Security
This section covers security-related topics.
Architectural Overview of WikiTraccs
The following image shows which building blocks are at play when running a WikiTraccs migration.
The building block explained:
| Building block | Purpose |
|---|
| Client’s computer | A computer running WikiTraccs. Uses Windows as operating system. You control this computer. |
| WikiTraccs console applications (GUI, Console) | WikiTraccs consists of two .NET-based console applications: WikiTraccs.GUI.exe and WikiTraccs.Console.exe. WikiTraccs is portable, no installation is necessary. |
| Confluence | The source Confluence environment that should be migrated to SharePoint. You decide whether this environment is being connected to via HTTP or HTTPS by using the respective URL scheme (http://, https://) in the source address configuration of WikiTraccs. |
| Confluence migration account | The account used to log in to Confluence. WikiTraccs uses the session of this account and therefor has access to everything this account has access to. |
| SharePoint, MS Graph | The Microsoft 365 target environment that will be migrated to. All connections are HTTPS and TLS-secured. For the state of TLS in Microsoft 365 have a look at Preparing for TLS 1.2 in Office 365 and Office 365 GCC. |
| SharePoint migration account | The account used to log in to SharePoint. The permission that WikiTraccs has is the intersection of this user’s permission and the permissions configured for the Entra ID app registration. |
| Azure AD App Registration for WikiTraccs | Entra ID app registration that allows WikiTraccs to work with Microsoft services on an API level. See Registering WikiTraccs as app in Entra ID for details. |
| Locally stored files | WikiTraccs stores files locally on the system it runs. Those files comprise: attachments downloaded from Confluence, log files, caches, WikiTraccs.GUI configuration, debugging-related files (if certain debug settings are turned on) |
| Client’s migration team | This is your migration team. |
| WikiTraccs support | Support channels, mainly GitHub, email, and Microsoft Teams. Support might ask for log files to diagnose issues. You decide if you want to provide those log files. |
| Other services | Other services being used are documented below, and their respective endpoints in the Endpoint reference. |
Other services
Google Chrome WebDriver Download
WikiTraccs launches and controls an automated Chrome browser for the Confluence migration user to log in, and to get the session cookies.
This automation requires the Google Chrome WebDriver to be downloaded and run. This is an application provided by Google and needs to match the Chrome version running on the migration machine. So after every Chrome update on the migration machine a matching Chrome driver will be automatically downloaded by WikiTraccs.
The endpoints used to get the WebDriver are listed in the Endpoint reference.
1 - Data Storage and Transmission
This article is a resource where you can find information about stored data and data transmission.
This article covers one of the major concerns with any migration tool: handling of data.
WikiTraccs handles data securely.
Big Picture
WikiTraccs is a console application that connects to both Confluence and SharePoint Online during the Confluence to SharePoint migration.
It downloads content like pages and attachments from Confluence to a local directory. It processes this locally stored data and uploads it to SharePoint Online.
Where does WikiTracc run? Is it a cloud service?
WikiTraccs is not a cloud service. WikiTraccs is a .NET-based console application that runs on a Windows workstation of your choosing.
The workstation WikiTraccs runs on can be any machine: your VPN-connected laptop at home, an on-premises server, a cloud VM - as long as it can connect to and authenticate with both Confluence and SharePoint Online it will work.
And because this question sometimes comes up: No, WikiTraccs does not need to run on the Confluence server.
Where does WikiTraccs store data? Is data being sent somewhere?
WikiTraccs stores data locally on the workstation it is running on.
This locally stored data includes:
- page contents
- attachments
- log files
- cached data and temporary files
There is no cloud storage involved, apart from SharePoint Online as migration target. Other migration tools use Azure or third-party storage solutions as temporary storage location before data is being moved to SharePoint Online. WikiTraccs does not do that. It directly uploads to SharePoint.
The data never leaves the workstation, except for SharePoint Online, which is the target of the migration.
What level of encryption is used for data at rest?
Data at rest in the context of WikiTraccs is content stored on the workstation that is used to perform the migration and to run WikiTraccs. This data is not encrypted and can potentially be accessed by users of this workstation, depending on file system access permissions.
How is data transmission secured?
Connections use TLS version 1.2. For Confluence, some clients run their instance disconnected from the internet and connect via HTTP from their internal network, which WikiTraccs allows.
WikiTraccs uses the Confluence REST API as well as the SharePoint Online API and Microsoft Graph, when it comes to transmitting migrated content.
A complete list of endpoints used by WikiTraccs is shown in the Endpoint Reference.
Can WikiTraccs access all my data?
No, WikiTraccs can only access data you choose to let it have access to.
The access level of WikiTraccs depends on the migration accounts you choose for Confluence and SharePoint.
When starting a migration, you will authenticate with one user account in Confluence, with another user account in SharePoint. Since WikiTraccs accesses data in the context of those user sessions, it can only see what those accounts can see.
Example for Confluence: when starting the migration, you log in with an account that can only see pages from one space. WikiTraccs will only be able to migrate this one space since it cannot access other spaces.
Example for SharePoint: when starting the migration, you log in with an account that is site admin for all migration target sites, but doesn’t have access to other sites in the SharePoint tenant. WikiTraccs now also will only be able to access the migration target sites. Nothing else.
No, unless you actively send it to me.
Where can I get an architectural overview, like, a diagram?
Please have a look at the Security article, which dives deeper.
2 - Endpoint reference
This article is a resource where you can find endpoint information for WikiTraccs.
Note
This is a potentially non-exhaustive listing.Required endpoints
The following table lists the required endpoints for using WikiTraccs.
Microsoft 365
| Required Endpoint | Purpose |
|---|
| login.microsoftonline.com | Authentication with Microsoft |
| aadcdn.msftauth.net | Authentication with Microsoft |
| login.live.com | Authentication with Microsoft |
| *.sharepoint.com | Access to store pages migrated from Confluence to SharePoint |
Atlassian Confluence REST
WikiTraccs uses the REST endpoints of Confluence. The REST endpoints are expected under the following URL:
<confluencebaseurl>/rest/api/
Automatic Chrome WebDriver download
The Chrome WebDriver is used by WikiTraccs to show a browser window for Confluence authentication.
| Required Endpoint | Purpose | Owner info |
|---|
| chromedriver.chromium.org | Chrome WebDriver version detection | Whois registrant: Google LLC (CA, US) |
| chromedriver.storage.googleapis.com | Chrome WebDriver download | Whois registrant: Google LLC (CA, US) |
| googlechromelabs.github.io/chrome-for-testing/latest-patch-versions-per-build-with-downloads.json | Chrome WebDriver version information for Chrome starting with version 115 | Github-Repository owner: Google Chrome team |
| edgedl.me.gvt1.com | Host for Chrome WebDriver downloads | Whois registrant: Google LLC (CA, US) |
| storage.googleapis.com | Host for Chrome WebDriver downloads | Whois registrant: Google LLC (CA, US) |
Refer to the troubleshooting section for handling blocked connections to those endpoints.
Optional endpoints
Atlassian Confluence XML-RPC
WikiTraccs uses the REST endpoints of Confluence with one exception.
There is one endpoint of the old XML-RPC API that is being used to read space permissions, since those are not available via the REST API. This endpoint is expected under the following URL:
<confluencebaseurl>/rpc/xmlrpc/
Space permissions are currently retrieved by WikiTraccs but not processed during the migration. It currently is no problem when this endpoint is not available, but data about space permissions might be missing when a future release of WikiTraccs starts working with them.
