1. Expel Help Center
  2. Connect Your Technology
  3. L-P Integrations
  4. Oracle Cloud Infrastructure

Oracle Cloud Setup - Manual (Large/Enterprise Environments)

This process is intended for customers with large environments who wish to centralize logs across many regions into a single architecture. If you wish to use Terraform, see Oracle Cloud Infrastructure - Terraform Setup. If you want to create multiple single-tenant setups with one device per OCI region, see Oracle Cloud Infrastructure - Manual Setup (Small Environments)

To set up this integration, you will manually create the following resources using the specific parameters described in this guide:

  • Global - auth token, compartment, group, polling policy, Expel user
  • Home Region - central bucket, stream pool, stream, events service rule, dynamic group, IAM policy
  • Regional - connector, application, function, VCN, subnet, service gateway, NAT gateway, routing table, security list

Prerequisites

  • Make sure there is a user from your organization with Admin-level cloud access to the relevant cloud environment.
  • Make sure you have an email address from your organization that can be used to associate with the Expel Machine User you will create.

Before You Begin

Identify the region(s) you wish to include. If you wish to onboard multiple regions, you must repeat Steps 10-12 of this guide for each one.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Download the Function Code Files
  2. Generate an Auth Token
  3. Create a Compartment
  4. Configure the Central Bucket
  5. Create a Stream Pool
  6. Create a Stream
  7. Create an Events Service Rule
  8. Create a Dynamic Group
  9. Create an IAM Policy
  10. Configure the Regional VCN and Application
  11. Create and Deploy the Function
  12. Create a Regional Service Connector
  13. Create an Expel Machine User Group
  14. Create a Polling Policy
  15. Create an Expel Machine User
  16. Obtain the Expel Credentials
  17. Add Oracle Cloud Infrastructure as a Security Device in Workbench

Step 1: Download the Function Code Files

Scroll to the bottom of this page to download the expel_oci_function.zip file, which contains the three files you need to complete this guide:

  • func.py
  • func.yaml
  • requirements.txt

Make note of the location of this file, as you will need to find and use its contents in a future step. You may also go ahead and unzip the file if you wish.

Step 2: Generate an Auth Token

An auth token is required in order to deploy the function later in this guide. You will use it to log into Docker.

  1. Log in to OCI.
  2. In the top right, select your username/email.
  3. Select the Tokens and keys tab.
  4. In the Auth tokens section, select Generate token.
  5. Enter a description for the token, such as "Expel token".
  6. Select Generate token.
  7. Copy the generated token, as you will need it for future steps and it will not be available again.
  8. Select Close.

Step 3: Create a Compartment

In this step, you will create a dedicated compartment for the log centralization resources (central bucket, VCN, function application, function, service connector, stream pool, stream, and event rules). This isolation creates a security boundary that enables precise IAM policy scoping, ensuring the Expel Collector is restricted solely to the resources required for the notification-and-fetch workflow.

  1. Make sure you are in your home region.
  2. Use the Search bar to navigate to Compartments, or go to Identity & Security > Identity > Compartments.
  3. Select Create compartment.
  4. For the new compartment:
    • Name - enter a name for the compartment, such as "Expel_Compartment". Make note of the name you chose, as you will need it in future steps.
    • Description - enter a description.
    • Parent compartment - make sure the root compartment is selected.
    • No tags are necessary.
  5. Select Create compartment.
  6. Locate your newly created compartment in the list and select it.
  7. In the details, copy and save the compartment OCID (you will need it in a later step).

Step 4: Configure the Central Bucket

Step 1: Create a Central Bucket

A bucket must be created in your home region that will act as a target for the functions. This central bucket will contain all of the logs for the regions you choose to onboard.

  1. Still in your home region, use the Search bar to navigate to Buckets, or go to Storage > Object Storage & Archive Storage > Buckets.
  2. Next to "Applied filters," select the compartment you created earlier in this guide. If you do not see your compartment or an error after selecting it, wait a few minutes and reload the page.
  3. Select Create bucket.
  4. For the new bucket:
    • Name - leave the default bucket name or enter a different name, such as "Expel_CentralBucket". Make note of the name you chose, as you will need it in future steps.
    • Default storage tier - leave it as Standard.
    • Choose the enable the Emit object events option (the third toggle).
  5. Leave all other defaults on the page as is.
  6. Select Create bucket.

