VBCS can invoke OIC integration endpoints using the following authentication patterns, selected based on deployment requirements and integration governance policies:
ORDS supports multiple authentication patterns depending on client type, trust boundary, and governance requirements:
ORDS enforces API-layer security and can combine it with Oracle Database native controls for defense in depth:
Reference basis: Oracle REST Data Services 26.1 Developer's Guide (Configuring Secure Access, JWT Profile/JWT RBAC, Pre-hook identity assertion), ORDS 26.1 Installation and Configuration Guide (OAuth2 over HTTPS expectations), and Oracle Database Insider blog series on ORDS JWT RBAC with OCI IAM.
OIC communicates with Oracle Process Automation using an explicitly configured OAuth 2.0 service client (or equivalent supported pattern) in OCI IAM Identity Domains. Where business-user traceability is required, OIC propagates user context as explicit process payload attributes for task attribution, escalation routing, and compliance audit needs.
|
OPERATION TYPE
|
HTTP METHODS
|
EXECUTION PATH
|
RATIONALE
|
|
Read / Lookup
|
GET
|
VBCS → Fusion REST API directly
|
Lightweight read-only lookups are served directly from Fusion, optimising latency and preserving OIC capacity for transactional flows.
|
|
State-Mutating Actions
|
POST, PATCH, DELETE
|
VBCS → OIC → Fusion REST API
|
In this governance model, write operations are routed through OIC to ensure consistent audit enrichment, error handling, and user attribution.
|
|
ORDS Access (Identity Propagation Pattern)
|
GET / POST
|
VBCS → ORDS
|
User context can be propagated to ORDS through a custom pattern (for example pre-hook identity mapping into database context), enabling row-level and context-sensitive access controls.
|
|
ORDS Access (Basic Auth)
|
GET / POST
|
OIC / OPA → ORDS (service account)
|
Service credentials managed centrally; appropriate for backend-to-data-tier integration flows where user-attributed access is not required.
|
Security Governance Principle: In the preferred governance model, browser clients do not hold write credentials to Fusion or ORDS. State-mutating operations are mediated by OIC so policy enforcement, observability, and audit enrichment stay consistent.
03 — FRONTEND LAYER
Oracle VBCS: Embedded UX Shell & Fusion-Integrated Frontend
Visual Builder Cloud Service is Oracle's enterprise low-code application development platform — generating production-grade Oracle JET web applications with declarative data bindings, built-in identity federation, and native service connection wiring to OIC, Fusion SaaS, and ORDS. What sets VBCS apart in this architecture is not merely its rendering capability, but its deep, native embeddability within Oracle Fusion SaaS pages — transforming it from a standalone portal into an invisible, seamless extension of the Fusion experience itself.
VBCS application screens are hosted as iFrame-embedded extensions directly within Oracle Fusion navigation pages. A Fusion user never perceives a context switch; the custom VBCS screens appear as native Fusion UI, inheriting the same navigation chrome, session token, and identity context. This tight embedding is the cornerstone of the user experience strategy — ensuring zero friction adoption by end-users who never leave the familiar Fusion environment.
When a Fusion user opens an embedded VBCS screen, the authenticated session is inherited from the enterprise identity context — delivering a seamless experience with no secondary login prompt. Authentication is governed by the enterprise identity provider configuration shared across Oracle services.
Key VBCS Configuration Steps
|
CONFIG AREA
|
SETTING
|
PURPOSE
|
|
Fusion Embedding
|
VBCS app URL registered as Fusion Sandbox / Page Composer extension
|
Enables VBCS screens to be rendered natively within Fusion SaaS navigation pages as iFrame-hosted extensions
|
|
Identity Configuration
|
Enterprise identity provider (e.g., Azure Active Directory) federated to OCI IAM Identity Domains
|
Fusion and VBCS share a common enterprise identity provider for authentication. Users can access embedded VBCS screens without a secondary login gesture when federation/session policies are aligned.
|
|
OIC Connectivity
|
OAuth 2.0 client credentials or User Assertion
|
VBCS invokes OIC using the appropriate authentication pattern — client credentials for service calls or user assertion for transactional operations requiring user attribution.
|
|
Fusion GET Calls
|
OAuth 2.0 preferred; Basic Auth only for tightly controlled legacy patterns
|
Read-only lookups (employees, suppliers, GL accounts, cost centres) can be fetched directly from Fusion for low latency, but many programs route reads through governed integration layers for consistent policy and logging.
