This guide shows you how to use the Oracle Cloud Infrastructure WAF migration tool to transfer your Web Application Security WAF to Oracle Cloud Infrastructure. For more information about the Oracle Cloud Infrastructure service, see Overview of the Web Application Firewall Service.
As a part of this transition, we recommend working with our Security Operations Center (SOC) team to help monitor and support your transition to Oracle Cloud Infrastructure WAF. The SOC team can:
- Assist with any issues encountered during the migration.
- Remove Web Application Security edit access for all of your users to ensure further changes cannot be made.
- Ensure prerequisites such as the standard configuration template are met.
For a list of features currently supported by Oracle Cloud Infrastructure WAF, see the WAAS API.
Set Up Your Oracle Cloud Infrastructure Tenancy
An administrator at your company will need to perform some setup tasks for your tenancy. When your tenancy is provisioned, a root compartment is created for you.
- It is recommended that your administrator create a new compartment for WAF rather than use the root compartment. See "To create a compartment" in Managing Compartments.
- Create a group called "WAFMigration". See "To create a group" in Managing Groups.
- Create a policy that allows the WAFMigration group to manage waas-family. For example,
Allow group WAFMigration to manage waas-family in compartment CompartmentName
If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for WAF, see Details for the WAF Service.
Create new users. A new user must be added for the Security Operations Center (SOC) engineer assisting with the migration. See Managing Users.
Create RSA key pairs and assign the public keys to the new users. See How to Generate an API Signing Key for more information.
Migrate WAF to Oracle Cloud Infrastructure
Oracle Cloud Infrastructure features the ability to migrate your WAF policies using an automated tool. The data migration feature must be enabled in Web Application Security Administration by a member of the SOC team.
Note: The SOC team is able to perform the steps below for you as long as you create a user in Oracle Cloud Infrastructure for the engineer providing assistance.
To begin migrating:
- Go to the company profile in Web Application Security and click Migrate to OCI.
Note: If the Migrate to OCI option is not available, go to My Oracle Support and create a service request for assistance with your migration.
- In the Migration to OCI window enter the following:
- OCI Region - The home region of the tenancy. For example, us-ashburn-1.
- Tenancy OCID - Unique ID of the tenancy where the data will be migrated. See Where to Find Your Tenancy's OCID.
- Compartment OCID - Unique ID of the compartment within the specified tenancy where data will be migrated. If a compartment is not specified, data will be migrated to the root compartment of the specified tenancy. To find the compartment OCID:
- Open the navigation menu, under Governance and Administration, go to Identity and click Compartments.
- Click on compartment name created for the migration. The compartment OCID is shown under Compartment Information. Click Copy to copy it to your clipboard.
- User OCID - Unique user ID of the user that will be used to authenticate to OCI for the data migration. To find the user OCID:
- If you are signed in as the user, open the Profile menu (User menu icon) and click User Settings. The user OCID is shown under User Information. Click Copy to copy it to your clipboard.
- If you are an administrator doing this for another user, open the navigation menu. Under Governance and Administration, go to Identity and click Users. Locate the user's OCID and click Copy to copy it to your clipboard.
- Fingerprint - Fingerprint of the uploaded public key in the OCI console for the specified user. To find the fingerprint:
- Open the Profile menu (User menu icon) and click User Settings. The fingerprint is shown under API Keys. Copy the key beside Fingerprint.
- Private key pass phrase - Enter the OCI private key pass phrase. This field can be left blank if there is no pass phrase.
- Private Key - Upload the generated private key pair file.
- Click Test credentials. The system will validate the information you provided (that is, the tenant exists, the tenant doesn't have any existing WAF policies and the user has correct entitlements). If the information provided is not valid or there is something that would prevent the migration from completing, you will receive an error message.
- If the test is successful, click Save.
- Click Start Data Migration. A migration log appears as the migration is performed. All Web apps, certificates, and existing functionality will be migrated as part of the process.
- Once the migration is complete, you can update the company name in Web Application Security to reflect the migration or you can inform the SOC team that the migration is complete. To update the company name, append the following text to the name: (Company Migrated to OCI). For example, Company A (Company Migrated to OCI).
After performing the migration, you must use Oracle Cloud Infrastructure to manage your WAF, as access to Web Application Security will no longer exist. See Managing WAF Policies for more information.
Contact Oracle Support with Questions
For any questions regarding steps for migration, please go to My Oracle Support and create a service request. Include the following information in the service request:
- Company Name.
- Web Application Security web apps to be migrated.
- The OCID for your Oracle Cloud Infrastructure tenancy. See Where to Find Your Tenancy's OCID.
- Any other pertinent information.