Step 2: Create a Lifecycle Policy Rule for the Central Bucket (Optional)

This step is not required, but it is highly recommended for cost control because it enables automatic deletion of objects outside of a safe retention window. If you do not wish to create this rule, skip to Step 3: Create a Retention Rule for the Central Bucket.

  1. Select your newly created central bucket in the list.
  2. Select the bucket's Policies tab.
  3. Under Lifecycle policy rules, select Create rule.
  4. For the new rule:
    • Name - enter a name for the rule, or use the default name.
    • Target - leave as Objects.
    • Lifecycle action - select Delete.
    • Number of days - enter "14".
  5. In Advanced options, make sure the State is enabled.
  6. If an alert banner appears. Select the Try to add statements button within the banner.
  7. For the new Add IAM Policy:
    • Name - enter a name, or use the default name.
    • Description - enter a description, or use the default description.
    • Policy Statement - Leave it as is.
  8. Select Create.
  9. Look for the Policies added successfully message.
  10. Wait for a few minutes and then select Create rule.

Step 3: Create a Retention Rule for the Central Bucket

The retention rule prevents deletion of objects for a certain timeframe (this ensures the audit logs remain available during our fetching window).

  1. Still in the bucket's Policies tab, under Retention rules, select Create rule.
  2. For the new rule:
    • Name - enter a name for the rule, or use the default name.
    • Retention rule type - leave it as Time-bound.
    • Retention duration - enter "7" and select Days.
  3. Select Enable retention rule lock to prevent the rule from being inadvertently disabled.
  4. Select Create rule.
  5. Select the checkbox on the confirmation screen, then select Create.

Step 5: Create a Stream Pool

The stream pool will be the container for the stream, which you will create next.

  1. Still in your home region, use the Search bar to navigate to Stream Pools, or go to Analytics & AI > Messaging > Streaming > Stream Pools.
  2. Select Stream Pools.
  3. Select Create steam pool.
  4. For the new stream pool:
    • Name - enter a name for the stream pool, such as "Expel_StreamPool"
    • Resource compartment - make sure the compartment you created earlier in this guide is selected.
  5. For the endpoint type, make sure Public endpoint is selected.
  6. Leave all other defaults on the page as is.
  7. Select Create.

Step 6: Create a Stream

Now you will create the stream and add it to the stream pool. The stream will function as a running log of all objects uploaded to the central bucket, helping our event poller to determine what it needs to download.

  1. Still in Analytics & AI navigate to Streaming > Streams.
  2. Select Create stream.
  3. Set the stream properties:
    • Name - enter a name for the stream, such as "Expel_Stream". Make note of this name, as you will need it in the next section.
    • Resource compartment - make sure the compartment you created earlier in this guide is selected.
  4. Scroll past tags and choose the Select Existing Stream Pool option. If you do not see the option to select a stream pool then wait a few minutes and reload the page.
  5. Choose the stream pool you created in the previous section.
  6. For the stream settings:
    • Retention - enter "168".
    • Number of partitions - leave it as "1".
  7. Select Create.
  8. In the list of streams, select the new stream.
  9. Copy the following two values and save them, as you will need them later in this guide:
    • Stream OCID
    • Messages endpoint

Step 7: Create an Events Service Rule

The rule enables you to designate which events belong in the stream.