|
|
ORDS Access — Identity Propagation Pattern
|
Custom user-context propagation (for example ORDS pre-hook + database context)
|
VBCS propagates user context to ORDS through an explicit implementation pattern. Row-level security (VPD) and context-sensitive policies then apply based on mapped database context.
|
|
ORDS Access — Basic Auth
|
Custom Backend Service with Basic Auth credentials
|
VBCS routes ORDS calls through a server-side Custom Backend service configuration where Basic Auth credentials are stored centrally — credentials are never exposed to the browser client
|
04 — CUSTOM DATA LAYER
Oracle ORDS & ATP: Custom Data Persistence
Fusion Cloud's native schema remains untouched. Extension data belongs in Autonomous Transaction Processing, and ORDS is used to expose controlled APIs for that custom dataset.
In this design, all ORDS objects (tables, views, packages, modules, templates, and handlers) are maintained in a single dedicated application schema to simplify deployment, security reviews, and runtime ownership.
OIC + ATP: Enterprise-Grade Business Logic Platform: Oracle Integration Cloud combined with Autonomous Transaction Processing enables implementation of highly complex PL/SQL-based business logic, advanced data transformations, and custom enrichment layers. This combination is well suited for enterprise-grade derivations, validation frameworks, and domain-specific customization requirements that demand both integration orchestration power and robust relational data processing.
ATP Schema Design for Fusion Extensions
|
TABLE
|
PURPOSE
|
KEY COLUMNS
|
|
EXT_REQUESTS
|
Staging table for VBCS-submitted requests before OPA approval
|
REQUEST_ID, FUSION_REF_ID, REQUESTED_BY, STATUS, CREATED_TS, OPA_INSTANCE_ID
|
|
EXT_AUDIT_LOG
|
Immutable audit trail of all system actions
|
LOG_ID, REQUEST_ID, ACTION, ACTOR, ACTOR_TYPE, TIMESTAMP, PAYLOAD_CLOB
|
|
EXT_INTEGRATION_MAP
|
Maps ATP records to Fusion Object IDs after write-back
|
ATP_ID, FUSION_OBJECT_TYPE, FUSION_OBJECT_ID, SYNC_STATUS, LAST_SYNC_TS
|
|
EXT_CONFIG
|
Runtime configuration values (thresholds, routing rules)
|
CONFIG_KEY, CONFIG_VALUE, EFFECTIVE_FROM, EFFECTIVE_TO
|
ORDS Exposure Model (Single Schema)
|
AREA
|
IMPLEMENTATION
|
REASON
|
|
Schema Ownership
|
Single schema only (no multi-schema split)
|
Consistent grants, easier CI/CD migration, and clean ownership boundaries
|
|
API Grouping
|
Multiple ORDS modules and templates in the same schema
|
Predictable endpoint layout and easier lifecycle management
|
|
VBCS Access — Identity Propagation Pattern
|
Custom user-context propagation (for example ORDS pre-hook + database context)
|
VBCS can propagate user context to ORDS through an explicit implementation pattern. Row-level security (VPD) and context-sensitive policies then apply based on mapped database context.
|
|
VBCS Access — Backend Basic Auth
|
VBCS Custom Backend Service with Basic Auth credentials
|
An alternative access path where VBCS routes ORDS calls through a server-side custom backend configuration — credentials are stored and managed centrally, never surfaced to the browser
|
|
OIC Access Path
|
OIC REST connection invokes the same ORDS endpoints with Basic Auth (service account)
|
Single canonical API contract for both orchestration and UI retrieval; OIC holds service-account credentials as a managed connection property
|
|
OPA Access Path
|
OPA calls ORDS endpoints directly for in-workflow data reads and status updates
|
Keeps OPA self-sufficient for data operations within the approval lifecycle — avoiding a round-trip through OIC for simple database interactions
|
ATP Advantage: Autonomous Database auto-scales OCPU and storage, auto-patches, and provides Always-On availability — removing operational overhead from extension teams who should focus on business logic, not DBA tasks.
05 — ORCHESTRATION LAYER
Oracle OIC: Core Orchestration Fabric
OIC 3.0 (Oracle Integration Cloud) is the central orchestration layer for this platform. It acts as the intermediary between VBCS user interactions and the Fusion SaaS backend, and in this architecture it is the primary gateway for state-mutating operations against Fusion. POST, PATCH, and DELETE calls that touch Fusion data are routed through OIC rather than originating directly from the browser tier.
