Event generation script for Access Manager Analytics Server

Event generation script for Access Manager Analytics Server


This cool solution explains a basic Access Manager configuration and event generation for using Analytics Server. To use the Analytics Server feature, first you need to configure Access Manager. Then run the attached script to send requests to Access Manager, so that audit events are sent to the Analytics Server. Based on the events the Analytics Server will generate the graphs and display them on the dashboard.

This is a sample Access Manager configuration and script. If you already have a configuration and infrastructure to generate requests for protected resource access then you can follow the Access Manager documentation to setup the Analytics Server.

Access Manager Configuration

To create the required Access Manager configuration use code promotion. The Code promotion export file is attached. You can import the file to your setup to create the required Access Manager configuration. This export file was created from an Access Manager setup running AC, IDP on separate boxes on SLES12SP1, and Access Gateway Appliance.

All necessary files are attached as a zip file: AnalyticsServer_Config&Event_Script

  1. Code promotion:

    Code Promotion config zip file: NAMExportedConfig_2016-10-25_1203.namcfg. This file is inside NAM_Config directory.

    Note: No password is needed while importing.

    1. Import the IDP configuration as a new cluster into the admin console

    2. Configure the user stores

    3. Add the IDP server to the cluster and Update IDP cluster

    4. In AG create a reverse proxy with the name “rba” and proxy service as “rba” and published DNS name www.rba.com.

    5. Import the AG configuration

      Note: While importing the AG configuration change the web server IP address as per your backend web servers

    6. After code promotion go to Policies -> Risk-based Policies->NAT Settings

      Enable the option: Identity Servers are behind NAT
      Client IP Header Name: X-Forwarded-For
      Client IP Header Parser: .*

      NAT Setting for IDP

      Fig: NAT Setting for IDP

  2. Analytics Server – Geolocation Provider configuration

    Geolocation provider configuration is used for identifying the Country of a logged in user. You can skip this step if you have not subscribed to a Geolocation provider. If you skip this stip, the Geolocation graph will not be populated in the dashboard.

    1. Go to Devices ->Analytics Server -> Edit ->Geolocation Provider: Configure

    2. Enable Location Profiling

    From the Geolocation Provider: filed select any.

    If you select, neustar service, then configure the API key and Secret.

    If you are using a custom provider, then:

    • Specify a name to identify the provider.

    • Specify the fully qualified name of the JAVA class.

    • Click Add Property to add properties to the custom class.

    Example: If you are using maxmind as provider, then:

    Provider Name: Any Name

    Java Class:

    Add a property:

    Property Name: citydbfile
    Value: Location of Geolocation database in Analytics Server. e.g /opt/novell/GeoLiteCity.db

    Note: Please look into the license agreement of the Geolocation provider before using.

  3. Configure Analytics Server as the Audit Server in Admin Console.

  4. Enable required events as per the documentation: https://www.netiq.com/documentation/access-manager-43/admin/data/analytics-graph-events.html

  5. Adding users to the Admin Console e-directory/userstore

    Ldif file: user0_999.ldif (File is located in ldif folder)

    1. SSH to Admin Console box.

    2. Use the following command to upload users.

      user0 to user 14 will be used while sending requests to Access Manager. In this example I have used the same Admin Console eDirectory as userstore. If you are using external userstore make sure that these users are present there.

      ldapmodify -D cn=admin,o=novell -w novell -a -x -f user0_999.ldif

  6. Using the Script to generate real-time events from Access Manager

    1. Copy the content of script folder to a Linux box

    2. In Config.txt file change the URLs


      Note: If you have not changed the IDP URL during code promotion import, the IDP URL will remain same. For AG URLs you have to change only port and path as per your Access Manager setup.

    3. Add host entries for the IDP and AG Protected resource URLs

  7. Running the script

    This script sends Curl requests to Access Gateway to access protected resources. Use the following command to run the script:

    sh analytics_automation.sh

    If you want to run the script in loop use the following command:

    sh loop.sh <number>

    e.g: sh loop.sh 5

    The analytics_automation.sh script will run in loop 5 times.

    Note: User count will remain constant (15) as same users will be logging in again and again

  8. Additional Notes:

    • This script does not access any SAML SP. To get IDP Application Accessed graph you may try to access any SAML2 SP like google apps, AWS or salesforce using a browser

    • Access Gateway Requests graphs will show activity if requests land from browser. For Curl based requests this graph will not have any impact

    • Access Gateways Cache Utilization: This graph shows the cache utilization in percentage. Unless lot of content is cached in AG, this graph will not show any activity

Manual Configuration Steps

The following steps are required only if you have not used the code promotion method explained above to configure Access Manager.

  1. Configuring RISK based Policies

    1. Configure two RISK policies for Pre Auth and Post auth


      Rules: There are two rules. Ip-subnet-rule and http-header-doesn’t contain.

      Below are the configuration screen shots for these rules.



      IP Address:

      Note: No need to configure all of these IP addresses. You may configure only a few and requests from these IP addresses will be considered as Low risk requests.

      http-header-doesn’t-contains rule:


      Then define the Risk Levels as shown in figure: 1

      Note: Don’t look into the policy configuration from RISK-based policy perspective. This is to generate different risk level events only. If you have already configured RISK-based policies you may use the same.

    2. Similarly configure another Risk-based policy for Post Auth. You can use the same rules created in the earlier risk policy.

    3. Go to Policies -> Risk-based Policies->NAT Settings

      Enable the option: Identity Servers are behind NAT
      Client IP Header Name: X-Forwarded-For
      Client IP Header Parser: .*

      NAT Setting for IDP Fig: NAT Setting for IDP

  2. Configuring Methods and Contracts

    1. Configure Methods to use Risk Class. One for Pre-Auth and another for Post-Auth

    2. Configure Contracts, One for Pre-Auth and another for Post-Auth



      Fig: Post-Auth Contract



      Fig: Pre-Auth Contract

  3. Access Gateway Configuration:

    1. Create two protected resources in AG

    2. For the first Protected Resource, assign a contract which is based on Post-Auth risk class

    3. For another resource assign a contract which is based on Pre-Auth risk class

    Continue the manual configuration from the 2. Analytics server – Geolocation Provider configuration section

    Accessing Analytics Dashboard

    The different ways of accessing the Analytics dashboard are explained in following document.

Labels (1)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
3 of 3
Last update:
‎2020-01-31 22:07
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.