Skip to main content

Connecting to Oracle NetSuite (extractor)

Important

Any references to third-party products or services do not constitute Celonis Product Documentation nor do they create any contractual obligations. This material is for informational purposes only and is subject to change without notice.

Celonis does not warrant the availability, accuracy, reliability, completeness, or usefulness of any information regarding the subject of third-party services or systems.

The Celonis NetSuite extractor allows you to transfer data from your Oracle NetSuite’s cloud-based ERP platform to the Celonis Platform for process mining and analysis. It supports the following basic features:

This section details important prerequisites or prerequisite knowledge for using this extractor.

Before creating a connection between your database and the Celonis Platform you must decide which connection type you want to use. Except where stated in Supported database types, all databases have two basic connection types: Direct connections and Uplink connections via an on-premise extractor, as described below:

  • Direct connections: Use direct connections when you want to allow the Celonis Platform direct access to your database without additional infrastructure. Meaning, you do not need to install, patch, or maintain on-premises extractors, which speeds up implementation, reduces complexity, and simplifies operations.

    Note

    By default, all cloud-based extractors are direct connections.

  • Uplink connections via an on-premise extractor: Use uplink connections when you don't want to or can't allow the Celonis Platform to directly access your on-premise or private cloud database. The connection between the database and Celonis is then established using an on-premise extractor that's installed within your network ideally on a dedicated server.

    The role of the JDBC Extractor is to poll and fetch job requests from the Celonis Platform, before then submitting the execution information to the database via SQL queries. Once the data is retrieved from the database, the extractor fetches it and sends it back to the Celonis Platform. As such, the connection between the database and the Celonis Platform is always made by the extractor, with it continuously querying the Celonis Platform

    Note

    To use an uplink connection, you must install an on-premise JDBC extractor in your environment. To do so, see JDBC Extractor. Additionally, if you want to use a proxy (optional), see Configuring.

For the database extractor to communicate with your database and the Celonis Platform, you must modify your network settings to allow access.

Note

Follow the instructions in network settings section below based on the connection type you using. Additionally, if you are using uplink connections, follow the instructions in Celonis Platform IP addresses depending on the cluster .

The following network settings apply only for direct connections:

Source system

Target system

Port

Protocol

Description

Celonis Platform

Source system

Depending on the database, typical ports are 5432 for PostgreSQL and 30015 for HANA for example

TCP

JDBC connection from the Celonis Platform to the database. The port is the one you normally use to connect to the database. The IPs of the Celonis Platform depending on the cloud cluster (which can be seen in the URL).

The following network settings apply only for uplink connections (via the on-premise extractor):

Source system

Target system

Port

Protocol

Description

On-premise extractor server

Source system

Depending on the database, typical ports are 5432 for PostgreSQL and 30015 for HANA for example.

TCP

JDBC connection from on-premise extractor server to the database. The port is the one you normally use to connect to the database.

On-premise extractor server

Celonis Platform

443

TCP

HTTPS connection from on-premise extractor server to Celonis cloud endpoint. The IPs of the Celonis Platform depending on the cloud cluster (which can be seen in the URL).

The respective clusters use multiple IPs each, so you need to enable all three of them in your firewall configuration to connect the on-premise extractor server and the cloud endpoint.

For a complete list of inbound and outbound Celonis Platform IP addresses to be allowlisted if needed, see: Allowlisting Celonis domain names, IP addresses, and third-party domains

This section describes the guidelines for using custom JDBC strings in extractor configurations:

  • Authentication: The Credentials fields in the extractor configuration are required and always used to authenticate the connection. Do not embed credentials directly in your JDBC string.

  • Encryption: For standard (unencrypted) extractors (examples: SAP HANA, PostgreSQL), you can enable encryption by adding encrypt=true to the JDBC string. For encrypted extractors (examples: SAP HANA encrypted, PostgreSQL encrypted), connections are established with encryption enabled (encrypt=true) by default. You do not need to include this parameter in your JDBC string.

  • Certificate validation: Do not include validateCertificate=true in your JDBC strings. Instead, use Advanced Settings > Validate Certificate > Enabled.