When VBCS triggers an actionable operation, it invokes OIC using the appropriate connectivity pattern for the deployment. OIC captures the originating user's identity and propagates it as a first-class audit attribute through every downstream call. When OIC subsequently calls Fusion REST APIs, it authenticates using dedicated service credentials registered in OCI IAM Identity Domains, enriching each request with requestedBy attributes to preserve business-user attribution alongside the technical service principal in integration and business logs.
OIC Integration Flow: Submit & Route
|
①
|
REST Trigger (Inbound from VBCS)
VBCS invokes OIC's REST trigger endpoint using the configured authentication pattern. OIC validates the request and captures the originating user's identity — preserving it for downstream attribution throughout the entire integration flow.
|
|
②
|
Data Enrichment & Routing Logic
OIC's mapper transforms the VBCS JSON payload into a canonical internal format. A Decision model or configuration lookup in OIC (EXT_CONFIG) determines routing rules — which OPA process to launch, which Fusion object to invoke, and what approval threshold applies.
|
|
③
|
ATP Write via ORDS (Staging Record)
OIC calls the ORDS POST /requests/submit endpoint using the managed ATP ORDS connection (Basic Auth service account). The requestedBy field carries the original username extracted from the VBCS token. On success, OIC captures the new REQUEST_ID for correlation throughout the workflow lifecycle.
|
|
④
|
Secure Integration → OPA
OIC invokes Oracle Process Automation using an explicitly configured OAuth 2.0 client (or equivalent supported credential pattern), and propagates the originating user's business context in the process initiation payload. OIC then calls the process instantiation API to launch a workflow instance with consistent business-user attribution for task routing and audit traceability.
|
|
⑤
|
Fusion Object API Call
For conditional Fusion data operations — supplier validation, GL account checks, or any lookup required for routing — OIC calls the appropriate Fusion REST endpoint using dedicated service credentials. The Fusion identity domain enforces Fusion-specific data roles, row-level security, and business rule validation. OIC adds requestedBy or equivalent audit metadata to preserve business-user attribution.
|
|
⑥
|
Response to VBCS
OIC returns a structured JSON response containing the ATP REQUEST_ID, the OPA processInstanceId, and a status polling URL. VBCS stores these correlation identifiers for real-time status tracking within the embedded Fusion screen.
|
OIC Connection Configuration Summary
|
CONNECTION
|
ADAPTER
|
AUTH METHOD
|
NOTES
|
|
Inbound from VBCS
|
REST Trigger
|
OAuth 2.0 / User Assertion / Basic Auth
|
Authentication pattern is configured per deployment model. OIC captures the originating user's identity and propagates it as an audit attribute through all downstream calls.
|
|
OPA REST API
|
REST
|
OAuth 2.0 service client + propagated business context
|
Base URL: OPA instance domain + /process/api/v1; process instances are launched with user attribution fields for task traceability and audit compliance.
|
|
ATP via ORDS
|
REST
|
Basic Auth (service account)
|
Managed OIC connection; uses ORDS module/template endpoints from the single application schema; base URL: /ords/<schema>/
|
|
Fusion Cloud REST APIs
|
Oracle ERP Cloud / REST
|
OAuth 2.0 (service credentials)
|
Service credentials registered in OCI IAM Identity Domains carry Fusion-specific data roles and row-level security context. OIC enriches all calls with requestedBy attributes to preserve business-user traceability in integration and business logs.
|
06 — PROCESS AUTOMATION
Oracle Process Automation: Human Workflow, Approvals & Fusion-Embedded Task Experience
Oracle Process Automation (OPA) is the platform's dedicated human-workflow engine — providing structured, enterprise-grade approval capabilities that Fusion Cloud implementations routinely demand: multi-level approval chains, parallel review gates, SLA-driven escalation timers, decision tables, and adaptive digital task forms. OPA processes are invoked by OIC with full user attribution, and they operate as autonomous, stateful workflow engines that can independently interact with both the data tier (ORDS) and the orchestration layer (OIC) without requiring OIC to remain in the execution loop for the lifetime of the process.
