Event generation script for Access Manager Analytics Server

Introduction:

This cool solution explains a basic Access Manager configuration and the event generation needed to use the Analytics Server. To use the Analytics Server feature, first configure Access Manager, then run the attached script to send requests to Access Manager so that audit events are sent to the Analytics Server. Based on these events, the Analytics Server generates graphs and displays them on the dashboard.

This is a sample Access Manager configuration and script. If you already have a configuration and infrastructure that generate requests for protected resource access, you can follow the Access Manager documentation to set up the Analytics Server.

Access Manager Configuration



To create the required Access Manager configuration, use code promotion. The code promotion export file is attached; import it into your setup to create the required Access Manager configuration. This export file was created from an Access Manager setup running the Admin Console (AC) and IDP on separate boxes on SLES12SP1, plus an Access Gateway Appliance.

All necessary files are attached as a zip file: AnalyticsServer_Config&Event_Script


  1. Code promotion:

    Code Promotion config zip file: NAMExportedConfig_2016-10-25_1203.namcfg. This file is inside the NAM_Config directory.

    Note: No password is needed while importing.

    • Import the IDP configuration as a new cluster into the Admin Console
    • Configure the user stores
    • Add the IDP server to the cluster and update the IDP cluster
    • In AG create a reverse proxy with the name “rba”, a proxy service named “rba” and the published DNS name www.rba.com
    • Import the AG configuration

      Note: While importing the AG configuration, change the web server IP address to match your backend web servers

    • After code promotion go to Policies -> Risk-based Policies -> NAT Settings and set:

      Enable the option: Identity Servers are behind NAT
      Client IP Header Name: X-Forwarded-For
      Client IP Header Parser: .*

      Fig: NAT Setting for IDP


  2. Analytics Server – Geolocation Provider configuration

    The Geolocation provider configuration is used to identify the country of a logged-in user. You can skip this step if you have not subscribed to a Geolocation provider. If you skip this step, the Geolocation graph will not be populated in the dashboard.

    • Go to Devices -> Analytics Server -> Edit -> Geolocation Provider: Configure
    • Enable Location Profiling
    • From the Geolocation Provider field, select any provider.

      If you select the Neustar service, configure the API key and secret.

      If you are using a custom provider, then:

      • Specify a name to identify the provider.
      • Specify the fully qualified name of the Java class.
      • Click Add Property to add properties to the custom class.

      Example: If you are using MaxMind as the provider, then:

      Provider Name: Any Name

      Java Class:
      com.microfocus.nam.infodashboard.geolocationcore.providers.MaxMindLocalDB

      Add a property:

      Property Name: citydbfile
      Value: Location of the Geolocation database on the Analytics Server, e.g. /opt/novell/GeoLiteCity.db

    Note: Please look into the license agreement of the Geolocation provider before using it.



  3. Configure Analytics Server as the Audit Server in the Admin Console.



  4. Adding users to the Admin Console eDirectory/userstore

    Ldif file: user0_999.ldif (the file is located in the ldif folder)

    • SSH to the Admin Console box.
    • Use the following command to upload the users.

      user0 to user14 will be used while sending requests to Access Manager. In this example I have used the same Admin Console eDirectory as the userstore. If you are using an external userstore, make sure that these users are present there.

      ldapmodify -D cn=admin,o=novell -w novell -a -x -f user0_999.ldif
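If the users have to be created in an external user store instead of being imported from the attached file, the following Python script (an added example, not the attached user0_999.ldif or any NetIQ tooling) generates an equivalent LDIF file for user0 to userN. The base container o=novell, the inetOrgPerson attribute set and the per-user random passwords are assumptions; adapt them to the schema of your user store.

```python
# Added example (not the attached user0_999.ldif): generate an LDIF file that
# creates user0 .. userN so the same accounts can be loaded into an external
# user store with ldapmodify -a. Base DN, attribute set and password handling
# are assumptions, not taken from the attached file.
import secrets
import string
from typing import Optional

BASE_DN = "o=novell"  # assumption: the container used by the sample ldapmodify command


def random_password(length: int = 16) -> str:
    """Per-user random password; record the generated values if the lab
    script needs to log in as these users."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_user_entry(index: int, base_dn: str = BASE_DN,
                    password: Optional[str] = None) -> str:
    """Return one LDIF add record for user<index> as an inetOrgPerson."""
    uid = f"user{index}"
    if password is None:
        password = random_password()
    return "\n".join([
        f"dn: cn={uid},{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: organizationalPerson",
        "objectClass: person",
        "objectClass: top",
        f"cn: {uid}",
        f"sn: {uid}",
        f"uid: {uid}",
        f"userPassword: {password}",
        "",  # blank line terminates the record
    ])


def make_ldif(first: int, last: int, base_dn: str = BASE_DN) -> str:
    """LDIF text with one add record per user in [first, last]."""
    return "\n".join(make_user_entry(i, base_dn) for i in range(first, last + 1))


def count_entries(ldif_text: str) -> int:
    """Number of records in an LDIF text (one 'dn:' line per record)."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn: "))


if __name__ == "__main__":
    # Same user range as the attached file: user0 .. user999.
    with open("user0_999_generated.ldif", "w", encoding="utf-8") as fh:
        fh.write(make_ldif(0, 999))
```

Load the output with the same ldapmodify command as above, substituting the generated file name; with -a each record is treated as an add.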





  5. Add host entries for the IDP and AG protected resource URLs


  6. Running the script

    This script sends curl requests to the Access Gateway to access protected resources. Use the following command to run the script:

    sh analytics_automation.sh

    If you want to run the script in a loop, use the following command:

    sh loop.sh <number>

    e.g.: sh loop.sh 5

    The analytics_automation.sh script will then run 5 times in a loop.

    Note: The user count will remain constant (15) because the same users log in again and again.


  7. Additional Notes:

    • This script does not access any SAML SP. To get the IDP Application Accessed graph, you may try to access any SAML2 SP like Google Apps, AWS or Salesforce using a browser.
    • The Access Gateway Requests graphs will show activity only if requests come from a browser. curl-based requests will not affect this graph.
    • Access Gateway Cache Utilization: This graph shows the cache utilization in percentage. Unless a lot of content is cached in AG, this graph will not show any activity.






Manual Configuration Steps



The following steps are required only if you have not used the code promotion method explained above to configure Access Manager.


  1. Configuring Risk-based Policies

    • Configure two risk policies, one for Pre-Auth and one for Post-Auth.

      Fig: Risk_Policy

      Rules: There are two rules, Ip-subnet-rule and http-header-doesn’t-contain.

      Below are the configuration screenshots for these rules.

      Ip-subnet-rule:

      Fig: IP_Subnet_Rule

      IP Address:

      179.93.224.2
      196.25.255.250
      194.177.244.1
      182.19.65.177
      194.32.31.1-194.32.31.2
      1.44.44.45-1.44.44.47
      142.8.2.100-142.8.2.101
      62.8.2.100-62.8.2.101
      201.81.43.11-201.81.43.12
      196.25.255.250
      194.177.244.1
      182.19.65.177

      Note: There is no need to configure all of these IP addresses. You may configure only a few; requests from these IP addresses will be considered low-risk requests.

      http-header-doesn’t-contain rule:

      Fig: http-header-doesn’t-contain rule

      Then define the Risk Levels as shown in figure 1.

      Note: Don’t look at this policy configuration from a risk-based policy perspective; it exists only to generate events at different risk levels. If you have already configured risk-based policies, you may use those instead.

    • Similarly, configure another risk-based policy for Post-Auth. You can use the same rules created in the earlier risk policy.


  2. Go to Policies -> Risk-based Policies -> NAT Settings and set:

    Enable the option: Identity Servers are behind NAT
    Client IP Header Name: X-Forwarded-For
    Client IP Header Parser: .*

    Fig: NAT Setting for IDP
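The NAT setting above and the IP subnet rule above work together: the header parser decides which client IP the risk engine sees, and the IP subnet rule decides whether that IP counts as low risk. The following Python script is an added example, not Access Manager's own code, that models both. It assumes that the first regex match of the Client IP Header Parser is taken as the client IP (so the lab value .* returns the whole header value); the rule list is the one from the policy above with the repeated entries dropped, and the multi-hop header value is constructed.

```python
# Added example, not Access Manager's own code: models the two lab settings
# above that decide which client IP a risk rule sees (the NAT "Client IP
# Header Parser" applied to X-Forwarded-For) and whether that IP falls in the
# IP subnet rule. Assumption: the first regex match of the parser is taken as
# the client IP, so the lab value ".*" yields the whole header value.
import ipaddress
import re
from typing import List, Optional, Tuple

# IP subnet rule as listed in the policy above (single addresses and
# "start-end" ranges; the repeated entries dropped).
IP_SUBNET_RULE = """
179.93.224.2
196.25.255.250
194.177.244.1
182.19.65.177
194.32.31.1-194.32.31.2
1.44.44.45-1.44.44.47
142.8.2.100-142.8.2.101
62.8.2.100-62.8.2.101
201.81.43.11-201.81.43.12
"""


def parse_ip_rule(text: str) -> List[Tuple[int, int]]:
    """Turn rule lines into (low, high) integer ranges; a single address is a range of one."""
    ranges: List[Tuple[int, int]] = []
    for token in text.split():
        start, _, end = token.partition("-")
        end = end or start
        lo = int(ipaddress.ip_address(start))
        hi = int(ipaddress.ip_address(end))
        if hi < lo:
            raise ValueError(f"range end precedes start: {token}")
        ranges.append((lo, hi))
    return ranges


def extract_client_ip(header_value: str, parser: str = r".*") -> Optional[str]:
    """Apply the configured header parser regex to the X-Forwarded-For value;
    returns the matched text, or None when the pattern does not match."""
    match = re.search(parser, header_value)
    return match.group(0) if match else None


def is_low_risk(header_value: str, ranges: List[Tuple[int, int]],
                parser: str = r".*") -> bool:
    """True when the parsed client IP is inside one of the rule's ranges."""
    candidate = extract_client_ip(header_value, parser)
    try:
        addr = int(ipaddress.ip_address(candidate.strip()))
    except (ValueError, AttributeError):
        # Not a single address (e.g. ".*" over a multi-hop "a, b" value): the rule cannot match.
        return False
    return any(lo <= addr <= hi for lo, hi in ranges)


if __name__ == "__main__":
    rule = parse_ip_rule(IP_SUBNET_RULE)
    multi_hop = "203.0.113.9, 196.25.255.250"  # constructed: client, then one proxy hop
    print(is_low_risk("194.32.31.2", rule))                   # True: inside a range
    print(is_low_risk(multi_hop, rule))                       # False: ".*" keeps the whole value
    print(is_low_risk(multi_hop, rule, parser=r"[0-9.]+$"))   # True: last hop, 196.25.255.250
    print(is_low_risk(multi_hop, rule, parser=r"^[0-9.]+"))   # False: first hop, 203.0.113.9
```

With the parser left at .*, a header that already carries several hops (one address per proxy) is taken whole and matches no range, so the IP subnet rule cannot fire; a parser anchored to the hop written by your own Access Gateway is what makes the rule evaluate the intended address. The header value is only meaningful when the gateway in front of the IDP sets it, which is why the setting is tied to Identity Servers are behind NAT.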



  3. Configuring Methods and Contracts

    • Configure Methods to use the Risk Class, one for Pre-Auth and another for Post-Auth
    • Configure Contracts, one for Pre-Auth and another for Post-Auth

      Fig: Post-Auth Contract (con_postauth)

      Fig: Pre-Auth Contract (con_preauth)



  4. Access Gateway Configuration:

    • Create two protected resources in AG
    • For the first protected resource, assign a contract which is based on the Post-Auth risk class
    • For the other resource, assign a contract which is based on the Pre-Auth risk class

Continue the manual configuration from section 2, Analytics Server – Geolocation Provider configuration, above.

Accessing Analytics Dashboard

The different ways of accessing the Analytics dashboard are explained in the following document:
https://www.netiq.com/documentation/access-manager-43/admin/data/accessing-analytics-dashboard.html

 