  1. Still in your home region, use the Search bar to navigate to Rules, or go to Observability & Management > Events Service > Rules.
  2. Make sure you are still in the compartment you created earlier in this guide, then select Create Rule.
  3. For the new rule:
    • Display name - enter a name for the rule, such as "Expel_Rule".
    • Description - enter a description for the rule.
  4. For the rule conditions:
    • Condition - leave as Event Type.
    • Service Name - select Object Storage.
    • Event Type - select both Object - Create and Object - Update.
  5. Select Another Condition.
  6. For the condition:
    • Condition - select Attribute as the type.
    • Attribute Name - select bucketName.
    • Attribute Values - enter the name of the central bucket you created earlier in this guide (you may also have to select it after entering, to get it to save).
  7. In the Actions section:
    • Action Type - select Streaming.
    • Stream Compartment - select the compartment you created earlier in this guide (you will have to select the + beside the root compartment to display all other compartments).
    • Stream - select the stream you created in the previous section.
  8. Select Create Rule.

Step 8: Create a Dynamic Group

This dynamic group is defined to automatically include all OCI Functions located within the specified compartment. It enables the resource principal authentication for the included functions to manage other OCI resources. Before you begin, make sure you have the compartment OCID from Step 3.

  1. Use the Search Bar to navigate to Domains (Identity), or go to Identity & Security > Domain.
  2. Change to the root compartment.
  3. Select the Default domain.
  4. Select the Dynamic Groups tab.
  5. Select Create dynamic group.
  6. For the new dynamic group:
    • Name - enter a name for the dynamic group, such as "Expel_DynamicGroup".
    • Description - enter a description for the group.
    • Select the Match all rules defined below option.

  7. Paste the following rule into the Rule 1 box, making sure to use the OCID for the compartment you created:
     

    ALL {resource.type = 'fnfunc', resource.compartment.id = 'YOUR_COMPARTMENT_OCID'}
  8. Select Create.
  9. Make note of your dynamic group name, as you will need it in the next section.

Step 9: Create an IAM Policy

This policy will allow the created dynamic group to manage the objects within the central bucket. Before you begin, make sure you have the dynamic group name from Step 7, compartment name from Step 3, and central bucket name from Step 4.

  1. Still in Identity & Security, navigate to Identity > Policies.
  2. Switch back to the compartment you created earlier in this guide, then select Create Policy.
  3. For the new policy:
    • Name - enter a name for the policy, such as "Expel_Policy".
    • Description - enter a description for the policy.
    • Compartment - select the compartment you created earlier in this guide.
  4. For the Policy Builder, select Show manual editor.

  5. Paste the following statements into the box, making sure to use the dynamic group, compartment, and the bucket you created:

    Allow dynamic-group DYNAMIC_GROUP_NAME to manage objects in compartment COMPARTMENT_NAME where target.bucket.name = 'CENTRAL_BUCKET_NAME'
  6. Select Create.

Step 10: Configure the Regional VCN and Application

You must repeat all of these steps for each region you wish to onboard.

Step 1: Create the VCN

Before you begin, make sure you are aware of your existing VCNs and the CIDR ranges they use. When setting up each VCN, you must select a CIDR range that does not conflict with an existing VCN.

  1. Change to the region you wish to onboard.
  2. Use the Search Bar to navigate to Virtual Cloud Networks, or go to Networking > Virtual Cloud Networks.
  3. Make sure you are still in the compartment you created earlier in this guide, then select Create VCN.
  4. For the new VCN:
    • VCN name - enter a name for the VCN, such as “Expel_RegionName_VCN”
    • Compartment - make sure the compartment you created earlier in this guide is selected.
    • Configure VCN - enter a CIDR range that does not conflict with an existing VCN. Make note of this CIDR value, as you will need it in a later step.
  5. Toggle Use DNS hostnames in this VCN to DISABLED.
  6. Leave all other values on the page as is.
  7. Select Create VCN.

Step 2: Create a NAT Gateway

  1. Inside your new VCN, select the Gateways tab.
  2. Scroll to the NAT Gateways section.
  3. Select Create NAT Gateway.
  4. For the new NAT gateway:
    • Name - enter a name for the gateway, such as “Expel_RegionName_NATGateway”.
    • Create in compartment - make sure the compartment you created earlier in this guide is still selected.
    • Leave Ephemeral Public IP Address selected.
  5. Select Create NAT Gateway.