  • Additional properties: You can include additional properties in either the JDBC string or the Additional Properties field. Do not specify the same properties in both places.

The following JDBC string connection parameters are not supported due to security reasons:

Important

If you are using any of the following parameters in your JDBC string, you must remove them for the connection to be successful.

- AUTO_DESERIALIZE("autoDeserialize"),
- ALLOW_URL_IN_LOCAL_IN_FILE("allowUrlInLocalInfile"),
- ALLOW_LOAD_LOCAL_IN_FILE("allowLoadLocalInfile"),
- ALLOW_PUBLIC_KEY_RETRIEVAL("allowPublicKeyRetrieval"),
- EXPOSE_METADATA("exposeMetadata"),
- STATEMENT_INTERCEPTORS("statementInterceptors"),
- QUERY_INTERCEPTORS("queryInterceptors"),
- DETECT_CUSTOM_COLLATIONS("detectCustomCollations"),

//IBM DB2 driver properties according to <add this link - https://www.ibm.com/support/pages/node/7010029>
- TRACE_FILE("traceFile"),
- CLIENT_REROUTE_SERVER_LIST_JNDI_NAME("clientRerouteServerListJNDIName"),
- PLUGIN_CLASS_NAME("pluginClassName");

Before creating a data connection between Oracle NetSuite and the Celonis Platform, you need the following information from your Oracle NetSuite instance:

  • Host name

  • Account ID

  • Role ID

For more information on finding these values, see: Oracle Help Center - Finding Your Settings Portlet.

This extractor supports the authentication methods described in the following sections.

The Oracle NetSuite extractor can connect to the database using a database user account. Provide the username and password for this account to authenticate the connection. Ensure this database user has sufficient permissions to access the data to be extracted.

This extractor can connect to the source system using OAuth authentication. Provide the required OAuth credentials, Client ID and Client Secret, to establish the connection. Ensure the connected application or integration user has sufficient permissions to access the data to be extracted.

NetSuite's OAuth 2.0 Client Credentials (Machine-to-Machine with JWT assertion) flow enables secure, automated data extraction without requiring manual user interaction. The Celonis extractor authenticates by presenting a signed JSON Web Token (JWT) to NetSuite's token endpoint, receives a short-lived access token in return, and uses that token to query SuiteAnalytics Connect.

Before starting the configuration, ensure you have gathered the standard NetSuite connection values required by the extractor:

  • Host

  • Account ID

  • Role ID

  1. Log in to NetSuite and create a new Integration Record.

  2. Enable Client Credentials.

  3. Under the Authentication tab, set Client Credentials (Machine to Machine) Grant to Enabled.

  4. Save the integration record.

Important

NetSuite will display the Consumer Key only once upon saving. Copy and securely store it immediately, as it cannot be retrieved later.

  1. Generate an X.509 key pair external to NetSuite.

  2. Ensure you use one of the supported algorithms accepted by NetSuite for JWT signing:

    • PS256, PS384, PS512

    • ES256, ES384, ES512

  3. Save both the public certificate file and the Private Key securely.

  1. In NetSuite, navigate to Setup -> Integration -> Manage Authentication -> OAuth 2.0 Client Credential (M2M) Setup.

  2. Click Create New.

  3. Configure the mapping details:

    • Entity and role: Select the specific entity and role for the extractor. (Note: The entity and role selected here determine the data permissions available to Celonis).

    • Integration Application: Select the integration record created in Step 1.

    • Certificate: Upload the public part of the X.509 certificate generated in Step 2.

  4. Save the mapping.

  5. Copy and save the Certificate ID displayed on the confirmation screen.

After completing this procedure, you will have the three required secrets/identifiers ready to be pasted into the Celonis extractor configuration:

  1. Consumer Key (from Step 1)

  2. Private Key (from Step 2)

  3. Certificate ID (from Step 3)

When setting up your data connection, this information is entered inside the Data Integration tab—specifically within the Extractor Builder or the data connection configuration wizard—under the OAuth2 JWT Assertion authentication method.

NetSuite / Source Value

Celonis Connection Configuration Field

Requirement and notes

Private Key

Private Key

Paste the private half of your generated X.509 certificate. Celonis requires this to be in a non-encrypted PKCS 8 syntax.

