Introduction:

This cool solution explains a basic Access Manager configuration and event generation for using Analytics Server. To use the Analytics Server feature, first you need to configure Access Manager. Then run the attached script to send requests to Access Manager, so that audit events are sent to the Analytics Server. Based on the events the Analytics Server will generate the graphs and display them on the dashboard.

This is a sample Access Manager configuration and script. If you already have a configuration and infrastructure to generate requests for protected resource access then you can follow the Access Manager documentation to setup the Analytics Server.

Access Manager Configuration

To create the required Access Manager configuration use code promotion. The Code promotion export file is attached. You can import the file to your setup to create the required Access Manager configuration. This export file was created from an Access Manager setup running AC, IDP on separate boxes on SLES12SP1, and Access Gateway Appliance.

All necessary files are attached as a zip file: AnalyticsServer_Config&Event_Script

1. Code promotion:
   
   Code Promotion config zip file: NAMExportedConfig_2016-10-25_1203.namcfg. This file is inside NAM_Config directory.
   
   Note: No password is needed while importing.
   
   
   
   
   1. Import the IDP configuration as a new cluster into the admin console
   
   
2. Configure the user stores

• Add the IDP server to the cluster and Update IDP cluster

• In AG create a reverse proxy with the name “rba” and proxy service as “rba” and published DNS name www.rba.com.

• Import the AG configuration
  
  Note: While importing the AG configuration change the web server IP address as per your backend web servers
  

• After code promotion go to Policies -> Risk-based Policies->NAT Settings
  
  Enable the option: Identity Servers are behind NAT
  Client IP Header Name: X-Forwarded-For
  Client IP Header Parser: .*
  
  
  
  Fig: NAT Setting for IDP
  

• Analytics Server – Geolocation Provider configuration
  
  Geolocation provider configuration is used for identifying the Country of a logged in user. You can skip this step if you have not subscribed to a Geolocation provider. If you skip this stip, the Geolocation graph will not be populated in the dashboard.
  
  
  
  
  1. Go to Devices ->Analytics Server -> Edit ->Geolocation Provider: Configure
  
  
• Enable Location Profiling
  

From the Geolocation Provider: filed select any.

If you select, neustar service, then configure the API key and Secret.

If you are using a custom provider, then:

• Specify a name to identify the provider.

• Specify the fully qualified name of the JAVA class.

• Click Add Property to add properties to the custom class.

Example: If you are using maxmind as provider, then:

Provider Name: Any Name

Java Class:
com.microfocus.nam.infodashboard.geolocationcore.providers.MaxMindLocalDB

Add a property:

Property Name: citydbfile
Value: Location of Geolocation database in Analytics Server. e.g /opt/novell/GeoLiteCity.db

Note: Please look into the license agreement of the Geolocation provider before using.

• Configure Analytics Server as the Audit Server in Admin Console.
  
  

• Enable required events as per the documentation: https://www.netiq.com/documentation/access-manager-43/admin/data/analytics-graph-events.html
  
  

• Adding users to the Admin Console e-directory/userstore
  
  Ldif file: user0_999.ldif (File is located in ldif folder)
  
  
  
  
  1. SSH to Admin Console box.
  
  
• Use the following command to upload users.
  
  user0 to user 14 will be used while sending requests to Access Manager. In this example I have used the same Admin Console eDirectory as userstore. If you are using external userstore make sure that these users are present there.
  
  ldapmodify -D cn=admin,o=novell -w novell -a -x -f user0_999.ldif
  

• Using the Script to generate real-time events from Access Manager
  
  
  
  1. Copy the content of script folder to a Linux box
  
  
• In Config.txt file change the URLs
  
  IDP_URL=https://nam32-idp.labs.blr.novell.com:8443
  AG_URL_POST_AUTH=http://postauth.rba.com:803/bajesh/ii/test.php
  AG_URL_PRE_AUTH=http://preauth.rba.com:803/bajesh/ii/test.php
  
  Note: If you have not changed the IDP URL during code promotion import, the IDP URL will remain same. For AG URLs you have to change only port and path as per your Access Manager setup.

• Add host entries for the IDP and AG Protected resource URLs
  

• Running the script
  
  This script sends Curl requests to Access Gateway to access protected resources. Use the following command to run the script:
  
  sh analytics_automation.sh
  
  If you want to run the script in loop use the following command:
  
  sh loop.sh <number>
  
  e.g: sh loop.sh 5
  
  The analytics_automation.sh script will run in loop 5 times.
  
  Note: User count will remain constant (15) as same users will be logging in again and again
  
  

• Additional Notes:
  
  
  
  • This script does not access any SAML SP. To get IDP Application Accessed graph you may try to access any SAML2 SP like google apps, AWS or salesforce using a browser
  
  
• Access Gateway Requests graphs will show activity if requests land from browser. For Curl based requests this graph will not have any impact

• Access Gateways Cache Utilization: This graph shows the cache utilization in percentage. Unless lot of content is cached in AG, this graph will not show any activity

Manual Configuration Steps

The following steps are required only if you have not used the code promotion method explained above to configure Access Manager.

1. Configuring RISK based Policies
   
   
   
   
   1. Configure two RISK policies for Pre Auth and Post auth
      
      
      
      Rules: There are two rules. Ip-subnet-rule and http-header-doesn’t contain.
      
      Below are the configuration screen shots for these rules.
      
      Ip-subnet-rule:
      
      
      
      IP Address:
      
      179.93.224.2
      196.25.255.250
      194.177.244.1
      182.19.65.177
      194.32.31.1-194.32.31.2
      1.44.44.45-1.44.44.47
      142.8.2.100-142.8.2.101
      62.8.2.100-62.8.2.101
      201.81.43.11-201.81.43.12
      196.25.255.250
      194.177.244.1
      182.19.65.177
      
      Note: No need to configure all of these IP addresses. You may configure only a few and requests from these IP addresses will be considered as Low risk requests.
      
      http-header-doesn’t-contains rule:
      
      
      
      Then define the Risk Levels as shown in figure: 1
      
      Note: Don’t look into the policy configuration from RISK-based policy perspective. This is to generate different risk level events only. If you have already configured RISK-based policies you may use the same.
      
   
   
2. Similarly configure another Risk-based policy for Post Auth. You can use the same rules created in the earlier risk policy.

• Go to Policies -> Risk-based Policies->NAT Settings
  
  Enable the option: Identity Servers are behind NAT
  Client IP Header Name: X-Forwarded-For
  Client IP Header Parser: .*
  
  

  Fig: NAT Setting for IDP

  
  

• Configuring Methods and Contracts
  
  
  
  
  1. Configure Methods to use Risk Class. One for Pre-Auth and another for Post-Auth
  
  
• Configure Contracts, One for Pre-Auth and another for Post-Auth
  
   
  
  
  
  Fig: Post-Auth Contract
  
   
  
  
  
  Fig: Pre-Auth Contract
  
  

• Access Gateway Configuration:
  
  
  
  
  1. Create two protected resources in AG
  
  
• For the first Protected Resource, assign a contract which is based on Post-Auth risk class

• For another resource assign a contract which is based on Pre-Auth risk class
  

Continue the manual configuration from the 2. Analytics server – Geolocation Provider configuration section

Accessing Analytics Dashboard

The different ways of accessing the Analytics dashboard are explained in following document.
https://www.netiq.com/documentation/access-manager-43/admin/data/accessing-analytics-dashboard.html