Step 3: Create a Service Gateway

  1. Still in the Gateways tab for your VCN, scroll to the Service Gateways section.
  2. Select Create Service Gateway.
  3. For the new service gateway:
    • Name - enter a name for the gateway, such as “Expel_RegionName_ServiceGateway”.
    • Create in compartment - make sure the compartment you created earlier in this guide is still selected.
    • Services - select All <RegionKey> Services in Oracle Services Network.
  4. Select Create Service Gateway.
    • Note: A VCN can have only one Service Gateway. If a Service Gateway already exists in this VCN, you do not need to create a new one; simply use the existing gateway.

Step 4: Create a Route Table

  1. Still inside your new VCN, select the Routing tab.
  2. Select Create Route Table.
  3. For the new route table:
    • Name - enter a name for the route table, such as "Expel_RegionName_RouteTable".
    • Create in compartment - make sure the compartment you created earlier in this guide is still selected.
  4. In the Route Rules section, select Another Route Rule.
  5. For the new rule:
    • Target Type - select NAT Gateway.
    • Destination CIDR Block - enter 0.0.0.0/0.
    • Target NAT Gateway Compartment - make sure the compartment you created earlier in this guide is still selected.
    • Target NAT Gateway - select the NAT gateway you created in Step 2.
    • Description - enter a description for the rule if desired.
  6. Select Another Route Rule to add a second rule.
  7. For the new rule:
    • Target Type - select Service Gateway.
    • Destination Service - select All <RegionKey> Services in Oracle Services Network.
    • Target Service Gateway Compartment - make sure the compartment you created earlier in this guide is still selected.
    • Target Service Gateway - select the service gateway you created in Step 3.
  8. Select Create.

Step 5: Create a Security List

  1. Still inside your new VCN, select the Security tab.
  2. Select Create Security List.
  3. For the new security list:
    • Name - enter a name for the security list, such as "Expel_RegionName_SecurityList".
    • Create in Compartment - make sure the compartment you created earlier in this guide is still selected.
  4. Skip the Ingress rules.
  5. Select Another Egress Rule.
  6. For the new egress rule:
    • Stateless - leave the toggle DISABLED.
    • Destination Type - leave as CIDR.
    • Destination CIDR - enter 0.0.0.0/0
    • IP Protocol - select All Protocols.
    • Description - enter a description if desired.
  7. Select Create Security List.

Step 6: Create a Private Subnet

  1. Still inside your new VCN, select the Subnets tab.
  2. Select Create Subnet.
  3. For the new subnet:
    • Name - enter a name for the subnet, such as "Expel_RegionName_Subnet". Make note of the name you chose, as you will need it in the next step.
    • Create in compartment - make sure the compartment you created earlier in this guide is still selected.
    • Subnet type - leave as Regional (Recommended).
    • IPv4 CIDR Block - enter a CIDR value that is within your VCN CIDR range (example: if the VCN CIDR is 10.0.0.0/16, then the CIDR of the subnet can be 10.0.0.0/24).
  4. For the IPv6 Prefixes:
    • Route Table compartment - make sure the compartment you created earlier in this guide is still selected.
    • Route Table - select the route table you created in Step 4 (do not use the default route table).
  5. Subnet Access - select Private Subnet.
  6. For the Security Lists:
    • Security List compartment - make sure the compartment you created earlier in this guide is still selected.
    • Security List - select the security list you created in Step 5 (do not use the default security list)
  7. Leave all other defaults on the page as is.
  8. Select Create Subnet.

Step 7: Create an Application

  1. Use the Search Bar to navigate to Applications, or go to Developer Services > Functions > Applications.
  2. Select Create application.
  3. For the new application:
    • Name - enter a name for the app, such as "Expel_RegionName_App".
    • VCN compartment - make sure the compartment you created earlier in this guide is still selected.
    • VCN - select the VCN you created in Step 1.
    • Subnets compartment - make sure the compartment you created earlier in this guide is still selected.
    • Subnets - select the private subnet you created in the previous step.
    • Shape - select GENERIC_ARM.
  4. Select Create.

If you have other regions you wish to onboard, repeat all of these steps to configure the VCN and application for each region. When you have finished configuring all regions, or if you have no additional regions to onboard, continue to Step 11.

