MaxMind Precision GeoLocation for Access Manager 4.4.4+

This setup is based on @csr's Maxmind Geolocation Provider for Risk Based Authentication with NAM 4.1 Cool Solution. You can safely have both JAR files in the IDP's lib directory.

This solution uses MaxMind's Precision City API, which avoids maintaining local databases but currently requires a direct internet connection. If you need a proxy-capable version, let me know and I'll see what I can do. It still has the same requirement of having the library in /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/ on the IDP(s):

Copy MaxMindPrecision.tar.gz to the IDP's /var/opt/novell/novlwww/ directory and extract it with tar -xzf MaxMindPrecision.tar.gz. Executing the ./max-maxmind.sh script downloads the Azul Zulu JDK (NAM 4.4.4), builds the JAR file, copies it to the lib directory, and sets permissions on the JAR file.

Restart the IDP service (systemctl restart novell-idp) for the JAR to be loaded.

Log into your MaxMind account and generate a License Key:

[Screenshot: MaxMindKeys.png]

In the Access Manager Administration Console, enable Location Profiling under Risk-based Policies > Geolocation. Set the following Geolocation Provider Configuration:

  • Geolocation Provider: Custom Provider
  • Provider Name: MaxMindPrecision
  • Java Class Path: com.netiq.custom.risk.core.geoloc.providers.MaxMindPrecision

Add the following 2 Provider Properties (case sensitive) with the values of your MaxMind License Key:

  • AccountID: Account/User ID
  • LicenseKey: License key

Apply the change to your IDP(s). With IDP logging set appropriately, you can trace the output in /var/log/microfocus/idp/tomcat/catalina.out by searching for MaxMindPrecision, for example:

<amLogEntry> 2019-03-20T02:58:56Z DEBUG NIDS Application:
Method: AbstractProvider.<init>
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
	Account ID: 000000
	License Key: ************ </amLogEntry>

<amLogEntry> 2019-03-20T02:58:56Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
	IPAddress /x.x.x.x </amLogEntry>

<amLogEntry> 2019-03-20T02:58:57Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
	CityResponse: com.maxmind.geoip2.model.CityResponse [ {"city":{"geoname_id":2147714,"names":{"de":"Sydney","ru":"Сидней","pt-BR":"Sydney","ja":"シドニー","en":"Sydney","fr":"Sydney","zh-CN":"悉尼","es":"Sídney"}},"continent":{"code":"OC","geoname_id":6255151,"names":{"de":"Ozeanien","ru":"Океания","pt-BR":"Oceania","ja":"オセアニア","en":"Oceania","fr":"Océanie","zh-CN":"大洋洲","es":"Oceanía"}},"country":{"geoname_id":2077456,"is_in_european_union":false,"iso_code":"AU","names":{"de":"Australien","ru":"Австралия","pt-BR":"Austrália","ja":"オーストラリア","en":"Australia","fr":"Australie","zh-CN":"澳大利亚","es":"Australia"}},"location":{"accuracy_radius":1000,"latitude":-33.8689,"longitude":151.2008,"time_zone":"Australia/Sydney"},"maxmind":{"queries_remaining":137468},"postal":{"code":"1291"},"registered_country":{"geoname_id":2077456,"is_in_european_union":false,"iso_code":"AU","names":{"de":"Australien","ru":"Австралия","pt-BR":"Austrália","ja":"オーストラリア","en":"Australia","fr":"Australie","zh-CN":"澳大利亚","es":"Australia"}},"represented_country":{"is_in_european_union":false},"subdivisions":[{"geoname_id":2155400,"iso_code":"NSW","names":{"en":"New South Wales","ru":"Новый Южный Уэльс","fr":"Nouvelle-Galles du Sud","pt-BR":"Nova Gales do Sul"}}],"traits":{"autonomous_system_number":0000,"autonomous_system_organization":"ASN Org","ip_address":"x.x.x.x","is_anonymous":false,"is_anonymous_proxy":false,"is_anonymous_vpn":false,"is_hosting_provider":false,"is_legitimate_proxy":false,"is_public_proxy":false,"is_satellite_provider":false,"is_tor_exit_node":false,"isp":"ISP Org","organization":"Org"}} ] </amLogEntry>

<amLogEntry> 2019-03-20T02:58:57Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
	AddlProps: {is_anonymous_vpn=false, is_public_proxy=false, is_in_european_union=false, is_legitimate_proxy=false, is_hosting_provider=false, is_tor_exit_node=false}
	Anonymous: false
	City: Sydney
	Country: Australia
	CountryCode: AU
	Organization: ASN Org
	PostalCode: 1291
	RegionCode: OC
	RegionName: Oceania
	State: New South Wales
	StateCode: NSW
	TimeZone: Australia/Sydney
</amLogEntry>

<amLogEntry> 2019-03-20T02:58:57Z DEBUG NIDS Application:
Method: GeoLocation.evaluate
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
GeoLocation Bean: [ country: australia,countryCode: au,city: sydney,timeZone: Australia/Sydney,state: new south wales,stateCode: nsw,areaCode: null,organization: asn org,postalCode: 1291,metroCode: null,regionCode: oc,regionName: oceania,annonymous: false,privateIPAddress: false,AdditionaParameters:{is_anonymous_vpn=false, is_public_proxy=false, is_in_european_union=false, is_legitimate_proxy=false, is_hosting_provider=false, is_tor_exit_node=false} ] </amLogEntry>
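
The trace above can also be checked mechanically. The following Python script is an added example, not part of the original tip or the MaxMindPrecision JAR: it parses amLogEntry blocks, reports the seconds between a thread's IPAddress entry and its CityResponse entry, and lists AddlProps logged as true. The sample log is constructed; pairing entries by Thread name and the 2-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the excerpt above (addresses masked).
SAMPLE_LOG = """\
<amLogEntry> 2019-03-20T02:58:56Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
\tIPAddress /x.x.x.x </amLogEntry>
<amLogEntry> 2019-03-20T02:59:06Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
\tCityResponse: com.maxmind.geoip2.model.CityResponse [ {} ] </amLogEntry>
<amLogEntry> 2019-03-20T02:59:06Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
\tAddlProps: {is_anonymous_vpn=true, is_public_proxy=false, is_tor_exit_node=false}
\tAnonymous: true
 </amLogEntry>
"""

# Tolerates a stray space after "<", as seen in some copies of the log.
ENTRY = re.compile(r"<\s*amLogEntry>\s*(\S+Z)\s+\w+\s+(.*?)<\s*/amLogEntry>", re.S)

def parse_entries(text):
    """Yield (timestamp, thread, body) for each MaxMindPrecision entry."""
    for ts, body in ENTRY.findall(text):
        thread = re.search(r"^Thread: (.+)$", body, re.M)
        if "MaxMindPrecision:" in body:
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   thread.group(1).strip() if thread else "?", body)

def analyze(text, slow_after=2):
    """Return (lookups, slow, flagged): per-thread lookup seconds, those above
    slow_after (assumed threshold), and AddlProps names logged as true."""
    pending, lookups, flagged = {}, [], []
    for ts, thread, body in parse_entries(text):
        if re.search(r"^\s*IPAddress ", body, re.M):
            pending[thread] = ts  # lookup starts; timestamps have 1 s resolution
        elif "CityResponse:" in body and thread in pending:
            lookups.append((thread, (ts - pending.pop(thread)).total_seconds()))
        props = re.search(r"AddlProps: \{(.*?)\}", body)
        if props and "=true" in props.group(1):
            flagged.append(sorted(re.findall(r"(\w+)=true", props.group(1))))
    return lookups, [l for l in lookups if l[1] > slow_after], flagged
```

To use it on an IDP, pass the contents of catalina.out to analyze() and review the slow and flagged lists.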

2019-10-10 Updated for ZuluOpenJDK 1.8.0_222

Comments

This is very cool indeed. I just set this up at a customer running NAM 4.5 SP1 Appliance and it works.  The instructions need a little bit of clarification though as you need to get all the dependencies copied into the IdP lib directory, not just the geoip2 jar.  It's also not clear if you should overwrite what is already there with the dependencies from the geoip2 zip (I opted not to). I had trouble with the max-maxmind.sh script as well since it appears to want to compile the standalone DB version JAR file as well as the MaxMindPrecision one.  Is that by design?  I just ignored the error and it seems to work ok.  

About my only complaint/concern is how slow the query is.  You can see the client IP detected in the log, but then it seems to take 5-10 seconds for the query to complete.  Is there any way to speed that up?

Thanks!

Hi @matt4,

It appears when I did the update on 10th October I used a bad script and bundled it up... will clean up now and upload new tar.gz file.

Lookup will depend on your network access to MaxMind. As you can see from my example above, the lookup is all done and DB updated within 1 second.

Thanks @Rehtael,

Ok, will download the new bundle, thanks.

Unfortunately, the customer I had this setup at had to disable RBA due to another issue, so I cannot do any more testing on it right now. I would see this part in the logs (just stealing from your example since I don't have access to the actual logs at the moment):

<amLogEntry> 2019-03-20T02:58:56Z DEBUG NIDS Application:
Method: GeoLocation.validateGeoLocation
Thread: https-jsse-nio-x.x.x.x-8443-exec-1
MaxMindPrecision:
IPAddress /x.x.x.x </amLogEntry>

And then nothing for 10 seconds.  Then I would see the response.  Way too slow of course for typical use.  I might try and duplicate it in my lab.  This customer is a city government and has a very large Internet pipe, so that is not an issue.

I wish I saved one of the logs.  If we get a solution to the RBA problem I'll test it again.

Hi @matt4

See if the govt org does any shaping and can enhance access to https://geoip.maxmind.com:443

You can test desktop access with https://geoip.maxmind.com/geoip/v2.1/city/me

Revision 13 of 13. Last update: 2019-11-10 09:17