OCI Migration Prep - Domain Branding

sshew-Oracle

Domain Branding with Akamai

Learn more about Responsys' Move to the Oracle Cloud Infrastructure (OCI)

Oracle Responsys uses Akamai as our networking partner for DNS and HTTP/HTTPS routing for our Oracle Cloud Infrastructure (OCI) deployments. Whether as a result of Oracle DYN's Shutdown or as part of the required OCI migration preparation, you will need to acquire a new SSL certificate based on Akamai's environment and re-delegate your branded domains/sub-domains to Akamai's DNS name severs.  

For most accounts, this process of switching to Akamai for your Domain Branding is very similar to your original Domain Branding efforts. Our in-application guidance panels will facilitate your efforts for both the SSL Certificate process and the domain delegation process through a three-step process.

Step 1: Convert to Branded Domains (if not yet done)

Step 2: Download CSR and Upload SSL Certificate

The first in-application guidance panel presented reminds you to acquire a new SSL certificate for each Response Handler URL (on per Brand object). The call-to-action will direct you to our standard Manage SSL Certificates admin page, where you may download a new Certificate Signing Request (CSR) for each branded Response Handler URL via the "Add SSL" action. 

Please add a new SSL certificate only for the Response Handler Domains that currently have an SSL certificate listed in the Manage SSL Certificates page.

1. Please contact Support if you have uploaded the correct number of new SSL certificates and do not see a "Completed" status for the SSL certificate in-application guidance panel; we can help update the status so you can proceed with the Re-delegate Domains in-application guidance panel.
2. This also applies to "Secondary Account" SSL Certificates used by your AFTM account.
3. For Response Handler Domains that currently do not have an SSL certificate listed in the Manage SSL Certificates page, you may add the SSL certificate after you complete the Re-delegate Domain in-application panel.

Notes on Certificate Types:

-- Organization Validated (OV) and Extended Validation (EV) are the SSL certificate types accepted by Akamai.

-- What distinguishes OV & EV certificates are the extra layers and steps of validation required to obtain them.

-- For both EV & OV certificates CAs must verify the domain owner as well as several details related to the affiliated business including name, type, status, and physical address.

-- With an EV certificate there are nine additional steps are required including verifying a businesses’ public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, contact blacklist check and a telephone call to authenticate the employment status of the requestor.

-- The SSL certificate pieces must be decoded in X.509 basic format into 3 pieces (minimum), main.cer, intermediate.cer and root.cer and uploaded in the interface in Interact.

Add SSL

CSR Input Guidance

Please keep the following guidance in mind while completing the CSR input fields. Akamai has strict rules for allowed values.

• CSR Domain (CN): Please provide the exact domain / sub-domain name for the SSL certificate, and populate this field with only lowercase values.
• CSR Country (C): Please input a 2-character ISO value. Allowed values are available at https://www.iban.com/country-codes
• CSR State or Province Name (ST) = Please completely spell out the state or province's name. Do not include special characters.
• CSR Locality Name (L) = Please completely spell out the Locality's name; no abbreviations. Do not include special characters.
• CSR Organization Name (O): Please provide your company's name. Do not include special characters.
• CSR Organizational Unit Name (OU): Please enter a space character. This value cannot be empty.
• CSR Email Address: Please enter a valid email address. Please only use lowercase characters, and do not use special characters.
• CSR Address: Please provide a valid full street address, if requested. Do not use special characters.
• CSR Phone: Please include a valid phone number, if requested. Do include the numeric country code. Enter only numbers; no special characters.

Adding a new SSL

Click the "Add SSL" button to generate a new Certificate Signing Request (CSR)

1. This CSR is based on Akamai's environment. Please use it to acquire a new SSL certificate from your vendor of choice.
   1. For those with multiple Brand objects in a single Responsys account, please complete the SSL certificate process for all Brands currently using Domain Branding.
   2. Please acquire either an EV or an OV SSL certificate.
2. Once the new SSL certificate is installed and uploaded, the next in-application guidance panel will become available. 
3. Note: If you have AFTM enabled for your account, you will may see a separate in-application guidance panel prompting you to provide a new SSL certificate for the branded Response Handler of the "secondary account". The call-to-action will take you to the Secondary Account Manage SSL Certificates admin page.
   1. Else, if your Admin menus have a section for "Secondary account settings", please proceed to the "SSL certificates manage" page and upload new SSL certificate(s) to update your existing SSL certificates.
   2. Please do not upload an SSL certificate for the given branded Secondary Account Response Handler Domain if it does not currently have an SSL certificate listed.