Step 11: Create and Deploy the Function

In this step, you will use OCI's Cloud Shell to create and deploy the function within your newly created application. If you created multiple applications because you are onboarding multiple regions, you will need to repeat all of these steps for each application.

To access the Cloud Shell, use the Developer Tools menu in the top right. Wait for your machine to be created, and then begin the steps below.

Step 1: Log in to Docker

Before you begin, make sure you know the region identifier (not the region name) for each region you wish to onboard, the auth token you generated in Step 2, as well as your OCI username. This information must be entered correctly into the commands in order to successfully log into Docker. 

If you need help locating the region identifier(s), see the Troubleshooting section.

  1. Make sure you are in a fresh Cloud Shell window.

  2. Run the following command to get the tenancy namespace:

    oci os ns get
  3. Copy and save the data value as your tenancy namespace value (it should be an alphanumeric value, like abcd1234efgh).

  4. Get the region key, replacing the REGION_ID with the region identifier for the first region you wish to onboard (see the Troubleshooting section for help with region identifiers):
     

     oci iam region list --query "data[?name=='REGION_ID'].key | [0]" --raw-output | tr '[:upper:]' '[:lower:]'
  5. Make note of the region key value that is returned.

  6. Now use the tenancy namespace value, your OCI username, and the region key value in the following command to log in to Docker:
     

    docker login -u 'TENANCY_NAMESPACE/OCI_USERNAME' REGION_KEY.ocir.io
  7. When prompted for a password, enter the auth token you generated earlier in this guide. Look for a Login Succeeded! message.

Step 2: Use and Update the Context

Before you begin, make sure you have the compartment OCID from Step 3, the region identifier, the region key from the previous step, and the tenancy namespace from the previous step.

  1. Run the following command to list all available context:

    fn list context
  2. Look for a context name that matches the region you are onboarding:
    • If context exists for the region, continue to the next step.

    • If you do not see any context for the region, create it for the region by using the following command before continuing to the next step: 

      fn create context REGION_IDENTIFIER --provider oracle-cs

  3. Set the region's context as the "active" one:
     

    fn use context REGION_IDENTIFIER

  4. Modify the context so that it becomes associated with the compartment you created earlier in this guide:
     

    fn update context oracle.compartment-id COMPARTMENT_OCID

  5. Associate the context to the OCI registry and also create a new repo with any name you choose. We recommend using the format expel-reponame for your chosen repo name. Important: Your repo name must be all lowercase.
     

    fn update context registry REGION_KEY.ocir.io/TENANCY_NAMESPACE/REPO_NAME

Step 3: Create and Deploy the Function

Before you begin, make sure to locate and unzip the file you downloaded in Step 1, and make sure you have the name of the app you created for the region. 

  1. If you have already created a function in another region, then skip to step 3.2., else run the following command to initialize a new function with the name expel_audit_function:

    fn init -runtime python expel_audit_function

  2. Switch to the function's directory:

    cd expel_audit_function
  3. If you have already created a function in another region, then skip to step 3.6., else locate the function files you downloaded in Step 1 and unzipped (you will find a function folder within that zip file).
  4. Locate the func.py file and edit it to update the following variables:
    • DESTINATION_BUCKET: replace the variable value with the name of the central bucket you created earlier in this guide (eg: 'expel_audit_central_bucket').
    • DESTINATION_REGION: replace the variable value with the name of your home region (eg: 'us-ashburn-1').
    • NAMESPACE: replace the variable value with your tenancy namespace you retrieved in Step 11.1.
  5. Update the function's files with the content from the zip file's func.py, func.yaml, and requirements.txt files (you may swap the files out entirely or just replace the content). You may access the function's files via their Code Editor.

  6. Deploy the function, using the name of the application you created for the region:
     

    fn -v deploy -app APPLICATION_NAME
  7. Close the Cloud Shell window.

If you have other regions you wish to onboard, repeat all of these steps to create and deploy the function after repeating Step 10 for each region. Make sure to start in a fresh Cloud Shell window and perform the Docker login steps using the appropriate region identifier.  

