpenID Connect based authentication, security using OAuth2, multi-factor authentication and social logins. More about IDCS can be found here.

 

Single Page Serverless Application Pattern

 

To emphasize the concept and the integration pattern, the use case considered in this blog is kept very simple, like a traditional Hello World application. Here is what we will accomplish with this use case:

  1. We will create 2 Lambda functions - Lambda-Manager and Lambda-Employee.
  2. These Lambdas will be front-ended by AWS API Gateway.
  3. A single page Web Application served from AWS S3 will call AWS API Gateway APIs to trigger the Lambdas to perform the specific action they implement.

 

The following diagram depicts a general Serverless application pattern.

pattern-1.PNG

 

Secure Your Lambda


We want to enable role based access to our Lambda functions, so that -

  1. The function Lambda-Manager is only accessible to users with the manager role.
  2. The function Lambda-Employee is only accessible to users with the employee role.

 

Let's see how to do it with Oracle Identity Cloud Service. The general pattern uses the Oracle Identity Cloud Service (IDCS) OpenID Connect authentication feature to authenticate the user and obtain an access-token, which is then used when calling the AWS API Gateway API. AWS API Gateway uses a Custom Authorizer to implement the authorization logic: it verifies the access-token and calls the IDCS REST API to get more information about the user, in order to decide whether the user is allowed to access the Lambda function or not. The following diagram presents an overview of this implementation.

pattern-2.PNG

 

The request and response flow is -

  1. The user accesses the web page in the browser, which is served from AWS S3.
  2. The user is redirected to the IDCS login page and asked for login credentials.
  3. The user provides username/password, is authenticated at IDCS and is returned to the application with an access-token.
  4. The browser JavaScript makes a call to the API with the access-token.
  5. API Gateway, using the custom authorizer as its authorization mechanism, calls the authorizer function (implemented as another Lambda function), passing the access-token.
  6. The authorizer function validates the access-token by verifying its signature as the first level of validation.
  7. The authorizer function calls the IDCS REST API to get more information about the user represented by the access-token.
  8. If the user belongs to the Group Manager and the requested function is Lambda-Manager (identified by the API Gateway API), the authorizer creates an IAM Allow policy granting access to Lambda-Manager; otherwise it creates an IAM Deny policy and returns it.
  9. API Gateway evaluates the returned policy: if it is an Allow policy it calls the Lambda, else it returns HTTP 403.

 

Set-up and Configuration

 

Here are the set-up and configuration steps required to implement the above flow (focusing only on the security aspects).

  • After deploying your Lambda function, define an API in AWS API Gateway to call your Lambda function.
  • Deploy the authorizer Lambda which implements the authorization logic. The authorizer Lambda can implement custom authorization logic as required by your application. We will implement authorization based on the user's Group membership in Identity Cloud Service, with the following validation:
    1. The first step is to validate the access token by verifying its signature. There are various libraries available for JWT; you can use any one of them. You will require the signing certificate of your IDCS tenancy, which you can acquire using the Signing Certificate JWK REST Endpoint.
    2. If the access-token is valid, retrieve the Group Membership using the IDCS UserInfo REST Endpoint.
    3. Depending on the Group Membership, create and return an IAM Allow or IAM Deny Policy.
  • Create a "Custom Authorizer" for your APIs

          API-1.PNG

  • Configure the custom authorizer to use the authorizer Lambda created in step #2, with the Identity token source set to "method.request.header.Authorization". This allows us to pass the access-token in the Authorization header when calling the API.

               API-2.PNG

  • On the IDCS side, create the Groups "SPA-Manager" and "SPA-Employee".
  • Create users and assign them to one of the above Groups.
  • Create an Application in IDCS to define the resource for your API Gateway's APIs.
  • Create a public client in IDCS and add the scope for the API resources defined above.
  • In the single page app, check whether the user is already logged in by looking for an access-token. If the access-token is not present, redirect the user to the IDCS authorize URL at
    • https://[IDCS Tenant URL]/oauth2/v1/authorize?client_id=[Client-ID]&response_type=token&redirect_uri=[URL where you want to redirect after login]&scope=[API Gateway API URI configured as scope in client] openid groups

               code-snip-1.PNG

  • After successful login, the user is redirected to the "redirect_uri" with the access-token, which can be used to call your API. The token is set in the HTTP Authorization header.

     code-snip-2.PNG
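The authorizer decision described in the flow above and in setup step #2, as an added Python example that is not code from the original post: it parses the API Gateway methodArn, decodes the token claims, fails closed on a bad or expired token, and returns an IAM Allow or Deny policy based on group membership. The signature check against the IDCS JWK and the UserInfo call are injected as callables (a real deployment would use a JWT library and an HTTPS call), and the resource paths /manager and /employee are assumptions of this example.

```python
import base64
import json
import time

# Constructed mapping: API Gateway resource path -> IDCS group that may call it.
# Group names are from the blog; the two paths are assumptions of this example.
RESOURCE_GROUPS = {"/manager": "SPA-Manager", "/employee": "SPA-Employee"}


def parse_method_arn(method_arn):
    """Split arn:aws:execute-api:{region}:{acct}:{apiId}/{stage}/{VERB}/{path}
    into (api_prefix, stage, verb, "/path")."""
    prefix, _, rest = method_arn.partition("/")
    stage, verb, path = rest.split("/", 2)
    return prefix, stage, verb, "/" + path


def decode_claims(token):
    """Return the JWT payload. This does NOT check the signature: the caller
    verifies it first (flow step 6) with a JWT library and the IDCS JWK."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_sample_token(claims):
    """Constructed, unsigned sample token (empty signature segment) so the
    example runs offline; the signature check is injected by the caller."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."


def build_policy(principal_id, effect, resource, groups):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
        # context values must be scalars; the backend Lambda can read them
        "context": {"groups": ",".join(groups)},
    }


def authorize(event, verify_signature, fetch_groups, now=None):
    """Authorizer decision for one request (flow steps 5 to 8).

    verify_signature(token) -> bool stands in for JWT signature validation
    against the IDCS signing JWK; fetch_groups(token) -> list[str] stands in
    for the IDCS UserInfo REST call returning the user's group memberships.
    """
    now = time.time() if now is None else now
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    # Fail closed on anything wrong with the token itself; API Gateway turns
    # an authorizer that raises "Unauthorized" into an HTTP 401.
    if scheme != "Bearer" or not token or not verify_signature(token):
        raise Exception("Unauthorized")
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        raise Exception("Unauthorized")
    groups = fetch_groups(token)
    _, _, _, path = parse_method_arn(event["methodArn"])
    required = RESOURCE_GROUPS.get(path)
    # Allow only when the path maps to a group the user holds; a Deny policy
    # makes API Gateway answer HTTP 403 (flow step 9).
    effect = "Allow" if required is not None and required in groups else "Deny"
    return build_policy(claims.get("sub", "unknown"), effect,
                        event["methodArn"], groups)
```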

This is all you have to do to enable user authentication and access control in your Serverless Application implemented with AWS Lambda, using Oracle Identity Cloud Service. You can extend this to enable social login, multi-factor authentication, and federated login using your on-premise enterprise directory.

 

Reference

1. Oracle Identity Cloud Service

2. Oracle Identity Cloud Service - Rest API

3. AWS Lambda

4. AWS API Gateway Custom Authorizer

Oracle Internet of Things Cloud Service collects data streams from connected devices and provides business users with a wealth of real-time information for taking key strategic decisions. To further maximize the value of the bytes collected from remote devices, device data can be filtered, processed and merged with other existing enterprise information, analyzed, and presented as useful reports to help business users.

 

As the database acts as the repository for any enterprise's information, the following are the primary motivators for integration between IOTCS and Database Cloud Service -

  1. Moving device data from IOTCS to DBCS for historical data analysis.
  2. Enabling enterprise applications to enrich existing enterprise data and features by leveraging device data.
  3. Maximizing the value of data from IOTCS by analyzing it together with existing enterprise data.

 

Although this pattern can be applied to solve many business scenarios, a few are listed below -

 

1. Surveillance Device Monitoring in a Smart City - Alerts are generated when a malfunction is detected in cameras installed in various parts of the city. IOTCS captures this data, filters it to find valuable events, enriches them with the location of the device and streams them out to the enterprise database. The enterprise application uses the device data together with other enterprise data to analyze and display various metrics, such as how many times in the last year this camera went off, the make and model of the camera, the technician who repaired it last and when, maintenance and operational cost, etc.

 

2. Fleet Monitoring and Alert Management for School Vehicles - A location monitoring device installed in the vehicle sends location data to IOTCS, which forwards it to the enterprise database used by the school management application. On receiving the data, the enterprise application identifies the students who will be picked up/dropped off at the next stop and sends their parents a mobile alert. Location data from IOTCS in the enterprise database can also act as a location archive, providing proof of historical events such as a child arriving at school on date D at time T.

 

3. Manufacturing Device Monitoring - IOTCS collects data from manufacturing devices, filters/cleans the data for relevant information and enriches it with other contextual information before sending it to the enterprise assets database. The enterprise application uses the device data with other asset information to present metrics such as how old the device is, comparison with benchmarks, availability of similar devices, supplier information, automated ordering of new devices, etc.


4. Smart Home Solution - A Smart Container sends a refill alert to IOTCS, which streams it out to the customer database holding the customer's settings for the smart container. The enterprise application combines the data received from IOTCS with existing data in the database to identify the associated commodity, the customer's ordering preferences, the vendor with which the order is placed, etc., and places an order automatically.

 

Technical Architecture

im-1.jpg

 

Key Cloud Services Involved

 

  1. Internet of Things Cloud Service - Oracle's platform for the Internet of Things, offered as a cloud service, to connect, collect, analyze and forward device data.
  2. Java Cloud Service - SaaS Extension - J2EE container in Oracle Cloud used to host J2EE applications.
  3. Database Cloud Service - Database in Oracle Cloud to store enterprise data.

 

Key components

 

  1. Devices - Physical devices with sensors collecting specific attributes and sending them to Oracle's Internet of Things Cloud Service.
  2. IOT Cloud Service - IOTCS collects, filters and forwards data to the enterprise application.
  3. Enterprise Application - Deployed on JCS-SX, the enterprise application exposes a REST endpoint which IOTCS uses to push data to the application for processing. It processes and saves the data to the enterprise database. The enterprise application can use the saved device data in multiple modules, such as historical reporting and analysis.
  4. Database Cloud Service - Acts as the enterprise database.

 

System Interactions


  1. The device sends data to IOT Cloud Service.
  2. IOT Cloud Service captures the stream of data, filters/cleans it, enriches it with contextual information made available at device registration, and pushes it to the REST Endpoint deployed on JCS-SX.
  3. The REST Endpoint processes the data and calls the DBCS REST Endpoint to store it along with other enterprise data in the Database Cloud Service.
  4. The Enterprise Application deployed in JCS-SX fetches data from DBCS to create various metrics and reports for business users.

 

Conclusion


Oracle's Internet of Things Cloud Service provides integration options that can be leveraged to maximize the value of your device data and to provide useful insight into your IOT deployment.

To know more about Oracle Internet of Things Cloud Service, visit

https://cloud.oracle.com/iot

 

** The views expressed in this post are my own and do not necessarily reflect the views of Oracle. ** 

Introduction

 

Smart devices continuously send data every second to your Internet of Things infrastructure, and you as a business user are not able to find any useful insight in this enormous amount of data. Are you also trapped in this situation?

The Internet of Things is in vogue these days, but just capturing the data is not enough if your IOT infrastructure does not enable you to analyze the data and take business decisions. To enable business users to act rationally, a lot needs to be done to the raw data collected from your smart devices to convert it into useful business information. In this blog post, we will see how Oracle Internet of Things Cloud Service collects data from smart devices and converts it into business information by leveraging Oracle Business Intelligence Cloud Service, enabling business users to act pragmatically.


Oracle Internet of Things Cloud Service

 

A typical Oracle IOT deployment consists of IOT enabled devices, IOT Cloud Service and business applications.

 

im-1.jpg

The three core elements of Oracle Internet of Things Cloud Service which glue all the different components together are -

  1. Connect - reliable, secure messaging with devices
  2. Analyze - incoming data streams in real time, and visualize data with Big Data & BI Cloud Services
  3. Integrate - IOT data with enterprise applications

For more details –

https://cloud.oracle.com/en_US/_downloads/eBook_IoT_File/Oracle_Internet_of_Things_ebook.pdf

 

Technical Architecture


To implement our use-case, our IOT infrastructure connects and pushes data to Business Intelligence Cloud Service through the integration capabilities provided out of the box in Oracle Internet of Things Cloud Service.


The Technical Architecture for this will look like this -


im-2.jpg

 

The interaction between the components is as below -

  1. Devices are connected, either directly or through a gateway device, to Oracle Internet of Things Cloud Service and continuously send data over the internet.
  2. Oracle Internet of Things Cloud Service captures the device data and provides real-time analysis.
  3. Oracle Internet of Things Cloud Service connects to Oracle Business Intelligence Cloud Service and sends the device data to it, enabling BICS to do the historical data analysis and present business users with key information about device health and the required action to take.

 

Components Involved and Interaction

In order to work with this, you will need an account for the following

  1. Oracle Internet of Things Cloud Service
  2. Oracle Business Intelligence Cloud Service
  3. Smart Device

 

Let's Do It

 

Let's first understand the steps required to implement the use-case -

im-3.jpg

 

Creating IOT Application

 

1. Open the IOT Cloud Service instance and log in.

2. In the Dashboard, select the Application tab at the top of the screen

im-4.jpg

3. Click Create Application

im-5.jpg

 

4. Enter details for Name and description

im-6.jpg

5. This creates the application with the given name, which is then displayed on the Application Dashboard.

im-7.jpg

 

This completes the IOT application creation in Oracle Internet of Things Cloud Service.


 

Associating Device Model

 

1. Open the Application Dashboard by clicking "Application" at the top, then click on the application created in the last step

im-8.jpg

2. Click on Device Model in the left pane and then "Choose Device Model"

im-9.jpg

 

3. Select “HVAC Device Model” and Click Done.

im-10.jpg

 

At this stage, our Application is associated with a Device Model, which identifies the type of devices associated with this Application.


 

Capturing Data Stream

 

In order to enable real-time analysis, after associating the Device Model with the Application, we need to associate a Data Stream with the application. Here are the steps -

 

1. Click on “Data and Exploration” in the left pane and then “Exploration”

im-11.jpg

2. Create a new Exploration Source and bind it to the required device model; in our case, bind it to the "HVAC Device Model". Add Metadata for any additional device data you want to add to the data stream.

im-12.jpg

 

Once the Exploration Source is created, create the Exploration:

 

1. Click “Add”

im-13.jpg

2. Add the required details and select the previously created "Exploration Source"

im-14.jpg

3. Click Confirm.

 

Now we have our IOT Application associated with a Device Model and an Exploration. The Exploration can be used to analyze the data in real time.


 

Create Integration with Business Intelligence Cloud Service

 

For historical data analysis, integrate the IOT Application with Business Intelligence Cloud Service using the steps below -

 

1. From the Application, click on "Integration" in the left pane

im-15.jpg

2. Click the "+" sign and then choose "Business Intelligence Cloud Service"

im-16.jpg

 

3. Enter Details for BICS and click Create

im-17.jpg

 

     URL – URL for the BICS Instance (https://server-domain.analytics.us2.oraclecloud.com)

     Identity Domain – BICS Identity Domain

     Username – BICS user

     Password – Password for the BICS user

 

4. The newly created integration will look like this; note that it is not yet associated with any data stream

im-18.jpg

5. Select and edit this Integration to add a data stream by providing the BICS Table Name, Message Format and Annotations

im-19.jpg

6. Once done, you will see that the Integration is fully configured and marked green

im-20.jpg

 

At this point we have our IOT application configured to listen to the HVAC device, collect the data stream, show real-time analysis and forward it to BICS for historical analysis.


 

Register Device with IOT Cloud Service

 

Each device which communicates with Oracle IOT Cloud Service must be registered and activated before any data messages can be transmitted. To register a device with IoT -

 

1. From the top menu, click on Devices tab

im-21.jpg

2. Click Registration on the left hand pane

im-22.jpg

3. On the Device Registration screen, click Register Single Device.

im-23.jpg

4. Enter details and click Register

im-24.jpg

5. Make a note of the Device ID and Shared Secret, which you will need later to activate the device. Click Finish

im-25.jpg

 

The Device is now registered with Oracle IOT Cloud Service. With the Device ID and Shared Secret, you can activate the device. Once activated, the device can communicate with IoT Cloud Service and send data to it.


Moving Data to BICS

 

Once you have the Integration set-up in your IOT application with BICS, moving data to BICS is simple.

1. Go to your Integration and click on “Sync Now” button

im-26.jpg

 

This syncs the data into the table named while configuring the stream in the BICS Integration, in the BICS database.


 

Analyzing Data in BICS

 

Once you sync data from IOTCS to BICS, you can see the data in BICS and analyze it to provide useful information to the business user. For the sake of simplicity, I am going to show the max value of an attribute for each device.

 

To view data in BICS

1. Login to the BICS Analytics App and click on Modeler

im-27.jpg

2. In the Database pane, you will find the table named "HVAC_MESSAGES", the name given when configuring the stream in the BICS Integration.

im-28.jpg

 

3. Click “Lock and Edit” at the right to edit the model.


4. Click on the "HVAC_MESSAGES" table and then click "Add to Model". Select "Add as Fact and Dimension Tables"

im-29.jpg

5. Give names to Fact and Dimension Table and click “Add”

im-30.jpg

 

6. Click on “Analyses” on the Top menu

im-31.jpg

 

7. Click on Create Analysis on the right and select the Model. This opens a new window to analyze the data. In the "Criteria" tab, select the data

 

im-32.jpg

8. Click on the gear icon on the OUTPUTTEMP field and edit the Column Formula to MAX("IOT_HVAC_FACT"."OUTPUTTEMP") for the maximum temperature of the given device.

im-33.jpg

9. Click on the “Result” tab to see the tabular data –

im-34.jpg

10. Create a Vertical Bar Graph to represent the above data

im-35.jpg

11. The graphical representation of the data will appear as


im-36.jpg

12. Save the Analysis by clicking the "Save" icon at the right and saving it in the Shared Folder

im-37.jpg

 

Providing analysis to Business User

 

Reports can be provided to business users by creating a Dashboard and including the required data in it. To create a Dashboard to display IOT data -

 

1. Click on "Dashboards" in the BICS Analytics App

im-38.jpg

2. Click on Create Dashboard button on the right and provide details

im-39.jpg

3. The Dashboard Editor opens and you can add the previously created analysis by finding it in the "Catalog" and dragging it into the main frame

im-40.jpg

4. Click Save Icon to save the Dashboard.

5. This Dashboard can be shared and viewed to see the information about HVAC devices collected from IOTCS

im-41.jpg

 

 

Conclusion

 

Analysis of the data collected from your smart devices, and its availability to business users, is a critical aspect of any Internet of Things deployment, and Oracle Cloud PaaS Services work together to maximize your investment in this area. Real-time and historical analysis of data comes out of the box with Oracle's Internet of Things Cloud Service, enabling users to take critical and timely business decisions.

 

To learn more about Oracle Internet of Things Cloud Services visit –

https://cloud.oracle.com/iot

 

** The views expressed in this post are my own and do not necessarily reflect the views of Oracle. ** 

Tired of the SSLHandshakeException when accessing an HTTPS URL from your application deployed in JCS-SX, and wondering what is going wrong and how to fix it? Read on, this blog post will explain it.

 

Let's first understand what's happening - in layman's terms -

 

When the application deployed in JCS-SX tries to connect to any URL over HTTPS, the server sends its certificate (containing its public key) to the client, i.e. JCS-SX, and the client must authenticate this certificate by checking it against its list of trusted certificates. JCS-SX maintains the list of certificates it trusts in a store called the trustStore.

 

If you want to try what is explained below, you need the JCS-SX SDK.

If you do not have the SDK, follow this link - https://docs.oracle.com/cloud/latest/javacs_gs/CSJSU/GUID-B2007CE3-274C-43F9-80CF-E388B5F2C065.htm#CSJSU7165

 

Check the trusted certificates available in this store - to see the certificates which are trusted by default by your JCS-SX environment, use the command below

 

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -list-ssl-certificates

 

This command will list all trusted certificates in the format below -

 

S.NO        - <S.NO>

Alias       - <Alias - Name>

Expired     - <Expiry status>

Expiring in - <Time for expiry in format - 4 years, 236 days, 14 hours, 54 minutes and 7 seconds>
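As an added example (not from the original post), here is a small Python parser for the listing format shown above that flags trusted certificates which are already expired or expire within a given number of days, a useful pre-check before a trust anchor silently lapses and HTTPS calls start failing. The sample listing is constructed for this example; real output may carry extra fields, which the parser ignores.

```python
import re

# Constructed sample in the -list-ssl-certificates format shown above; the
# aliases and remaining lifetimes are made up for this example.
SAMPLE_LISTING = """\
S.NO        - 1
Alias       - rootca-a
Expired     - false
Expiring in - 4 years, 236 days, 14 hours, 54 minutes and 7 seconds

S.NO        - 2
Alias       - partner-api
Expired     - false
Expiring in - 45 days, 3 hours, 2 minutes and 9 seconds

S.NO        - 3
Alias       - legacy-gw
Expired     - true
"""

# One "Key - value" line of the listing; anything else is skipped.
FIELD = re.compile(r"^(S\.NO|Alias|Expired|Expiring in)\s*-\s*(.*)$")


def parse_listing(text):
    """Group the listing into one dict per certificate; each S.NO line
    starts a new entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "S.NO" and current:
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def days_left(expiring_in):
    """Approximate remaining days from text like '4 years, 236 days, ...'
    (years counted as 365 days; hours and below are ignored)."""
    years = re.search(r"(\d+)\s+years?", expiring_in)
    days = re.search(r"(\d+)\s+days?", expiring_in)
    return ((int(years.group(1)) if years else 0) * 365
            + (int(days.group(1)) if days else 0))


def truststore_report(text, warn_days=365):
    """Return (status, alias, days_left) for every trusted certificate that
    is already expired or expires within warn_days."""
    report = []
    for entry in parse_listing(text):
        alias = entry.get("Alias", "?")
        if entry.get("Expired", "").lower() == "true":
            report.append(("EXPIRED", alias, 0))
        else:
            left = days_left(entry.get("Expiring in", ""))
            if left < warn_days:
                report.append(("EXPIRING", alias, left))
    return report


if __name__ == "__main__":
    for status, alias, left in truststore_report(SAMPLE_LISTING):
        print(f"{status:8} {alias} ({left} days left)")
```

Feed it the real output of the list command (for example via `javacloud ... -list-ssl-certificates > listing.txt` and `truststore_report(open("listing.txt").read())`) to get the same report for your own tenancy.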

 

When you see an SSLHandshakeException, your server's certificate does not exist in the JCS-SX truststore and hence JCS-SX is not able to validate it. Here is how you can add it to JCS-SX, using the command below

 

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -add-ssl-certificates -path <path to certificate file>

 

Response will be like below.

[INFO]    - 1 certificate(s) added.

 

You can check that your certificate is now present in the JCS-SX truststore via the list-ssl-certificates command.

 

 

If you want to revoke trust in a specific server's certificate, delete its certificate from the truststore using the command below -

 

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -delete-ssl-certificates -alias <alias-name>

Response will be -

Alias <alias-name> deleted.

If you have messed up your truststore and are not sure how to get it right again, JCS-SX comes to your rescue and provides a reset command which you can use to reset the truststore to its default value. Be aware that it will remove all certificates added and trusted by you.

 

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -reset-ssl-certificate-store

 

Response will be like below -

This will undo all the certificate management operations you have performed.

Are you sure you want to reset SSL trust-store?(yes/no):yes

[INFO]    - The SSL certificate store is reset.

 

You can download the complete truststore or specific certificates to your local machine with the download-ssl-certificates command as -

 

javacloud -dc <data-center> -identitydomain <id-domain-name> -serviceinstance <instance-name> -user <user-name> -password <password>  -httpproxy <proxy-server:proxy-port> -download-ssl-certificates -output <output-dir>

 

Response will be like below -

[INFO]    - 76 certificates downloaded.

[INFO]    - Downloaded at: <output-dir>

            downloaded_certificates.jks

Note that the downloaded jks file does not have any password.

 

Hope this blog post helps you in configuring and troubleshooting SSL trust specific issues. Enjoy the Cloud Infra!

 

The views expressed in this post are my own and do not necessarily reflect the views of Oracle.