After uploading new SSL certificates for all your domains/sub-domain, the "Update SSL certificate panel" will have a completed status, and the "Re-delegate domains" panel will enable for your next tasks.

IMPORTANT: If you have uploaded new SSL certificates for all your domains/sub-domains and the "Update SSL certificate panel" is not marked as "Completed", please submit a My Oracle Support SR.

Step 3: Re-delegate Branded Domains to Akamai

The second in-application guidance panel reminds you to re-delegate all of your branded domains/sub-domains to Akamai's name servers. 

Clicking on the call-to-action displays a fly-out panel from the right side of our application. Each of your currently configured branded domains/sub-domains are listed; this includes your ShortURL domains/sub-domains and your AFTM domain.

IMPORTANT: Depending on how your parent domain is managed, the the delegation steps will be different. Please ensure you follow the right process as if you don't follow the right steps, you will not be able to complete the process successfully!

If Your Parent Domain Is Managed by Akamai

If you are currently an Akamai customer and your parent branded domain is also managed in Akamai, you may encounter an error with the "Confirm delegation" action. These steps will help you resolve the error and re-delegate your branded sub-domain to Akamai.

Parent domain not managed by Akamai? See next section below for more information.

Please perform these steps for each branded sub-domain listed that is also managed by Akamai. The instructions are separated out into sections for each of the major tasks.

IMPORTANT: Please perform these steps during a collaborative working session between your Akamai IT team member(s) and Responsys account administrator users. The ownership of each subsequent step often switches from a Responsys user to an Akamai user and back again, and many of the steps must occur in real time one after the other.

Start here:

1. Do not start by delegating your branded sub-domain to Akamai's nameservers. That step will come later.
2. The assumed starting state is the branded sub-domain's existing NS delegation has multiple entries pointing to one of the following combinations
   1. Oracle DYN using *.dynect.net nameservers
   2. Oracle Responsys's nameservers: ns1.responsys.net and ns2.responsys.net

Enable subzone creation rights

Akamai requires your approval to enable their subzone creation feature. This is a the first of two approvals Akamai requires, and provides a general approval of the feature in your Akamai account.

1. Please login to Akamai's UI and follow steps 1-5 of Akamai's online help to "Enable subzone creation rights"
   1. Enable cross-account subzone delegation: https://techdocs.akamai.com/edge-dns/docs/enable-subzone-deleg

Creating the subzone in Akamai

These steps allow Oracle Responsys to manage your branded (vanity) sub-domain in the Responsys Akamai environment by the creation and population of a "subzone" for the given branded sub-domain.

1. Return to the Responsys UI and open the "Re-delegate domain" in-application guidance panel.
2. Click on the "Confirm re-delegation" button. It is OK if the delegation status is not confirmed.
   1. This will create a subzone request in Akamai for the branded sub-domain. Approval of the subzone request allows Oracle Responsys to manage the sub-domain within Responsys' Akamai account.
   2. As part of the request is a pending zone creation in Oracle Responsys' Akamai account for the branded sub-domain. The next step's completion will update the status from pending to approved and make the zone available for population by Oracle Responsys.
3. Please login to Akamai's UI and approve the sub-zone request allowing Oracle Responsys to manage the branded sub-domain.
   1. The call to action in Akamai is "approve subzone request", and grants Oracle Responsys permission to manage only the given branded sub-domain.
   2. Please complete steps 6-7 in Akamai's online help for "Enable subzone creation rights" : https://techdocs.akamai.com/edge-dns/docs/enable-subzone-deleg
4. Back in Responsys, click on the "Confirm re-delegation" button.
   1. This will populate the zone in Akamai for the branded sub-domain

Verify the zone and DNS entries in Responsys' Akamai account

1. Before proceeding with the re-delegation, ensure the given sub-domain has a zone and proper DNS entries in the Oracle Responsys Akamai account by executing the following dig command.
   1. dig in any @a1-31.akam.net yourVanitySubDomain
   2. If you do not have access to the command line "dig" command, please feel free to perform a dig query using an online web-based dig tool. A web search for "online dig" returns several online tools.
2. Look for the following dig query results. Do not re-delegate your vanity sub-domain to Akamai's nameservers until you see these results.
   1. An SOA record exists directed to Akamai and Oracle
   2. If your sub-domain is used as a Response Handler, ensure the returned DNS entries includes at least an A record pointing to the legacy Responsys environment.
   3. If your sub-domain is used for From addresses, ensure the returned DNS entries includes at least an MX record (mail transfer) and TXT record with SPF (sender policy framework) information.

