Thursday, October 9, 2014

Oracle SOA Suite is used for reliable transfer of information, it stores whole the message in SOA_INFRA schema. We can see incoming and outgoing messages in audit trail from EM console. That means user which has access to EM console can see all the messages coming and going through middleware, sometimes some of the information which is flowing through Oracle SOA Suite is very critical and SOA Suite user should not have access to see that critical piece of information. In this post we will discuss how to fulfill this requirement using Oracle SOA Suite.

In previous version of Oracle SOA Suite (11g) there were no out of box provision to encrypt and decrypt sensitive data so user can see the data which is flowing through fusion but in current version of Oracle SOA Suite which is 12c, Oracle provided out of box functionality to encrypt specific fields in the message which is flowing through middleware. Below is sample encrypted message field.

Sample Encrypted Data

In Oracle SOA 12c, encryption policy is used to encrypt and decrypt the message, message encryption happens at component binding that means message get encrypted before it come to component (BPEL or Mediator) and we see only encrypted message in audit trail. Message decryption happens at reference binding level that means message fields get decrypted before it is sent to target service/system.

Encrypting Sensitive Data Flow

Let’s see in detail how to encrypt and decrypt a specific field in message.  For this post we have created a target service which is noting a SOA composite, we also created another SOA composite (Sales Order Composite) where we perform data encryption and decryption. Sales Order composite invokes target service. Sales Order composite receives message from source system and it contain below shown fields in the message. From these fields “Quantity” field is critical and we don’t want to show actual value for this field in EM console so we encrypt this field in this post.

Encrypting Sensitive Sample Composite

How to encrypt sensitive field

To do encryption, right click on the source bindings and choose “Encrypt Sensitive Data”. This open another pop-up where you can see out of box policy used for the encryption. Click on the edit button so that we can define the message field which we want to encrypt.

Encrypting Sensitive Data Reference Binding

Once you click on the edit button, this opens another window. Click on plus sign to choose the required field which we need to encrypt. For this post, we encrypt quantity field. Once done click on next, now we need to provide CSF-key value, by default it choose “pii-csf-key”. Click on finish.

Specify Sensitive data

Make sure pii-csf-key should exist, if it does not exist then you will not be able to encrypt the message and see error message. Click here to see how to create csf-key.

Encrypting Sensitive Data CSF-Key

How to decrypt sensitive field

As mentioned earlier in the post, field decryption happens at reference binding level. To perform decryption, right click on the reference binding and choose “Decrypt Sensitive Data”. This open another window where you can see the out of box policy used for decryption, click on edit sign and choose the field which you need to decrypt. Also choose the default csf-key.

Decrypt Sensitive Data

Save your composite and deploy it to the server.

Testing Results

Now test your sales order composite, once you open the sales order composite instance and open the audit trail for receive activity, you see quantity field is encrypted.

Encrypting Sensitive Data Testing

Now let’s open the target service instance. As you can see in below screen shot, field decryption happens at sales order composite reference binding level and quantity field is passed to target service in plain text.

Encrypting Sensitive Data Testing Result

Download sample code from here.


  1. Vivek:
    can we encrypt just one field at a time in this or is there a provision for multiple fields. For example: i want to encrypt my credit card no, name on card and CVV all three fields. How can we do it?

  2. Hi Vivek,
    We receive data from source system through webservice or file adapter as normal data,once receive data , through BPEL send that data as a Encrypted file to the target system using File adapter in SOA 11g.
    (files needs to be encrypted before sending it to the target path).
    Please let me know how to implement this process.

  3. What is point of having Encryption/Decryption here? If we still can see the sensitive data in the instance. Did I miss anything ?

  4. Great blog, thanks.
    Need one clarification... Is the data only encrypted while being displayed in the audit trail or is it also stored encrypted in the dehydration store?

  5. Hi Vivek,

    I think in real time, decription of the message(payload) may happen at target system side and not in middleware, to show the encript/decrypt expample, you decrypted in middleare itself,am i right?