Mohit_Verma02 Trusted Contributor.

Feed actual Client IP Address from NAM IDP to Sentinel 8.2

Hi,

Currently for NAM OAuth applications we are getting the VIP IP Address(F5 LB) as the source IP Address instead of the actual client IP Address.
We are getting the correct client IP Address for SAML based applications though but that's not the case with OAuth applications.
Can anyone please help with the steps to get the actual client IP Address from NAM IDP into Sentinel?


Regards,
Mohit Verma
14 Replies
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Did follow the below cool solution but no luck.
Though getting the x-forwarded for with the client IP in the NAM logs but not in Sentinel.

https://www.netiq.com/communities/cool-solutions/how-to-pass-users-actual-address-to-nam-identity-server-when-request-coming-in-via-load-balancer-or-proxy-server/

Regards,
Mohit Verma
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Any pointers please?
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 04-12-2018 11:34 AM, Mohit verma02 wrote:
> Any pointers please?


Have you looked into using the valve option in Tomcat? You can set this and then Tomcat will replace the client IP with the value from the XFF header.

--
Cheers,
Edward
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Thanks Edward.
Did try the steps in https://www.netiq.com/documentation/access-manager-44/admin/data/b8n3v8l.html .
Used the below snippet to configure Server.xml.

<Engine defaultHost="localhost" name="Catalina">
  <!-- internalProxies: regex of the load balancer / proxy addresses whose X-Forwarded-For header is trusted -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="IP addresses" />
  <!-- the existing Host and other child elements of the Engine stay here -->
</Engine>

Did manage to see the x-forwarded-for header with the actual Client IP but still getting the VIP IP in Sentinel.

Regards,
Mohit Verma
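As an added example (not code from the thread, from NetIQ or from Tomcat), here is a small Python model of what the RemoteIpValve Edward suggested and Mohit configured does with the X-Forwarded-For header, and why internalProxies matters: the header is honoured only when the TCP peer matches internalProxies; from any other peer it is ignored, because a client can write an arbitrary X-Forwarded-For value itself and would otherwise control the address that ends up in logs and audit events. The addresses, regexes and header values below are constructed for the example.

```python
"""Added example: a Python model of Tomcat's RemoteIpValve X-Forwarded-For handling.

Not code from the thread, NetIQ or Tomcat; it mirrors the documented valve
behaviour so the trust decision is visible. Addresses, regexes and header
values are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ResolvedClient:
    remote_addr: str                                   # address the application (and its audit log) will report
    proxies: List[str] = field(default_factory=list)   # trustedProxies hops found in the header
    header_trusted: bool = False                       # True only when the TCP peer matched internalProxies


def resolve_client_ip(peer_addr: str, xff_header: Optional[str],
                      internal_proxies: str, trusted_proxies: Optional[str] = None) -> ResolvedClient:
    """Apply RemoteIpValve semantics: the header is believed only when the peer is an
    internal proxy; the chain is then walked from the nearest hop backwards, dropping
    internal proxies, recording trusted proxies, and stopping at the first address that
    is neither (the real client)."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    # Untrusted peer: X-Forwarded-For is ignored, since any client can set it.
    if not internal.fullmatch(peer_addr):
        return ResolvedClient(remote_addr=peer_addr)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer_addr
    proxies: List[str] = []
    while hops:
        hop = hops.pop()            # rightmost entry is the hop closest to us
        client = hop
        if internal.fullmatch(hop):
            continue                # internal proxies are dropped from the chain
        if trusted and trusted.fullmatch(hop):
            proxies.insert(0, hop)  # trusted proxies are kept, in original order
            continue
        break                       # first address we do not own: the client
    return ResolvedClient(remote_addr=client, proxies=proxies, header_trusted=True)


# Constructed configuration: the F5 VIPs sit in 10.0.0.0/8 for this example.
INTERNAL_PROXIES = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
TRUSTED_PROXIES = r"192\.0\.2\.10"


def demo_cases():
    """Return the outcomes for a few constructed requests."""
    return {
        # request via the VIP: the header is honoured
        "via_lb": resolve_client_ip("10.0.0.5", "203.0.113.7", INTERNAL_PROXIES),
        # direct request carrying a made-up header: the header is ignored
        "forged": resolve_client_ip("203.0.113.7", "198.51.100.9", INTERNAL_PROXIES),
        # two internal hops before the client
        "two_hops": resolve_client_ip("10.0.0.5", "203.0.113.7, 10.0.0.6", INTERNAL_PROXIES),
        # an external trusted proxy is recorded but not reported as the client
        "trusted": resolve_client_ip("10.0.0.5", "203.0.113.7, 192.0.2.10",
                                     INTERNAL_PROXIES, TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for name, res in demo_cases().items():
        print(f"{name:9s} -> client={res.remote_addr} proxies={res.proxies} trusted={res.header_trusted}")
```

The practical check this suggests for the thread's setup: confirm that the internalProxies regex actually matches the address Tomcat sees as the TCP peer (the F5's SNAT or VIP address), because if it does not, the valve silently leaves the VIP address in place even though the header is present in the debug log.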
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 05-12-2018 10:06 AM, Mohit verma02 wrote:
> Thanks Edward.
> Did try the steps in
> https://www.netiq.com/documentation/access-manager-44/admin/data/b8n3v8l.html
> .
> Used below snippet to configure Server.xml.
> "
> <Engine defaultHost="localhost" name="Catalina">
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> internalProxies="IP addresses" />
> "
>
> Did manage to see the x-forwarded-for header with the actual Client IP
> but still getting the VIP IP in Sentinel.
>
> Regards,
> Mohit Verma


Can you enable debug logging for the application under the IDP config in Logging & Auditing? Capture a POST or GET event and check what the client IP in there is set to.

--
Cheers,
Edward
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Hi Edward,

Many thanks for reverting.
Please find below the logs captured. We were already on Debug, and below is what we are seeing in the logs for the POST event.

<amLogEntry> 2018-12-05T23:41:26Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 7 * Server has received a request on thread http-nio-xx.xx.xxx.xx-8443-exec-1
7 > POST https://xxxxxxxxxxxxx/nidp/oauth/nam/token?resourceServer=xxx
7 > accept: */*
7 > content-length: 214
7 > content-type: application/x-www-form-urlencoded
7 > host: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
7 > user-agent: curl/7.62.0
7 > x-forwarded-for: xxxxxxxx(Getting the actual Source IP and not VIP)
</amLogEntry>

Cheers,
Mohit
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Interestingly, for SAML we are seeing the actual source IP in Sentinel, but for OAuth we are not. This is when no changes are made to the valve configuration for Tomcat.
I need some help as I am not an expert in NAM, so is there any specific reason for this difference between SAML and OAuth? I was thinking it should have behaved in the same manner for both.

Regards,
Mohit
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 13-12-2018 3:34 PM, Mohit verma02 wrote:
>
> Interestingly for SAML we are seeing the actual source IP in Sentinel
> but for OAuth, we are not. This I am talking when no changes are made in
> the valve configurations for tomcat.
> I need some help as not an expert in NAM, so is there any specific
> reason why this difference between SAML and OAUTH? Was thinking may be
> should have behaved in same manner for both.


So I finally had some time to test this. I don't have a full-blown Sentinel setup, so I'm just using the auditing-to-file option, and I don't see an IP address in there:

{
"appName": "Novell Access Manager",
"timeStamp": "Fri, 14 Dec 2018 22:46:21 +1100",
"eventId": "002E0028",
"subTarget": "6fd4181a-9841-4960-9f6d-18eda5f455bd",
"stringValue1": "1544787981011",
"stringValue2": "1234",
"stringValue3": "From: 1544787980000 - To :1544788160000",
"numericValue1": 0,
"numericValue2": 0,
"numericValue3": 0,
"component": "nidp\\\\oauth",
"data": null,
"originator": "16BF98EF28F5B719",
"description": "NIDS: OAuth2 Authorization code issued",
"message": "[Fri, 14 Dec 2018 22:46:21 +1100] [Novell Access Manager\\\\nidp\\\\oauth]: AMDEVICEID#16BF98EF28F5B719: OAuth2 authorization code
issued to user: [edward]. Issued At: [1544787981011] Issued to Client: [1234] Token Identifier: [6fd4181a-9841-4960-9f6d-18eda5f455bd] Validity:
[From: 1544787980000 - To :1544788160000]",
"target": "edward"
}


--
Cheers,
Edward
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Thanks a ton Edward. Really appreciate the way you are helping the guys on the forums.
Below is the event structure we get in the NAM logs in our environment, which is configured to send events to Sentinel.

<amLogEntry> 2018-12-16T23:29:57Z INFO NIDS OAuth: Event Id: XXXXXX, Target: XXXXXXXX, Sub-Target: {"tokenIdentifier":"","grantType":"Resource Owner Credentials","resourceServerName":"XXX"}, Note 1: 1545002997072-null, Note 2: XXX, Note 3: From: 1545002997072 - To :1545006597072, Numeric 1: 0 </amLogEntry>

I just went through the below URL. As per my understanding, the rsyslog agent collects the events and then passes them to the syslog server, which is Sentinel in our case.

https://www.netiq.com/documentation/access-manager-42/resources/NAM_Auditing_with_Syslog.pdf

rsyslog agent on our NAM servers: rsyslog-8.24.0-16.el7_5.4.x86_64

I guess this syslog agent detects the source IP, captures it and sends it across, which might not be visible in the logs and event structure, but I can see it in Sentinel as under. sip is mapped to Source IP in Sentinel. The below structure is for Identity Manager in Sentinel; it is similar for Access Manager as well. So to summarize, I am getting the actual client IP in sip for SAML-based applications, but for OAuth I am not getting the actual client IP in the sip field.

{
"_index": "security.events.normalized_20181217",
"_type": "event",
"_id": "AWe41IFTEgoSHyrCQKvO",
"_version": 1,
"_score": null,
"_source": {
"msg": "Status Success channel:system\\idm\\driverset\\EmailNotifyDriver\\Publisher object:<null> level:success object-type:heartbeat event-id:0 from XXXXXXXXX",
"estzhour": "19",
"vul": "0",
"xdasprov": "0",
"xdasid": "4",
"tid": "1",
"estzdiy": "350",
"dt": "1544987339051",
"estzmonth": "11",
"rv32": "IDM",
"id": "27DA6FE1-E393-1036-9C75-005056982B78",
"estz": "UTC",
"sip": "XXXXXXXXX",
"sp": "EmailNotifyDriver",
"rv39": "default",
"st": "N",
"evt": "Publisher Status Success heartbeat",
"ei": "{\"Event ID\":\"0\",\"MIMEtype\":\"text/xml\"}",
"sev": "0",
"xdasoutcomename": "XDAS_OUT_SUCCESS",
"xdasreg": "0",
"obsip": "XXXXXXXXXX",
"estzmin": "8",
"estzdiw": "1",
"xdasoutcome": "0",
"xdasclass": "1",
"rv24": "CBEC35B2-83C0-1036-84D5-005056982B78",
"rv40": "00030001",
"xdastaxname": "XDAS_AE_QUERY_TRUST",
"estzdim": "16",
"rv171": "408E7E50-C02E-4325-B7C5-2B9FE4853476",
"xdasdetail": "0",
"pn": "NetIQ Identity Manager"
},
"fields": {
"dt": [
1544987339051
]
},
"sort": [
1544987339051
]
}

Regards,
Mohit
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 17-12-2018 11:14 AM, Mohit verma02 wrote:
> I guess this syslog agent detects the source IP and then captures it and
> send across which might not be visible in the logs and event structure
> but I can see in Sentinel as under. sip is mapped to Source ip in
> Sentinel. Below structure is for Identity manager in Sentinel. Similar
> is for Access manager as well. So to summarize I am getting actual
> client IP in sip for SAML based applications but for OAuth I am not
> getting the actual client IP in sip field.


Let me spin up a Sentinel server and see what i get.


--
Cheers,
Edward
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Thanks a ton Edward.
Really appreciate your help.

Regards,
Mohit Verma
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 18-12-2018 10:16 AM, Mohit verma02 wrote:
> Thanks a ton Edward.
> Really appreciate your help.
>
> Regards,
> Mohit Verma

OK, so I finally found some time to spin up a Sentinel server and test this. The OAuth event (I'm just using an authz code) still doesn't show a client IP inside Sentinel either; however, as I'm only using my browser for this, I can see an authentication event (same session ID) where I can see the correct source IP.



--
Cheers,
Edward
Mohit_Verma02 Trusted Contributor.

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8

Thanks for the update Edward.
Does this mean we need to raise a service request with NetIQ for this? Looks like OOB functionality doesn't provide this feature.
What IP do you see in Sentinel though? Is it the NAM Source IP?

Regards,
Mohit
Knowledge Partner

Re: Feed actual Client IP Address from NAM IDP to Sentinel 8.2

On 07-01-2019 10:54 AM, Mohit verma02 wrote:
>
> Thanks for the update Edward.
> Does this mean we need to raise a service request with NetIQ for this?
> Looks like OOB functionality doesn't provide this feature.
> What IP do you see in Sentinel though? Is it the NAM Source IP?


The data in the event itself doesn't contain any source IP. The event was generated by NAM, so that is what Sentinel sees. I think this should be seen as a broader event where the authentication (which does contain a source IP) is separated from the token issuing, so I think this is just working as designed. Whether you agree with that design is obviously a different question 🙂


--
Cheers,
Edward
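Edward's closing point is that the OAuth token event carries no source IP but the authentication event for the same session does. As an added example (not part of the thread and not NetIQ or Sentinel code), the following Python joins the two the way a correlation rule or a post-processing script would: for each OAuth event it takes the sip of the latest authentication event with the same session identifier that occurred at or before it, and flags OAuth events that have no such authentication event rather than guessing. The event dicts are constructed to resemble the normalized record Mohit posted (sip, dt, evt); the "sessionid" field name is an assumption made for the example, not a documented Sentinel field.

```python
"""Added example: correlate NAM OAuth audit events (no client IP) with the
authentication event of the same session (which carries the client IP in sip).

Not code from the thread, NetIQ or Sentinel. The events below are constructed;
the 'sessionid' field is a placeholder name assumed for the example.
"""
from collections import defaultdict
from typing import Dict, List

VIP_ADDRESS = "10.0.0.5"  # constructed: the F5 VIP that shows up in place of the client

# Constructed sample of normalized events as they might appear in Sentinel.
SAMPLE_EVENTS: List[Dict] = [
    {"id": "e1", "dt": 1544787900000, "evt": "NIDS: Authenticated session",
     "sip": "203.0.113.7", "sessionid": "S-1"},
    {"id": "e2", "dt": 1544787981011, "evt": "NIDS: OAuth2 Authorization code issued",
     "sip": VIP_ADDRESS, "sessionid": "S-1"},
    # S-2 has a token event but no authentication event: cannot be enriched
    {"id": "e3", "dt": 1544788000000, "evt": "NIDS: OAuth2 Authorization code issued",
     "sip": VIP_ADDRESS, "sessionid": "S-2"},
    # S-3 authenticated twice; the later one is the one in effect for the token
    {"id": "e4", "dt": 1544787950000, "evt": "NIDS: Authenticated session",
     "sip": "198.51.100.9", "sessionid": "S-3"},
    {"id": "e5", "dt": 1544787990000, "evt": "NIDS: Authenticated session",
     "sip": "198.51.100.10", "sessionid": "S-3"},
    {"id": "e6", "dt": 1544787995000, "evt": "NIDS: OAuth2 Authorization code issued",
     "sip": VIP_ADDRESS, "sessionid": "S-3"},
]


def is_auth_event(event: Dict) -> bool:
    return event["evt"].startswith("NIDS: Authenticated")


def is_oauth_event(event: Dict) -> bool:
    return "OAuth2" in event["evt"]


def enrich_oauth_events(events: List[Dict]) -> List[Dict]:
    """Return copies of the OAuth events with 'client_ip' taken from the latest
    authentication event of the same session at or before the OAuth event.
    OAuth events with no such authentication get client_ip=None so that the VIP
    address is never mistaken for a client address."""
    auth_by_session: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        if is_auth_event(event):
            auth_by_session[event["sessionid"]].append(event)
    for auth_list in auth_by_session.values():
        auth_list.sort(key=lambda e: e["dt"])

    enriched: List[Dict] = []
    for event in sorted(events, key=lambda e: e["dt"]):
        if not is_oauth_event(event):
            continue
        candidates = [a for a in auth_by_session.get(event["sessionid"], [])
                      if a["dt"] <= event["dt"]]
        record = dict(event)
        if candidates:
            source = candidates[-1]                 # most recent authentication in effect
            record["client_ip"] = source["sip"]
            record["client_ip_source"] = source["id"]
        else:
            record["client_ip"] = None              # unknown, not the VIP
            record["client_ip_source"] = None
        enriched.append(record)
    return enriched


if __name__ == "__main__":
    for rec in enrich_oauth_events(SAMPLE_EVENTS):
        print(f'{rec["id"]} session={rec["sessionid"]} client_ip={rec["client_ip"]} '
              f'(from {rec["client_ip_source"]})')
```

Keying the join on the session identifier rather than on time alone matters because several users share the VIP as their apparent source address, so a time-window join across sessions would attribute tokens to the wrong client.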