This cool solution explains a basic Access Manager configuration and the event generation needed to use the Analytics Server. To use the Analytics Server feature, first configure Access Manager. Then run the attached script to send requests to Access Manager so that audit events are sent to the Analytics Server. Based on these events, the Analytics Server generates the graphs and displays them on the dashboard.
This is a sample Access Manager configuration and script. If you already have a configuration and the infrastructure to generate requests for protected resource access, you can follow the Access Manager documentation to set up the Analytics Server.
Access Manager Configuration
To create the required Access Manager configuration, use code promotion. The code promotion export file is attached; import it into your setup to create the required Access Manager configuration. This export file was created from an Access Manager setup with the Admin Console (AC) and the IDP on separate SLES12SP1 boxes, plus an Access Gateway Appliance.
Code promotion config zip file: NAMExportedConfig_2016-10-25_1203.namcfg. This file is inside the NAM_Config directory.
Note: No password is needed while importing.
Import the IDP configuration as a new cluster into the admin console
Configure the user stores
Add the IDP server to the cluster and Update IDP cluster
In AG, create a reverse proxy named “rba” with a proxy service named “rba” and the published DNS name www.rba.com.
Import the AG configuration
Note: While importing the AG configuration, change the web server IP address to match your backend web servers.
After code promotion go to Policies -> Risk-based Policies->NAT Settings
Enable the option: Identity Servers are behind NAT
Client IP Header Name: X-Forwarded-For
Client IP Header Parser: .*
Fig: NAT Setting for IDP
Analytics Server – Geolocation Provider configuration
The Geolocation provider configuration is used to identify the country of a logged-in user. You can skip this step if you have not subscribed to a Geolocation provider. If you skip this step, the Geolocation graph will not be populated in the dashboard.
Go to Devices ->Analytics Server -> Edit ->Geolocation Provider: Configure
Enable Location Profiling
From the Geolocation Provider field, select a provider.
If you select the Neustar service, configure the API key and secret.
If you are using a custom provider, then:
Specify a name to identify the provider.
Specify the fully qualified name of the JAVA class.
Click Add Property to add properties to the custom class.
Example: If you are using MaxMind as the provider, then:
Adding users to the Admin Console eDirectory/userstore
Ldif file: user0_999.ldif (File is located in ldif folder)
SSH to Admin Console box.
Use the following command to upload the users.
user0 to user14 are used when sending requests to Access Manager. In this example the same Admin Console eDirectory is used as the userstore. If you are using an external userstore, make sure these users are present there.
ldapmodify -D cn=admin,o=novell -w novell -a -x -f user0_999.ldif
Using the Script to generate real-time events from Access Manager
Note: If you have not changed the IDP URL during the code promotion import, the IDP URL remains the same. For the AG URLs, you only have to change the port and path to match your Access Manager setup.
Add host entries for the IDP and AG Protected resource URLs
Running the script
This script sends curl requests to the Access Gateway to access the protected resources. Use the following command to run the script:
sh analytics_automation.sh
If you want to run the script in loop use the following command:
sh loop.sh <number>
e.g. sh loop.sh 5
The analytics_automation.sh script will then run 5 times in a loop.
Note: The user count remains constant (15) because the same users log in again and again.
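The following is an added illustration of what such a request-generating script looks like; it is not the attached analytics_automation.sh. It logs user0 to user14 in through the IDP with a cookie jar, requests the two AG protected resources, and alternates the X-Forwarded-For value so that the IP-subnet rule produces events at different risk levels. The hostnames, ports, resource paths, login form field names and password are assumptions (adjust them to your setup); the published DNS name www.rba.com and the 15 users come from this page.

```shell
#!/bin/sh
# Added example, not the attached analytics_automation.sh.
# All values below marked "assumed" are placeholders for your environment.
IDP_URL="${IDP_URL:-https://idp.rba.com:8443}"      # assumed IDP base URL
AG_URL="${AG_URL:-https://www.rba.com}"             # published DNS name from the page
PRE_AUTH_PATH="${PRE_AUTH_PATH:-/preauth/}"         # assumed protected resource (Pre-Auth contract)
POST_AUTH_PATH="${POST_AUTH_PATH:-/postauth/}"      # assumed protected resource (Post-Auth contract)
USER_PASSWORD="${USER_PASSWORD:-changeme}"          # assumed test password for user0..user14
USER_COUNT=15                                       # user0 .. user14, as on this page

# Constructed client addresses. The IDP is configured to read the client IP
# from X-Forwarded-For with parser ".*", so it accepts whatever the header carries;
# the first address is meant to sit inside the IP-subnet rule (low risk),
# the second outside it (higher risk).
client_ip_for() {
  if [ $(( $1 % 2 )) -eq 0 ]; then echo "10.10.10.5"; else echo "203.0.113.77"; fi
}

# Form fields posted to the IDP login handler (assumed; verify against the
# name/password form served by your IDP).
login_form_data() {
  echo "Ecom_User_ID=$1&Ecom_Password=$USER_PASSWORD"
}

# One user session: touch a protected resource so the AG redirects to the IDP,
# post the credentials, then fetch the other resource with the same cookie jar.
run_session() {
  user="$1"; ip="$2"; jar="$(mktemp)"
  curl -sk -o /dev/null -c "$jar" -b "$jar" -L -H "X-Forwarded-For: $ip" "$AG_URL$POST_AUTH_PATH"
  curl -sk -o /dev/null -c "$jar" -b "$jar" -L -H "X-Forwarded-For: $ip" \
       --data "$(login_form_data "$user")" "$IDP_URL/nidp/app/login?sid=0"
  curl -sk -o /dev/null -c "$jar" -b "$jar" -L -H "X-Forwarded-For: $ip" "$AG_URL$PRE_AUTH_PATH"
  rm -f "$jar"
}

main() {
  i=0
  while [ "$i" -lt "$USER_COUNT" ]; do
    run_session "user$i" "$(client_ip_for "$i")"
    i=$((i + 1))
  done
}

# Only send traffic when explicitly requested (RUN_ANALYTICS=1 sh script.sh),
# so the file can be sourced for checks without contacting any server.
if [ "${RUN_ANALYTICS:-0}" = "1" ]; then main; fi
```

Wrap it the same way loop.sh wraps the attached script to repeat it N times.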
Additional Notes:
This script does not access any SAML SP. To populate the IDP Application Accessed graph, access a SAML2 SP such as Google Apps, AWS or Salesforce from a browser.
The Access Gateway Requests graph shows activity only for requests that come from a browser; curl-based requests do not affect it.
Access Gateways Cache Utilization: This graph shows the cache utilization as a percentage. Unless a lot of content is cached in the AG, this graph will not show any activity.
Manual Configuration Steps
The following steps are required only if you have not used the code promotion method explained above to configure Access Manager.
Configuring Risk-based Policies
Configure two risk policies, one for Pre-Auth and one for Post-Auth.
Rules: There are two rules, IP-subnet-rule and http-header-doesn’t-contain.
Below are the configuration screen shots for these rules.
Note: You do not need to configure all of these IP addresses. You may configure only a few; requests from these IP addresses will be treated as low-risk requests.
http-header-doesn’t-contains rule:
Then define the Risk Levels as shown in Figure 1.
Note: Do not judge this policy configuration from a risk-based policy perspective; its only purpose is to generate events at different risk levels. If you have already configured risk-based policies, you may use those instead.
Similarly, configure another risk-based policy for Post-Auth. You can reuse the rules created for the earlier risk policy.
Go to Policies -> Risk-based Policies->NAT Settings
Enable the option: Identity Servers are behind NAT
Client IP Header Name: X-Forwarded-For
Client IP Header Parser: .*
Fig: NAT Setting for IDP
Configuring Methods and Contracts
Configure two methods that use the risk class: one for Pre-Auth and another for Post-Auth.
Configure two contracts: one for Pre-Auth and another for Post-Auth.
Fig: Post-Auth Contract
Fig: Pre-Auth Contract
Access Gateway Configuration:
Create two protected resources in the AG.
For the first protected resource, assign the contract based on the Post-Auth risk class.
For the other resource, assign the contract based on the Pre-Auth risk class.
Continue the manual configuration from the Analytics Server – Geolocation Provider configuration section above.