A defining characteristic of this architecture is that OPA task list pages are natively embedded within Oracle Fusion SaaS pages — precisely mirroring the embedding strategy applied to VBCS screens. Approvers and reviewers access their pending workflow tasks directly from within the Fusion navigation environment, with the same session identity, the same UI chrome, and zero context switching. The custom approval layer built on OPA is seamlessly integrated with Oracle Fusion — making it functionally indistinguishable from Fusion's native BPM workflow experience, while providing far greater configurability and modern process design tooling.
OPA's Active Role in the Data & Orchestration Layers
OPA is not merely a passive recipient of process initiation calls from OIC. Within the lifecycle of an active approval workflow, OPA is an active, bidirectional participant in both the data tier and the orchestration fabric:
|
▶
|
OPA → ORDS: In-Workflow Database Operations
OPA calls ORDS REST endpoints directly for all database read and write operations that occur within the workflow lifecycle — fetching task context data, updating request status fields (e.g., EXT_REQUESTS.STATUS = 'PENDING_L2'), writing interim approval decisions to EXT_AUDIT_LOG, and reading configuration thresholds from EXT_CONFIG to drive conditional routing logic. This direct OPA-to-ORDS path keeps database interactions fast and self-contained within the process engine.
|
|
▶
|
OPA → OIC: Actionable Item Delegation
For operations that transcend data persistence — sending structured notifications, triggering Fusion write-backs, invoking external system calls, or executing complex multi-system orchestration — OPA delegates to OIC integration flows via REST callback invocations. This preserves the architectural principle that OIC is the sole authorised orchestration agent for cross-system mutations, while allowing OPA to remain the authoritative owner of workflow state and human-task management.
|
Process Design Patterns for Fusion Extensions
|
✅ Sequential Approval
L1 → L2 → FINANCE
Standard pattern for purchase requests. Each approver receives a human task in their embedded Fusion task list. OPA routes to the next stage on approval, or terminates on rejection — triggering an OIC callback to update the ATP staging record and push a real-time notification to the originating VBCS user.
|
⚡ Parallel Approval
SIMULTANEOUS REVIEWS
Legal and Compliance review in parallel. OPA waits for both branches to resolve before proceeding via a gateway join condition. Reduces approval cycle time compared to sequential chains while maintaining full auditability of each parallel decision.
|
|
⏱️ SLA Escalation
TIMER BOUNDARY EVENTS
If an approver fails to act within the configured SLA window, OPA automatically escalates to their manager — resolved in real time from the Fusion HCM supervisor hierarchy via an OIC integration call — and dispatches a reminder notification, maintaining governance compliance without manual intervention.
|
|
OPA → OIC Callback Pattern
When all workflow tasks complete, OPA invokes the OIC callback integration endpoint. OIC then executes the post-approval orchestration sequence:
|
A
|
Update ATP Record via ORDS
OIC calls ORDS to update EXT_REQUESTS.STATUS to APPROVED or REJECTED, writing the complete approver chain and decision timestamps into EXT_AUDIT_LOG for an immutable, regulatorily compliant audit trail.
|
|
B
|
Write-back to Fusion Objects (Approved Transactions Only)
On APPROVED status, OIC invokes the relevant Fusion Object REST API using dedicated service credentials to create or update the authoritative ERP record: a Purchase Order in Fusion Procurement, an invoice in Fusion Payables, a supplier qualification update in Fusion SCM.
|
|
C
|
Notify the Originating VBCS User
OIC dispatches a structured notification — via Oracle Notification Service or a VBCS application webhook endpoint — updating the embedded Fusion screen in real time so the originating user is immediately informed of the approval outcome without needing to poll or navigate away.
|
07 — ERP/HCM/SCM BACKEND
Fusion Cloud Object HTTPS APIs
Oracle Fusion Cloud exposes every major business object as a versioned REST resource under the /fscmRestApi/resources/{version}/ base path. These are not generic CRUD endpoints — they enforce Fusion security policies (data roles, row security), fire business rules and validations, and update Fusion's audit trail.
