
Best Practices from Oracle Development's A‑Team

Using a WAF with Oracle Analytics Cloud

Introduction

When an Oracle Analytics Cloud instance is created, Oracle provides a default URL that is very hard to remember. To customize the user login experience for Oracle Analytics Cloud, you can use your own custom (vanity) URL instead of the default URL that Oracle provides. A vanity URL is a unique, customized web address that helps users remember and find the website.

The examples below show the standard URL for Oracle Analytics Cloud and a sample vanity URL:

  • Standard URL: https://mytenancy.analytics.ocp.oraclecloud.com/ui
  • Vanity URL: https://myanalytics.com/ui

To protect this internet-facing endpoint from malicious and unwanted internet traffic, a customer-managed WAF can be used to secure it. The diagram below shows how users access OAC with and without a WAF.

 

 

Getting started

The following is required:

1. Oracle Analytics Cloud (with Public Access)

2. Web Application Firewall

3. A custom domain name, either one obtained from a web service provider or the domain name of your company.

4. A Secure Sockets Layer (SSL) certificate - Obtain a digital SSL certificate for the vanity (or custom) domain name from a Certificate Authority.

5. Obtain a public digital X.509 certificate (.pem) for the vanity domain name from a Certificate Authority.

6. Obtain a private key file (.pem) that matches the certificate’s public key.

7. Obtain a certificate chain for multiple certificates (.pem).
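
Items 4 to 7 can be checked locally before anything is uploaded. The shell functions below are an added example, not part of the original post; they assume the OpenSSL command-line tool is installed, and the function names and the KEY_PASSPHRASE variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check the PEM files before the Create Vanity URL dialog.
# All file names and the hostname are supplied by the caller.

# 0 if the private key's public half equals the certificate's public key.
# For an encrypted key, export KEY_PASSPHRASE first (assumed variable name).
cert_key_match() {
  local cert="$1" key="$2" passarg="pass:" cert_pub key_pub
  if [ -n "${KEY_PASSPHRASE:-}" ]; then passarg="env:KEY_PASSPHRASE"; fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -passin "$passarg" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate covers the vanity hostname (SAN, else CN).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match certificate'
}

# 0 if the certificate does not expire within $2 days (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# 0 if the certificate chains to a trusted root through the intermediates in
# the chain file. A third argument replaces the system trust store.
chain_verifies() {
  local cert="$1" chain="$2" root="${3:-}"
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
  else
    openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1
  fi
}

# usage: preflight cert.pem key.pem chain.pem hostname
preflight() {
  local rc=0
  cert_key_match "$1" "$2"    || { echo "FAIL: key does not match certificate"; rc=1; }
  cert_covers_host "$1" "$4"  || { echo "FAIL: certificate does not cover $4"; rc=1; }
  cert_not_expiring "$1" 30   || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  chain_verifies "$1" "$3"    || { echo "FAIL: chain does not verify"; rc=1; }
  return "$rc"
}

if [ "$#" -ge 4 ]; then preflight "$@"; fi
```

Reading the passphrase from the environment keeps it out of the process list, which a command-line argument would not.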

How to configure a Vanity URL for Oracle Analytics Cloud

Use the Oracle Cloud Infrastructure Console to configure a vanity URL for the Oracle Analytics Cloud (OAC) instance.

1. In the Console, click "Menu Options" in the top left corner.

2. Under Solutions and Platform, select Analytics, then Analytics Cloud.

3. Select the compartment that contains the Oracle Analytics Cloud instance.

4. Click the name of the instance you want to configure a vanity URL for.

5. On the Instance Details page, click Create Vanity URL. See the snippet below for details.

6. For Hostname, enter the fully qualified domain name/URL.
        For example: myanalytics.com.
        A preview of the HTTPS URL is displayed. 
        For example: https://myanalytics.com/ui/

7. Under the Certificate section:

  •  Select Choose an X.509 certificate File.
  •  Drop or upload a valid certificate (public key) file in PEM format (.pem .cer .cn)

OR

  •  Select Paste an X.509 Certificate
  •  Paste valid X.509 certificate text
  •  Note: The private key provided must be in PEM format.

8. Under the Private Key section:

  • Select Choose a private key file.
  • Drop or upload a valid private key file in PEM format (.pem)

OR

  • Select Paste a Private Key
  • Paste valid private key text
  • Note: The private key provided must be in PEM format.

9. Optional. In Private Key Passphrase, enter the password for the private key.

Note: A passphrase is usually used to protect private key files. It adds another level of security by preventing unauthorized users from decrypting and using the key.

10. Optional. If the certificate requires it, or you want to use a custom certificate authority chain, select Custom Certificate Authority Chain.

Note: A certificate chain is an ordered list of certificates, containing an SSL certificate and Certificate Authority (CA) certificates, that enables the receiver to verify that the sender and all CAs are trustworthy.

  • Select Choose a Certificate Authoritative Chain file.
  • Drop or Upload a valid certificate Authoritative Chain

OR

  • Select Paste a Certificate Authoritative Chain
  • Paste valid certificate Authoritative Chain 

11. Click Create.

The vanity URL will be ready to use after some time, when the URL becomes a live link in the Access Information section.

 

Create a WAF instance and map the WAF through to OAC

Use the Oracle Cloud Infrastructure Console to configure a WAF instance and to map the WAF to OAC.

1. In the Console, click "Menu Options" in the top left corner.

2. Under Governance and Administration, select Security, then Web Application Firewall.

3. Select the compartment that contains the Web Application Firewall.

4. Create a WAF policy in the selected compartment. See the snippet below for details.


5. Provide a Name for a WAF Policy.

6. Select or enter the Primary Domain that you intend to use for your OAC's Vanity URL.

7. Enter the Origin Name under WAF Origin.

    Name: Origin Name is a friendly name that refers to the actual OAC instance.

8. Enter the URI (IPv4 address) of your OAC instance.

9. Click Create WAF Policy.

 

Note:

1. Make sure to add a CNAME record for the domain for the OAC instance and publish those changes.

2. Open the port to the WAF for the OAC instance. Access can be locked down with filtering rules so that only the WAF can reach OAC.

3. Create an "Access Control" WAF policy that redirects HTTP to HTTPS, because OAC is only available on HTTPS. Anyone who tries to access OAC over HTTP is then redirected to HTTPS.

4. Create an "Access Control" WAF policy to redirect anything that does not begin with "/ui/dv/", as shown in the snippet below.

Summary

After all the configuration is completed, you will be able to access the OAC instance on the custom vanity URL. Anyone who wants to configure a custom vanity URL for an OAC instance can follow the steps in this blog post.