Consumer Key

Issuer

Enter the Consumer Key generated from your NetSuite Integration Record.

Token Endpoint URL

Audience

Enter the canonical NetSuite token endpoint URL (e.g., https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token). If left blank, Celonis automatically derives it from your Account ID.

Subject

Subject (Optional)

Can be left blank as it is not a required field for this standard setup.

OAuth Scopes

Scopes

Provide a comma-separated list of the specific scopes your connection needs (e.g., restlets, rest_webservices, suite_analytics).

Signature Algorithm

Signature Algorithm

Select the dropdown value (PS256, ES256, etc.) that matches the algorithm used to sign your key pair.

This section describes the basic setup of configuring the Amazon Redshift extractor. To configure the extractor:

  1. In the Celonis Platform left navigation, select Data > Data Integration.

  2. On the Data Pools screen, select the data pool you want to use for the extraction.

    Note

    If you do not have a data pool to use for this extraction, see Creating and managing data pools for instructions on how to create one.

  3. In the Data Integration section, select Connect to Data Source.

    Note

    If this is not the data pool's first connection, the Data Connections window opens below. Select + Add Data Connection to add a new connection.

  4. In the Add Data Connection window, select Connect to Data Source.

  5. In the Connect to Data Source window, depending on your use case, select either Database – On Premise or Database – Cloud.

    Note

    Select Database – On Premise to connect to on-premise or private cloud databases.

    1. If you selected Database – On Premise, follow the on-screen instructions.

  6. In the New Database Data Connection window, fill in the following information:

    1. For Name, provide a name for this configuration.

    2. For Database Type, select NetSuite.

    3. For Connection Type, select either Standard or Custom JDBC Connection String.

      Note

      For uplink connections with this extractor, you must select Custom JDBC Connection String.

      1. If you selected Standard:

        • For Host, enter the account-specific NetSuite Connect domain, in the format:

          <account_id>.connect.api.netsuite.com
        • For Port, provide the port to connect to (Default is 1708).

        • (Optional) For Schema Name, enter the name of the schema that contains the tables to extract.

        • (Optional) For Additional Properties, enter any additional connection properties required by your database or driver. Separate each with ;.

        • For Account ID, enter your NetSuite account ID (for example, 1234567_SB1). This value identifies your specific NetSuite account and is required for authentication.

        • For Role ID, enter the internal ID of the NetSuite role that the connection should use for authentication. The role determines which data and permissions are available to the extractor during data extraction.

      2. If you selected Custom JDBC Connection String:

        Important

        When using JDBC strings, there are specific guidelines to follow. For more information, see JDBC string_guildelines.

        • For JDBC Connection String, provide your string. Use the format:

          jdbc:ns://<account_id>.connect.api.netsuite.com:<port>;ServerDataSource=<data_source>;Encrypted=1;NegotiateSSLClose=false;CustomProperties=(AccountID=<account_id>;RoleID=<role_id>);property1=value1;property2=value2...
          
          

          Note

          For more information, see the Oracle NetSuite documentation.

        • Optionally, provide values for:

          • Schema Name: Enter the name of the schema that contains the tables to extract.

          • Additional Properties: Enter any additional connection properties required by your database or driver. Separate each with ;.

    4. For Credentials, select the type of authentication to use for this connection. For more information, see Authentication methods.

      Note

      Ensure the credentials used have sufficient permissions to access the data to be extracted.

    5. If desired, select Advanced Settings, and update these parameters as needed.

      Note

      The Advanced Setting > Validate Certificate parameter (Default: DISABLED) controls whether the extractor validates the server’s SSL/TLS certificate:

      • Disabled: Disables certificate validation (validateCertificate=false).

      • Enabled: Enforces certificate validation (validateCertificate=true).

      • Removed: Uses the driver’s default behavior. Check the driver documentation to confirm the default.

  7. Select the Test Connection button to confirm the extractor can connect to the host system. If the test fails, adjust the data in the configuration fields as needed.

  8. Once the test connection passes, select the Save button to continue. This returns you to the Data Integration window.

Related topics