Commonly Used Fusion REST Object APIs
|
DOMAIN
|
OBJECT
|
ENDPOINT FRAGMENT
|
OIC OPERATION
|
|
Procurement
|
Purchase Orders
|
/purchaseOrders
|
POST (create PO after approval)
|
|
Procurement
|
Suppliers
|
/suppliers
|
GET (validate supplier)
|
|
HCM
|
Workers
|
/workers
|
GET (resolve manager for escalation)
|
|
HCM
|
Assignments
|
/emps/{id}/child/assignments
|
GET (cost center / grade)
|
|
Financials
|
GL Accounts
|
/ledgerAccounts
|
GET (validate account combination)
|
|
Financials
|
Invoices
|
/invoices
|
POST (create payable invoice)
|
|
SCM
|
Items
|
/items
|
GET/PATCH (item master updates)
|
|
Projects
|
Projects
|
/projects
|
GET (project code validation)
|
Fusion Object API Authentication Strategy
|
OIC as the Primary Write Gateway: In this architecture, POST, PATCH, and DELETE operations against Fusion REST APIs are executed by OIC using dedicated service credentials that carry the requisite Fusion data roles and row-level security context. OIC enriches every call with requestedBy or equivalent metadata so business-user attribution is preserved alongside the authenticated technical principal. Read-only GET calls can be direct from VBCS where allowed, but many implementations prefer governed API/integration paths for centralized policy, throttling, and observability.
|
08 — END-TO-END
Complete End-to-End Flow
Bringing all six components together, a typical purchase request submission traverses the following path — with user identity preserved and every action audited throughout
09 — USE CASES
Example Custom Solutions Built with This Architecture
The same architecture can be reused for spreadsheet-driven business operations where users upload Excel files in VBCS, OPA manages approvals, and OIC posts approved transactions into Oracle Fusion.
|
📘 Manual Journal Upload Dashboard
VBCS + OPA + OIC + ORACLE FINANCIALS
Finance users upload Excel journal files through VBCS, where file details are validated and routed into an approval workflow in OPA. After approval, OIC transforms the spreadsheet content and integrates the journal entries into Oracle Financials with full status tracking and audit visibility.
|
🧾 AR Invoice Upload Dashboard
VBCS + OPA + OIC + ORACLE RECEIVABLES
Users upload Excel-based AR invoice data in VBCS, trigger an approval process in OPA, and monitor upload status from a centralized dashboard. Once approved, OIC maps the invoice rows into the target Oracle Receivables interface or API and completes the integration with traceable processing updates.
|
10 — OCI INFRASTRUCTURE
Oracle Cloud Infrastructure Services Supporting Fusion Architectures
Oracle Cloud Infrastructure provides a set of platform services that complement and extend the Oracle Fusion-based application stack. Object Storage, API Gateway, Load Balancer, Compute, Events, and Vault each play a defined architectural role — enabling durable file handling, governed API access, scalable traffic distribution, and centralised secrets management across the integration landscape.
|
🪣 OCI Object Storage
STORAGE · DURABLE · S3-COMPATIBLE
Oracle Cloud Infrastructure Object Storage is a highly durable, geo-redundant, infinitely scalable object store — purpose-built for unstructured data at enterprise scale. It natively integrates with OIC via pre-authenticated requests (PARs) and supports lifecycle policies, versioning, and AES-256 encryption at rest. In this architecture, Object Storage acts as the primary staging layer for bulk file operations, making it indispensable for upload-driven customization scenarios.
USAGE IN THIS ARCHITECTURE • VBCS uploads Excel / CSV files (journal entries, AR invoices, bulk payloads) directly to an Object Storage bucket via pre-authenticated URLs — eliminating the need to route large files through OIC or the API tier.
• OIC monitors bucket events (via OCI Events Service triggers) or polls for new objects, then reads and processes file content as part of integration flows.
• Approved and processed files are moved to an archive prefix within the same bucket for a complete, auditable file lifecycle trail.
• Attachment files associated with OPA workflow tasks are stored in Object Storage and referenced by pre-authenticated URLs rather than as inline database BLOBs — keeping ATP lean.
• Large data sets are staged in Object Storage and imported into ATP using Oracle Data Pump — enabling bulk data loads without routing large volumes through API tiers.
• File references are exchanged as lightweight pre-authenticated request URLs across OIC, VBCS, and OPA workflows, avoiding inline binary transfers in integration payloads.
|
|
🔀 OCI API Gateway
API MANAGEMENT · SECURITY · RATE LIMITING
OCI API Gateway is a fully managed, serverless API management service that provides a secure, observable, and policy-governed entry point for any HTTP-based backend — whether hosted on OCI Compute, ORDS, or external services. It supports JWT validation, OAuth 2.0 scopes, CORS policies, request transformation, and rate limiting at the edge, without introducing any additional compute infrastructure to manage.