When you have finished configuring all regions, or if you have no additional regions to onboard, continue to Step 12.

Step 12: Create a Regional Service Connector

This connector will forward all of the audit logs to the central bucket. You must create a connector for each region you wish to onboard.

  1. Decide which region you wish to set up first, if you are working in more than one, and select that region in the top-right.
  2. Use the Search bar to navigate to Connector Hub, or go to Analytics & AI > Messaging > Connector Hub.
  3. Select Create connector.
  4. For the new connector:
    • Connector name - enter a name for the connector, such as "Expel_RegionName_Connector".
    • Description - enter a description, such as "Forwards audit logs to the regional function".
    • Resource compartment - select the compartment you created earlier in this guide.
  5. In the Configure connector section:
    • Source - select Logging.
    • Target - select Function.
  6. In the Configure source section:
    • Compartment name - select the root compartment.
    • Log group - select _Audit.
    • Select the Include _Audit in subcompartments checkbox.
    • Skip the Log filter task.
  7. Skip the Configure task section.
  8. In the Configure target section:
    • Compartment - make sure your compartment is selected.
    • Function application - select the function application you created earlier in this guide.
    • Function - select expel_audit_function.
    • Select Show additional options and select Use manual settings.
    • Batch size limit (KBs) - enter “5120”.
    • Batch time limit (seconds) - enter "60".
  9. If an alert banner appears. Select the Create button within the banner.
  10. Look for a confirmation that your connector policy was created.
  11. Select Create at the bottom of the page to create the connector.

If you are onboarding other regions, repeat these steps for each region.

Step 13: Create an Expel Machine User Group

Creating a group is the first step in setting specific permissions for Expel. This group will eventually contain the Expel machine user and determine what permissions that user has.

  1. Use the Search bar to navigate to Domains (Identity), or go to Identity & Security > Identity > Domains.
  2. Select the root compartment.
  3. Select the Default domain.
  4. Select the User management tab.
  5. Scroll down to Groups and Select Create group.
  6. For the new group:
    • Name - enter a name for the group, such as "Expel_MachineUserGroup". Make note of the group name you chose, as you will need it in the next section.
    • Description - enter a description for the group, such as "Group with audit log polling permissions".
  7. Leave the "User can request access" option disabled.
  8. Select Create.

Step 14: Create a Polling Policy

In this step, you'll create a policy granting the new group the minimum permissions needed for Expel to poll your audit logs. Before you begin, make sure you have the stream OCID and central bucket name that you saved in earlier steps.

  1. Still in Identity & Security, navigate to Identity > Policies.
  2. Select Create Policy.
  3. For the new policy:
    • Name - enter a name for the policy, such as "Expel_PollingPolicy".
    • Description - enter a description for the policy.
    • Compartment - select the root compartment.
  4. For the Policy Builder, select Show manual editor.

  5. Paste the following statements into the box, making sure to use your group name, stream OCID, CRR bucket name, and home home audit log bucket name:

    Allow group 'Default'/'GROUP_NAME' to use stream-pull in tenancy where target.stream.id= 'YOUR_STREAM_OCID'
Allow group 'Default'/'GROUP_NAME' to read buckets in tenancy where target.bucket.name = 'CENTRAL_BUCKET_NAME'

Allow group 'Default'/'GROUP_NAME' to read objects in tenancy where target.bucket.name = 'CENTRAL_BUCKET_NAME'
Allow group 'Default'/'GROUP_NAME' to read users in tenancy
  6. Select Create.

Step 15: Create an Expel Machine User

You will create a new user for Expel within the group you created in Step 11. The purpose of this user is solely to generate an API key and other access values (like a fingerprint) for Expel, which you will need when you configure the security device in Workbench.