Re-delegate the sub-domain to Akamai

1. In the Akamai UI, please in-place edit the existing NS delegation. The existing NS delegation has multiple entries pointing to one of the following combinations
   1. Oracle Responsys' nameservers: ns1.responsys.net and ns2.responsys.net
   2. Oracle DYN using *.dynect.net nameservers
2. Delegate the branded sub-domain to Akamai by performing an NS delegation to Akamai's nameservers; thereby replacing the NS delegations identified in the prior step.
3. Note: If the Akamai DNS name servers are not listed in the Responsys UI, please delegate your branded sub-domain to the following Akamai nameservers.
   1. a1-31.akam.net.
   2. a12-67.akam.net.
   3. a13-67.akam.net.
   4. a16-65.akam.net.
   5. a2-66.akam.net.
   6. a9-64.akam.net.
4. Return to the Responsys UI and go to the "Re-delegate Domain" panel.
5. You may verify the re-delegation of this sub-domain by clicking the "Validate" button or "Validate all" button.
   1. The desired result is a check mark, error free, next to the given domain/sub-domain. Ideally all are valid.
6. Click on the "Confirm re-delegation" button.
7. If this is the final sub-domain you are re-delegating, the "Re-delegate domain" panel's status will change to "Completed". At this point, you may notice the in-application guidance panels no longer appear on the Responsys home page.

If Your Parent Domain Is Not Managed by Akamai

Please perform these steps for each domain/sub-domain listed in the fly-out panel.

After completing these steps for all listed domains/sub-domains, please click on the "Confirm re-delegation" button to complete this panel. The "Re-delegate Domain" panel's status will change to "Completed" if all is successful. Once "Completed", you may notice the in-application guidance panels no longer appear on the Responsys home page.

1. Please remove the existing NS delegation. The existing NS delegation has multiple entries pointing to one of the following combinations
   1. Oracle DYN using *.dynect.net nameservers
   2. Oracle Responsys's nameservers: ns1.responsys.net and ns2.responsys.net
2. Please perform an NS delegation to Akamai's nameservers, thereby replacing the NS delegations removed in the step above.
3. Note: If the Akamai DNS name servers are not listed in UI, please delegate your branded domains/sub-domains to the following nameservers.
   1. a1-31.akam.net.
   2. a12-67.akam.net.
   3. a13-67.akam.net.
   4. a16-65.akam.net.
   5. a2-66.akam.net.
   6. a9-64.akam.net.
4. You may verify the re-delegation of this domain/sub-domain by clicking the "Validate" button
5. If you are currently an Akamai customer and your parent branded domain is also managed in Akamai, you may encounter an error with the "Confirm re-delegation" action. Please see the "Your Parent Domain Is Managed by Akamai" instructions, in the sub-section above.

ShortURL

Going forward, your Brand's default ShortUL is the domain you NS delegate to Akamai rather than a sub-domain of the delegated branded domain. For the migration, this is the same base domain you originally delegated to our nameservers (ns1.responsys.net, ns2.responsys.net) or DYN's nameservers.

We will continue to listen on the older ShortURL until the in-the-wild links expire.

• For example, you originally NS delegated foo.com to our nameservers and chose the "m" sub-domain for your ShortURL. The fully qualified result was http://m.foo.com/.
• Now, please NS delegate foo.com to Akamai's nameservers. This is now your shortURL show in SMS messages. Your prior shortURL using the "m" sub-domain (m.foo.com) will continue to work for the recently in-the-wild messages until those links expire per your account's configuration.

FREQUENTLY ASKED QUESTIONS

RSYSMovetoOCI_FAQ_Customer.pdf

Athanasia Rizou

Hello,

In case of an instance with no SSL Certificate, what is the process for this migration?

User_IBQYV

Hi there - we are experiencing an issue with step 4A for the "Your Parent Domain Is Managed by Akamai". We are not seeing the subzone request. Have had an SR open for 10 days with no movement on an answer, and really not wanting to lose service on the 15th. Thanks.

JodyMooney-Oracle

https://community.oracle.com/topliners/discussion/comment/16773142#Comment_16773142

Hello @User_IBQYV - can you please pass along the SR number? (You can send me a direct message via Topliners with the SR if you'd prefer rather than replying here as well)

sshew-Oracle

@User_IBQV, please let us know this issue via the SR. We may need to renew the request with Akamai, as the original prompt/request may have expired.