USAGE IN THIS ARCHITECTURE • Hosts and secures OIC integration endpoints behind a consistent base URL, decoupling consumer-facing addresses from OIC's internal service structure and supporting custom domain configuration.
• Segregates access between downstream systems by applying route-level policies — different authentication requirements, rate limits, and IP allowlists can be enforced per consumer or per integration endpoint.
• Enables policy-governed header injection and transformation: correlation IDs or tenant identifiers can be supplemented before requests reach ORDS or OIC backends, without weakening downstream authentication trust chains.
• Acts as a proxy governance layer with centralised request logging, latency monitoring, and error rate visibility via OCI Logging and Monitoring across all API traffic.
|
|
⚖️ OCI Load Balancer
TRAFFIC DISTRIBUTION · RESILIENCE · SCALABILITY
OCI Load Balancer provides Layer 7 HTTP/HTTPS traffic distribution across backend service instances, delivering high availability and horizontal scalability for integration and data access endpoints. It supports SSL termination, session persistence, health-check-driven failover, and backend set management — ensuring consistent service availability under variable load conditions.
USAGE IN THIS ARCHITECTURE • Distributes traffic across multiple ORDS instances, preventing any single listener from becoming a bottleneck under high-volume data access scenarios and ensuring availability during rolling upgrades.
• Fronts high-load OIC service endpoints in configurations where integration traffic is routed through on-premises or custom backend services requiring load distribution.
• Provides resilience and automatic failover for integration middleware hosted on OCI Compute, maintaining uninterrupted service availability during instance maintenance or failure events.
• Enables blue-green and rolling deployment strategies for ORDS and custom middleware by progressively shifting traffic between backend instance pools without service interruption.
|
|
🖥️ OCI Compute (Virtual Machines)
COMPUTE · FLEXIBLE SHAPES · CUSTOM MIDDLEWARE
OCI Compute provides flexible, bare-metal-class virtual machine instances across an extensive library of shapes — from ARM-based Ampere A1 instances for cost-efficient workloads to Intel and AMD high-memory shapes for demanding middleware. With live migration, autoscaling instance pools, and Oracle Linux as the native OS, OCI Compute is the trusted home for custom backend services, middleware adapters, and legacy integration components that have not yet been re-platformed to managed cloud services.
USAGE IN THIS ARCHITECTURE • Hosts custom middleware components implementing specialised transformation or enrichment logic that exceeds standard OIC mapper capabilities — invoked by OIC as REST endpoints within the integration network.
• Implements specialised integration logic as a transformation or orchestration layer, particularly in complex derivation or validation scenarios requiring custom code execution.
• Provides a self-managed ORDS runtime for organisations requiring fine-grained control over ORDS configuration, connection pool tuning, and database wallet management while keeping ATP as the managed database tier.
• Hosts Oracle Middleware (SOA Suite, OSB) components in hybrid transition architectures where legacy integration flows are being progressively migrated to OIC 3.0.
|
|
📨 OCI Events & Notifications
EVENT-DRIVEN · REAL-TIME TRIGGERS
OCI Events Service captures state-change events from any OCI resource — Object Storage objects created, ATP backups completed, Compute instance state changes — and routes them to Notifications topics, Functions, or Streaming. This enables a fully event-driven trigger model for integration flows, replacing costly polling loops with instant, serverless event delivery.
USAGE IN THIS ARCHITECTURE • Triggers OIC integration flows immediately when a new file lands in an Object Storage bucket (e.g., a newly uploaded Excel journal file), eliminating scheduled polling and reducing processing latency to near-real-time.
• Sends OCI Notifications (email, SMS, Slack webhook via HTTPS) to operations teams when critical events occur — failed OIC integration runs, ATP storage thresholds, or OPA process instance backlogs.
• Drives the VBCS notification layer by publishing approval-completion events to an ONS topic that VBCS subscribes to via a webhook service connection.
|
|
🔐 OCI Vault (Key Management)
SECRETS · ENCRYPTION KEYS · COMPLIANCE
OCI Vault is the platform's centralised secrets management and key management service — providing HSM-backed encryption key storage, automatic key rotation, and a secrets API that helps eliminate hardcoded credentials across the architecture. Runtime retrieval and non-plaintext handling depend on each service's configured integration pattern.