  1. Still in Identity & Security, navigate to Identity > Domains.
  2. Select the root compartment.
  3. Select the Default domain.
  4. Select the User management tab.
  5. Select Create.
  6. For the new user:
    • First name - enter "Expel".
    • Last name - enter "MachineUser".
    • Username/email - enter an email address that you have access to (this email will be used to generate an API key in the next step, and also for us to contact you).
  7. Leave "Use the email address as the username" enabled.
  8. In Groups, select the group you created earlier in this guide.
  9. Select Create.
  10. Log out of OCI and look for the activation email from Oracle. You will need to log in as this new user to complete Step 16.

Step 16: Obtain the Expel Credentials

These credentials will be used when you configure the security device in Workbench.

Step 1: Generate the Credentials

  1. Log in as the Expel user you created in the previous section.
  2. In the top right, select your username/email.
  3. Select the Tokens and keys tab.
  4. Select Add API key.
  5. Choose the Generate API key pair option.
  6. Download the private key. This file will download as a .pem file.
  7. Select Add.
  8. In the Configuration file preview, use the Copy button to quickly copy out the following values:
    • User
    • Fingerprint
    • Tenancy
    • Region

Step 2: Base64 Encode the API Keys

You must now format your private API key as a base64-encoded string, and save the output. This string is what you will use for the API key when you configure the security device in Workbench.

You can achieve the encoding through one of the following methods (for security reasons, we do NOT recommend using an online Base64 encoding website).

Note
You may delete the .pem file after you have successfully set up the security device in Workbench. Please retain it until then. If you need to verify that your API key was encoded correctly, see the Troubleshooting section.

Windows Systems

  1. Open PowerShell.

  2. Run the following command (drag your .pem file into the window after entering the first part):

    [Convert]::ToBase64String([IO.File]::ReadAllBytes("<file location/path>"))
  3. Copy and save the output as your base64-encoded API key.

UNIX-Like Systems

  1. Open Terminal.

  2. Run the following command (drag your .pem file into the window after entering the first part):

    base64 -i ~<file location/path>
  3. Copy and save the output as your base64-encoded API key.

Step 17: Add Oracle Cloud Infrastructure as a Security Device in Workbench

Before you begin, make sure you have the stream OCID, stream messages endpoint, configuration file values, region identifier, and base64-encoded API key.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Oracle” and then select the Oracle Cloud Infrastructure integration.
  5. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName OCI”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Stream ID - enter the stream OCID you saved in Step 6.
    • Stream endpoint - enter the messages endpoint you saved in Step 6.
    • OCI user - enter the user value from the configuration file you saved in Step 14.
    • OCI key fingerprint - enter the fingerprint value from the configuration file you saved in Step 14.
    • OCI user tenancy - enter the tenancy value from the configuration file you saved in Step 14.
    • OCI region - enter the region identifier you used in Step 9.
    • OCI user key - enter the base64-encoded string for the private API key, which you created in Step 14.
    • Select Save.
  6. Select No thanks, I will not provide console access from the console access dropdown.
  7. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Troubleshooting

Device Connection Issues

If your device does not connect successfully, there are a few things you can try.

  • Make sure you selected the correct compartment when you deployed the stacks.
  • Make sure the region identifier you used was in the correct format (see below for help).
  • Verify that you downloaded the private API key and not the public one.
  • Check to be sure your API key was base64-encoded correctly (see below for help).
  • Make sure you pasted all values into the security device correctly, and that you removed any quotes; these values are case-sensitive.
  • Check your CRR policy in the regional bucket to make sure it is active.
  • Check your connector to make sure it is active.

If issues persist after checking the above, contact Support. Make sure to provide:

  1. The error message shown in Workbench
  2. Your tenancy OCID and home region
  3. Screenshots of your bucket list and stream details

Region Identifier

When you set up the region-specific policy, you must use the correct region identifier. To determine the region identifier:

  1. In the upper right, select Manage regions.
  2. Locate your region to find its region identifier.

Base64 Encoding

To verify your API key, you can decode your Base64 string and make sure the key matches the one in your .pem file.

On Windows systems, open PowerShell and run:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('YOUR-BASE64-STRING'))

On UNIX-like systems, open Terminal and run:

printf "%s" "YOUR-BASE64-STRING" | base64 -d


 

Finished downloading the function code zip file? Return to Step 1.

Related articles