Thursday 22 December 2022

OCI - WAF - Web Application Firewall

Oracle OCI WAF safeguards web applications and other internet-facing applications against threats such as the OWASP-defined vulnerabilities. It offers a range of protective measures, including restricting access based on geo-location, rate limiting, protection rules, access control, and bot management.

By using WAF, we can defend OCI-based applications, on-premises systems, and multi-cloud applications against potential security risks.

WAF supports two types of enforcement to provide comprehensive protection:

  • WAF on OCI Load Balancer
  • WAF Edge Enforcement
    • For On-Premises Applications
    • For Multi-Cloud and Multi-Region Applications

WAF Demo:
  • Access the OCI Console.
  • Select Identity and Security from the menu.
  • Select Web Application Firewall.
  • Select Create WAF Policy.
    • Provide a unique name.
    • Select the compartment.
    • Use the Legacy Workflow option to create an Edge Policy.
      • A new window will open.
      • Provide the following details:
        • Domain Name : connect.vijaya.in
        • Additional Domain : oic.dvp.connect.vijaya.in
        • WAF Origin : the target application to be protected
          • Origin Name : sample-origin-name
          • URI : oic.svn-dvp.connect.vijaya.in
          • Create Policy
        • For an Edge Policy, once the WAF is activated, the OCI console displays the CNAME that must be added to the DNS zone.
          • Go to the DNS zone and add the CNAME.
            • Add a CNAME record
              • Domain Name : oic.dvp.connect.vijaya.in
              • RDATA : the WAF CNAME from the OCI console
              • TTL : time to live

    • For WAF on a Load Balancer, continue to the next page.
    • Add Access Control Rules
      • Add Access Rules
      • Examples of conditions:
        • Geo restrictions
        • Source IP list
        • HTTP request methods
        • HTTP request headers
        • Cookies
        • Path check
        • etc.
      • For each access control rule, select the action to be performed.
        • You can create your own action.
        • Or select one of the preconfigured actions:
          • Check and Allow
          • Allow
          • Check and Block
            • Sends an error response back to the client.
    • Go to the next page.
    • Apply rate limiting rules if required.
    • Go to the next page.
    • Apply protection rules.
      • Select predefined OWASP rules to block malicious requests.
        • Examples:
          • Cross-Site Scripting
          • SQL Injection
          • etc.
    • Go to the next page.
    • Select the OCI Load Balancer to which the WAF needs to be applied.
    • Review
    • Create WAF Policy
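The access control step above, as an added Python model written for this post (it is not OCI's rule engine or code from the original): rules are evaluated top-down with first-match-wins, and the three preconfigured console actions are modelled as allow, log-and-allow, and log-and-block with an assumed 403 error response. The request fields, CIDRs and country codes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Action names as listed in the console (from the post); their behaviour here is
# this example's own model of "check" (log the hit), "allow" and "block".
ALLOW, CHECK_AND_ALLOW, CHECK_AND_BLOCK = "Allow", "Check and Allow", "Check and Block"

@dataclass
class AccessRule:
    name: str
    action: str
    countries: set = field(default_factory=set)       # Geo restriction (country codes)
    source_cidrs: list = field(default_factory=list)  # Source IP list
    methods: set = field(default_factory=set)         # HTTP request methods
    path_prefix: str = ""                             # Path check

    def matches(self, req: dict) -> bool:
        """Every configured condition must hold; unset conditions are ignored."""
        if self.countries and req["country"] not in self.countries:
            return False
        if self.source_cidrs:
            ip = ipaddress.ip_address(req["src_ip"])
            if not any(ip in ipaddress.ip_network(c) for c in self.source_cidrs):
                return False
        if self.methods and req["method"] not in self.methods:
            return False
        return not self.path_prefix or req["path"].startswith(self.path_prefix)

def evaluate(rules: list, req: dict, error_status: int = 403) -> tuple:
    """Rules run top-down; the first match decides (so order matters). Returns
    (verdict, http_status, checked) where 'checked' names the rule whose
    'Check and ...' action logged the request. 403 is an assumed error code."""
    for rule in rules:
        if not rule.matches(req):
            continue
        checked = [rule.name] if rule.action != ALLOW else []
        if rule.action == CHECK_AND_BLOCK:
            return "block", error_status, checked   # error response goes to the client
        return "allow", 200, checked
    return "allow", 200, []                          # nothing matched: default allow

# Constructed sample policy. Rule order enforces "admin path only from 203.0.113.0/24".
RULES = [
    AccessRule("admin-from-corp", ALLOW, path_prefix="/admin", source_cidrs=["203.0.113.0/24"]),
    AccessRule("admin-elsewhere", CHECK_AND_BLOCK, path_prefix="/admin"),
    AccessRule("geo-block", CHECK_AND_BLOCK, countries={"XA", "XB"}),  # constructed codes
    AccessRule("odd-methods", CHECK_AND_ALLOW, methods={"TRACE", "PUT", "DELETE"}),
]
```

Swapping the first two rules would block the corporate range from /admin as well, which is the ordering mistake to check for when reviewing a policy.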


References for more details:

https://www.ateam-oracle.com/post/enhance-security-with-oracle-cloud-infrastructures-web-application-firewall

https://www.ateam-oracle.com/post/using-oci-waf-web-application-firewall-with-oracle-e-business-suite

Wednesday 21 December 2022

DNS Resolution

The following diagram illustrates how DNS resolution works in the background.

Saturday 17 December 2022

SOA - Capture Authentication Details

Add the following property to the composite.xml file:

<service name="InvAdjOnline_ep" ui:wsdlLocation="XxScmInvProcessMaterialTransaction_01.wsdl">
  <interface.wsdl interface="http://www.xxxxx.xx/erp/inv/wsdl#wsdl.interface(XxScmInvProcessMaterialTransaction)"/>
  <binding.ws port="http://www.xxxx.xx/erp/inv/wsdl#wsdl.endpoint(InvAdjOnline_ep/XxScmInvProcessMaterialTransaction_pt)">
    <!-- Expose the inbound HTTP Authorization header to the composite as a message property -->
    <property name="oracle.webservices.http.headers">Authorization</property>
  </binding.ws>
</service>


Use the following property in the receive activity to capture the authentication details:

<bpelx:fromProperties>
  <!-- Copy the captured Authorization header into the BPEL variable authTokenVar -->
  <bpelx:fromProperty name="Authorization" variable="authTokenVar"/>
</bpelx:fromProperties>

IDCS - Identity Federation with Azure and Google (SAML IDP & Social IDP)

The setup involves Identity Cloud Service (IDCS) acting as the central identity provider, facilitating seamless authentication and authoriza...