USAGE IN THIS ARCHITECTURE • Stores ORDS Basic Auth credentials, Fusion service account secrets, and JWT signing keys as Vault secrets — referenced by OIC through supported secret integration patterns configured per connection/runtime.
• Manages ATP wallet passphrases and TDE master encryption keys for regulatory compliance (GDPR, SOX) requirements.
• Provides a central rotation mechanism: when a Fusion service account password is rotated, a single Vault secret update propagates to all OIC connections referencing it — no redeployment required.
|
|
Platform Cohesion: The power of these OCI infrastructure services lies not in their individual capabilities, but in their deep integration with the application-tier services. Object Storage events can trigger OIC processing. API Gateway can validate JWTs issued by OCI IAM Identity Domains. Vault centralizes secret lifecycle management, with OIC integration implemented through configured secret patterns. This interoperability is a hallmark of a mature cloud platform.
|
11 — CONCLUSION
Conclusion
|
The architecture presented in this blueprint is a testament to Oracle's singular vision: a unified cloud platform where every service is purpose-built to work in concert with every other. By leveraging VBCS for governed low-code experiences, OIC as the intelligent integration backbone, OPA for enterprise-grade process discipline, ATP for self-managing data persistence, and ORDS for clean API projection — all atop OCI's hardened infrastructure — organizations unlock a customization model that is simultaneously powerful, maintainable, and architecturally coherent.
What distinguishes this approach from conventional multi-vendor integration patterns is not any single technology choice, but the compounding effect of platform convergence. When identity is federated through OCI IAM Identity Domains, when operational observability flows through a unified OCI Logging stack, when security credentials are managed in one Vault, and when every component carries Oracle's enterprise SLA — the result is an architecture whose operational burden is a fraction of its functional capability. The toil of managing integrations between disparate vendors is replaced by the momentum of building on a platform designed to be extended.
For enterprise architects and integration engineers, the message is clear: Oracle Cloud is not merely a destination for migrating existing workloads — it is a platform for reimagining how enterprise software is built. Every customization built within this ecosystem inherits the security, scalability, and governance standards of Oracle Fusion itself — a standard that no third-party toolchain can replicate.
Whether the next project is a streamlined journal upload dashboard, a multi-tier procurement approval workflow, or a full extension module spanning HCM, ERP, and SCM — this blueprint scales with it. The platform is ready. The architecture is proven. The only remaining question is: what will you build?
|
Key Takeaways: All customization lives within Oracle Cloud. OCI IAM Identity Domains provide unified identity across every layer. OIC is the primary orchestration and write-governance layer in this design. ATP + ORDS isolates extension data from Fusion. OCI infrastructure services extend platform capability without adding unnecessary vendor complexity.
12 — FURTHER READING
References & Documentation
Architecture diagrams aligned to Oracle standard representations from the provided PPT assets (trusted-client-flow and OIC-OPA sequence).
Authors
Ajay Narayan (Main Author)
Ajay Narayan is a Global Information & Technology Integrations Architect with two decades of experience, currently serving as Senior Manager at Equinix. He specializes in Oracle PaaS, AI-driven solutions, and enterprise cloud architecture. Recognized as an “AI and Cloud Architect of the Year,” he has led several large-scale digital transformation initiatives. Ajay brings deep expertise in designing scalable integrations and modern cloud solutions.
Abhishek Aithal (Co-Author)
Abhishek Aithal is an Oracle Cloud and Integration Developer at Equinix with expertise in Oracle Integration Cloud, enterprise automation, AI-driven architectures, and multi-cloud solutions. He specializes in designing scalable Oracle Fusion and cloud integration ecosystems, with hands-on experience across Oracle PaaS, OCI, AWS, and intelligent workflow automation.
Lakshmi Reddy Kishtipati (Co-Author)
Lakshmi Reddy Kishtipati is a Senior Software Engineer at Equinix with strong expertise in Oracle PaaS and SaaS technologies. He has worked extensively on enterprise integrations, cloud-based solutions, and multiple Oracle ERP implementation projects across complex business environments. With hands-on experience in Oracle Cloud applications and automation-driven solutions, His expertise spans Oracle integrations, VBCS page development, Oracle Process Automation, Oracle RPA, ERP transformations, and modern cloud platform development