ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

ScorpionSting;2494223 wrote:
Nope, wasn't the problem....


<amLogEntry> 2019-01-24T02:27:50Z SEVERE NIDS Application: com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDBException message: "com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB"
WebappClassLoaderBase.java, Line: 1309, Method: loadClass
WebappClassLoaderBase.java, Line: 1137, Method: loadClass
Class.java, Line: -2, Method: forName0
Class.java, Line: 264, Method: forName
GeoLocationFactory.java, Line: 89, Method: getProviderInstance
</amLogEntry>


I'm using this script to compile https://drive.google.com/open?id=1OrxY0DrgrTB9kmBlPDb-VzZIIgopDNub


So,

This misleading error was because of the code:


geoLocBean.setMetroCode(response.getLocation().getMetroCode().toString());


Which is not part of the returned JSON from the MMDB, so I've taken this out and added the Time Zone as Risk accepts this:


package com.netiq.custom.risk.core.geoloc.providers;

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.util.Properties;

import com.maxmind.geoip2.*;
import com.maxmind.db.*;
import com.maxmind.geoip2.model.*;
import com.maxmind.geoip2.record.*;
import com.maxmind.geoip2.exception.GeoIp2Exception;
import com.maxmind.geoip2.exception.AddressNotFoundException;

import com.novell.nam.nidp.risk.core.geoloc.AbstractProvider;
import com.novell.nam.nidp.risk.core.geoloc.exception.GeoLocException;
import com.novell.nam.nidp.risk.core.geoloc.model.GeoLocBean;
import com.novell.nam.nidp.risk.logging.RiskLog;

public class MaxMindLocalDB extends AbstractProvider {
    // Path of the GeoLite2 City MMDB, taken from the provider property "citydbfile"
    String m_CityDBFile = null;
    Properties m_Props = null;
    // Path the current reader was built from; a changed property forces a rebuild
    String m_OldCityDBFile = null;
    // Shared by all requests: opening the MMDB is expensive, a lookup is cheap
    private static DatabaseReader dbReader;

    public MaxMindLocalDB(Properties props) {
        super(props);
        m_Props = props;
    }

    @Override
    public void init(Properties props) {
        m_CityDBFile = props.getProperty("citydbfile");
        RiskLog.debug("MaxMindLocalDB: DB file path " + m_CityDBFile);
    }

    @Override
    public GeoLocBean readGeoLocInfo(InetAddress ipAddress) throws GeoLocException {
        boolean createLookupService = false;
        GeoLocBean geoLocBean = new GeoLocBean();
        try {
            RiskLog.debug("MaxMindLocalDB: IPAddress " + ipAddress);
            m_CityDBFile = m_Props.getProperty("citydbfile");
            if (m_OldCityDBFile == null || !m_OldCityDBFile.equalsIgnoreCase(m_CityDBFile)) {
                createLookupService = true;
                // Log before overwriting m_OldCityDBFile so old and new paths are both visible
                RiskLog.debug("MaxMindLocalDB: DB new file " + m_CityDBFile + " old file " + m_OldCityDBFile
                        + " createLookupService instance " + createLookupService);
                m_OldCityDBFile = m_CityDBFile;
            }
            RiskLog.debug("MaxMindLocalDB: DB file " + m_CityDBFile);
            if (createLookupService || dbReader == null) {
                File database = new File(m_CityDBFile);
                dbReader = new DatabaseReader.Builder(database).withCache(new CHMCache()).build();
                RiskLog.debug("MaxMindLocalDB: Lookup service instance created");
            }
            try {
                // city() throws AddressNotFoundException (a GeoIp2Exception) for addresses that are
                // not in the database, e.g. private ranges; that is caught below as a GeoLocException
                CityResponse response = dbReader.city(ipAddress);
                if (response != null) {
                    RiskLog.debug("MaxMindLocalDB: CityResponse " + response.toString());
                    City city = response.getCity();
                    Country country = response.getCountry();
                    Location location = response.getLocation();
                    Postal postal = response.getPostal();
                    Subdivision subdivision = response.getMostSpecificSubdivision();
                    RiskLog.debug("MaxMindLocalDB: City=" + city.getName() + "~Country=" + country.getName()
                            + "~CountryCode=" + country.getIsoCode() + "~PostalCode=" + postal.getCode()
                            + "~RegionCode=" + subdivision.getIsoCode() + "~RegionName=" + subdivision.getName()
                            + "~State=" + subdivision.getName() + "~StateCode=" + subdivision.getIsoCode()
                            + "~TimeZone=" + location.getTimeZone());
                    // Prepare the name=value bean. Area code, metro code and organisation are not
                    // returned by this MMDB (metro code was the cause of the error above), so they stay null.
                    geoLocBean.setAreaCode(null);
                    geoLocBean.setCity((city.getName() != null) ? city.getName().toLowerCase() : null);
                    geoLocBean.setCountry((country.getName() != null) ? country.getName().toLowerCase() : null);
                    geoLocBean.setCountryCode((country.getIsoCode() != null) ? country.getIsoCode().toLowerCase() : null);
                    geoLocBean.setMetroCode(null);
                    geoLocBean.setOrganization(null);
                    geoLocBean.setPostalCode(postal.getCode());
                    geoLocBean.setRegionCode((subdivision.getIsoCode() != null) ? subdivision.getIsoCode().toLowerCase() : null);
                    geoLocBean.setRegionName((subdivision.getName() != null) ? subdivision.getName().toLowerCase() : null);
                    geoLocBean.setState((subdivision.getName() != null) ? subdivision.getName().toLowerCase() : null);
                    geoLocBean.setStateCode(subdivision.getIsoCode());
                    geoLocBean.setTimeZone(location.getTimeZone());
                    return geoLocBean;
                }
            }
            catch (IOException e) {
                // Read failure on the MMDB during lookup: report no location rather than failing the request
                return null;
            }
        }
        catch (IOException e) {
            // The MMDB could not be opened (missing file, wrong path, unreadable)
            e.printStackTrace();
            throw new GeoLocException(e);
        }
        catch (GeoIp2Exception e) {
            // Lookup error, including AddressNotFoundException for addresses outside the database
            e.printStackTrace();
            throw new GeoLocException(e);
        }
        return null;
    }
}

Visit my Website for links to Cool Solution articles.
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

matt;2494221 wrote:
I tested Chandu's new one and it works! You have to compile it yourself and I noticed the first line has a typo:

package com.netiq.custom.risk.core.geloc.providers;

should be:

package com.netiq.custom.risk.core.geoloc.providers;



I'd be interested in your version that allows you to exclude IP addresses. One issue with the Cool Solution version is that if it doesn't find the IP address in the MaxMind DB (e.g. a private IP) it throws an exception. I got around this with a separate rule to check for internal networks. But I'm all about options!

Matt


How about wrapping the CityResponse response = dbReader.city(IPAddress); into a deeper try and instead of a catch throw, a catch return geoLocBean (being empty)...?

Visit my Website for links to Cool Solution articles.
0 Likes
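The "deeper try" suggested above, written out as an added example (not code from the thread, NAM or MaxMind): the MaxMind reader raises AddressNotFoundException for addresses that are simply absent from the database, such as RFC 1918 ranges, and that case is turned into an empty result the caller can map to an empty GeoLocBean, while a missing or corrupt MMDB and real read errors still propagate so a broken database is not silently reported as "location unknown". The class name, the non-routable pre-check and the sample addresses are assumptions; the MMDB path matches the install notes later in the thread.

```java
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.util.Optional;

import com.maxmind.db.CHMCache;
import com.maxmind.geoip2.DatabaseReader;
import com.maxmind.geoip2.exception.AddressNotFoundException;
import com.maxmind.geoip2.exception.GeoIp2Exception;
import com.maxmind.geoip2.model.CityResponse;

/**
 * Hypothetical lookup helper (not NAM or MaxMind code): "not in the database"
 * becomes Optional.empty(), every other failure is still thrown.
 */
public final class SafeCityLookup implements AutoCloseable {
    private final DatabaseReader reader;

    public SafeCityLookup(File mmdbFile) throws IOException {
        // Same reader construction as the provider posted above
        this.reader = new DatabaseReader.Builder(mmdbFile).withCache(new CHMCache()).build();
    }

    /** True for address ranges a public GeoIP database never contains. */
    public static boolean isNonRoutable(InetAddress ip) {
        // isSiteLocalAddress covers 10/8, 172.16/12, 192.168/16 (and fec0::/10, not fc00::/7 ULA)
        return ip.isSiteLocalAddress() || ip.isLoopbackAddress()
                || ip.isLinkLocalAddress() || ip.isAnyLocalAddress();
    }

    /**
     * Optional.empty() means "no location known": a normal outcome the caller
     * maps to an empty bean. I/O errors and other GeoIp2Exceptions propagate.
     */
    public Optional<CityResponse> lookup(InetAddress ip) throws IOException, GeoIp2Exception {
        if (isNonRoutable(ip)) {
            return Optional.empty(); // do not even ask the reader
        }
        try {
            return Optional.of(reader.city(ip));
        } catch (AddressNotFoundException notFound) {
            // Not an error: the address is outside every network in the database
            return Optional.empty();
        }
    }

    /** Null-safe summary of the fields the provider copies into its bean. */
    public static String summarize(Optional<CityResponse> result) {
        if (!result.isPresent()) {
            return "unknown";
        }
        CityResponse c = result.get();
        return c.getCountry().getIsoCode() + "/" + c.getCity().getName()
                + "/" + c.getLocation().getTimeZone();
    }

    @Override
    public void close() throws IOException {
        reader.close();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path (from the install notes in this thread). Constructed sample addresses:
        // 10.0.0.5 is RFC 1918 and 203.0.113.10 is TEST-NET-3, so neither is in GeoLite2.
        try (SafeCityLookup lookup = new SafeCityLookup(new File("/opt/novell/GeoLite2-City.mmdb"))) {
            for (String s : new String[] {"10.0.0.5", "203.0.113.10"}) {
                InetAddress ip = InetAddress.getByName(s);
                System.out.println(s + " -> " + summarize(lookup.lookup(ip)));
            }
        }
    }
}
```

Keeping "not found" and "database broken" as distinct outcomes matters for the risk policy: an empty bean should only ever mean the address is outside the database, otherwise an unreadable MMDB would quietly downgrade every geolocation rule to "no data".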
jrmhscht Super Contributor.

Re: Risk Geolocation GeoIP

You can download our custom copy here: https://drive.google.com/file/d/1v74IhHuWRjkAKAM9pKZ_j07obd_aqy6f/view?usp=sharing

Basic Install instructions:

Copy files to /opt/novell/nids/lib/webapp/WEB-INF/lib/
- maxmind-db-1.2.2.jar
- geoip2-2.12.0.jar
- maxmind-Geo_cust.jar

Copy these to a location of your choice (/opt/novell)
- GeoLite2-City.mmdb
- localip.json

Update the localip.json file to suit your needs.

Restart the IDP.

Set up a custom provider:
Name = MaxMindLocalDB
Class path = com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB

Configure two properties:
citydbfile = /opt/novell/GeoLite2-City.mmdb
GeoIpLocOverrideFile = /opt/novell/localip.json

Obviously there is no warranty or promise it won't wreck your system etc., but we are running this in production on NAM 4.4.
0 Likes
matt4 Honored Contributor.

Re: Risk Geolocation GeoIP

jrmhscht;2494257 wrote:
You can download our custom copy here: https://drive.google.com/file/d/1v74IhHuWRjkAKAM9pKZ_j07obd_aqy6f/view?usp=sharing

Basic Install instructions:

Copy files to /opt/novell/nids/lib/webapp/WEB-INF/lib/
- maxmind-db-1.2.2.jar
- geoip2-2.12.0.jar
- maxmind-Geo_cust.jar

Copy these to a location of your choice (/opt/novell)
- GeoLite2-City.mmdb
- localip.json

Update the localip.json file to suit your needs.

Restart the IDP.

Set up a custom provider:
Name = MaxMindLocalDB
Class path = com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB

Configure two properties:
citydbfile = /opt/novell/GeoLite2-City.mmdb
GeoIpLocOverrideFile = /opt/novell/localip.json

Obviously there is no warranty or promise it won't wreck your system etc., but we are running this in production on NAM 4.4.



Awesome, thanks! I'll try it in my lab 🙂


I assume though I have to remove the other standalone class from the lib dir before trying your code, right? I assume your MaxMindLocalDB class is in your cust jar?

So if it finds the address in the localip.json, is that considered found or not found or exactly how will that affect the RBA policy result?

You should do a Cool Solution on it!


Matt
0 Likes
jrmhscht Super Contributor.

Re: Risk Geolocation GeoIP

Yes, it will not work with the other class installed. MaxMindLocalDB is in my custom one as well.

I believe the code checks the json file first and if it finds the IP there it returns the location data from there and doesn't check maxmind. It should show as found.

I've never done a cool solution... we'll see if I get time sometime.
0 Likes
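An added example of the override-first behaviour described in this reply (not jrmhscht's jar, and the real schema of localip.json is not shown in the thread, so the override entries are constructed in code rather than parsed from that file): a list of CIDR prefixes is consulted before the MaxMind database, an override hit is reported as "found" with the configured location, and only addresses no entry covers reach the database. The class and field names, the CIDR format and the sample networks are assumptions; the database lookup is passed in as a function so the example runs without an MMDB.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;

/** Hypothetical resolver (not jrmhscht's code): local override list, then the database. */
public final class OverrideFirstResolver {

    /** Minimal location record; field names follow the provider's bean. */
    public static final class Location {
        public final String source;      // "override" or "maxmind", so logs show which one answered
        public final String countryCode;
        public final String city;
        public final String timeZone;

        public Location(String source, String countryCode, String city, String timeZone) {
            this.source = source;
            this.countryCode = countryCode;
            this.city = city;
            this.timeZone = timeZone;
        }

        @Override
        public String toString() {
            return source + ":" + countryCode + "/" + city + "/" + timeZone;
        }
    }

    /** One override: a network prefix and the location reported for it. */
    private static final class Entry {
        final byte[] network;
        final int prefixLen;
        final Location location;

        Entry(byte[] network, int prefixLen, Location location) {
            this.network = network;
            this.prefixLen = prefixLen;
            this.location = location;
        }
    }

    private final List<Entry> entries = new ArrayList<>();
    private final Function<InetAddress, Optional<Location>> databaseLookup;

    /** databaseLookup stands in for the MMDB reader (a stub in main below). */
    public OverrideFirstResolver(Function<InetAddress, Optional<Location>> databaseLookup) {
        this.databaseLookup = databaseLookup;
    }

    /** Adds an override such as "10.0.0.0/8"; entries are matched in insertion order. */
    public void addOverride(String cidr, Location location) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        InetAddress net = InetAddress.getByName(parts[0]); // numeric literal, no DNS query
        int bits = net.getAddress().length * 8;
        int prefixLen = parts.length == 2 ? Integer.parseInt(parts[1]) : bits;
        if (prefixLen < 0 || prefixLen > bits) {
            throw new IllegalArgumentException("bad prefix length in " + cidr);
        }
        entries.add(new Entry(net.getAddress(), prefixLen, location));
    }

    /** Prefix comparison on raw bytes, so IPv4 and IPv6 entries never cross-match. */
    static boolean inPrefix(byte[] addr, byte[] network, int prefixLen) {
        if (addr.length != network.length) {
            return false;
        }
        int fullBytes = prefixLen / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (addr[i] != network[i]) {
                return false;
            }
        }
        int remaining = prefixLen % 8;
        if (remaining == 0) {
            return true;
        }
        int mask = (0xFF << (8 - remaining)) & 0xFF;
        return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
    }

    /** An override hit counts as "found"; otherwise the database decides. */
    public Optional<Location> resolve(InetAddress ip) {
        byte[] addr = ip.getAddress();
        for (Entry e : entries) {
            if (inPrefix(addr, e.network, e.prefixLen)) {
                return Optional.of(e.location);
            }
        }
        return databaseLookup.apply(ip);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the MMDB: constructed to know one documentation address only
        Function<InetAddress, Optional<Location>> fakeDb = ip ->
                ip.getHostAddress().equals("203.0.113.10")
                        ? Optional.of(new Location("maxmind", "us", "example city", "America/Chicago"))
                        : Optional.empty();

        OverrideFirstResolver r = new OverrideFirstResolver(fakeDb);
        // Constructed overrides, the kind of content localip.json would hold
        r.addOverride("10.0.0.0/8", new Location("override", "us", "head office", "America/Chicago"));
        r.addOverride("192.168.50.0/24", new Location("override", "us", "vpn pool", "America/Chicago"));

        for (String s : new String[] {"10.20.30.40", "192.168.50.7", "192.168.51.7", "203.0.113.10"}) {
            InetAddress ip = InetAddress.getByName(s);
            System.out.println(s + " -> " + r.resolve(ip).map(Location::toString).orElse("not found"));
        }
    }
}
```

Because the override file decides which source addresses are treated as "found" and with which country, it directly shapes the risk score; keep it writable only by the account that administers the IDP and record the source field in the audit log so an unexpected override hit is visible.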
JHakvoort
New Member.

Re: Risk Geolocation GeoIP

I'm voting for a step-by-step coolsolution. This is an important part (for the Access Manager) and essential. Is anyone willing to do this? Perhaps the "Analytics Server" component can also be included.
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

JHakvoort;2497095 wrote:
I'm voting for a step-by-step coolsolution. This is an important part (for the Access Manager) and essential. Is anyone willing to do this? Perhaps the "Analytics Server" component can also be included.


I'm just waiting for my Cool Solution to be approved by coolguys.... It utilises the MaxMind Precision City API (complete competition to Neustar)... I've got a script as part of it that does most of the hard work for you. MaxMind publish costs ($0.0004 per query) whereas Neustar keep that data secret until they've roped you in as a potential customer.

Visit my Website for links to Cool Solution articles.
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

JHakvoort;2497095 wrote:
I'm voting for a step-by-step coolsolution. This is an important part (for the Access Manager) and essential. Is anyone willing to do this? Perhaps the "Analytics Server" component can also be included.


Risk is subjective. It depends on what is important to your organisation's content as to how you might implement risk rules and configuration. Analytics will only give you a graphical overview of general happenings, you would still need to determine what you consider "suspicious" and requiring additional inspection. Then, if you throw something like AAF in the mix, then things get more complex. I have a setup that checks the logging in user's history, there are several conditions that would require step-up MFA authentication such as the country they are in, the device fingerprint (compared to history), etc... Therefore, a Cool Solution that meets what you're asking for is almost impossible without knowing how your organisation operates.

Visit my Website for links to Cool Solution articles.
0 Likes
JHakvoort
New Member.

Re: Risk Geolocation GeoIP

ScorpionSting;2497099 wrote:
Risk is subjective. It depends on what is important to your organisation's content as to how you might implement risk rules and configuration. Analytics will only give you a graphical overview of general happenings, you would still need to determine what you consider "suspicious" and requiring additional inspection. Then, if you throw something like AAF in the mix, then things get more complex. I have a setup that checks the logging in user's history, there are several conditions that would require step-up MFA authentication such as the country they are in, the device fingerprint (compared to history), etc... Therefore, a Cool Solution that meets what you're asking for is almost impossible without knowing how your organisation operates.


Sorry! I meant something like this: https://www.netiq.com/communities/cool-solutions/enable-geolocation-access-manager-analytics-dashboard/
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

JHakvoort;2497149 wrote:
Sorry! I meant something like this: https://www.netiq.com/communities/cool-solutions/enable-geolocation-access-manager-analytics-dashboard/


Well, once you set up GeoLocation, the events sent to Analytics/Sentinel/ArcSight/etc will have the Geo fields populated....so not really much to do at their end, just at the IDP side to get the info....

Visit my Website for links to Cool Solution articles.
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

JHakvoort;2497149 wrote:
Sorry! I meant something like this: https://www.netiq.com/communities/cool-solutions/enable-geolocation-access-manager-analytics-dashboard/


If you want to try the Precision City API from MaxMind, you can download the source from: https://www.netiq.com/communities/cool-solutions/wp-content/uploads/sites/2/2019/03/MaxMindPrecision.tar.gz

Then follow the instructions in (pdf of cool solution until it's published)

Visit my Website for links to Cool Solution articles.
0 Likes
ScorpionSting Absent Member.

Re: Risk Geolocation GeoIP

ScorpionSting;2497152 wrote:
If you want to try the Precision City API from MaxMind, you can download the source from: https://www.netiq.com/communities/cool-solutions/wp-content/uploads/sites/2/2019/03/MaxMindPrecision.tar.gz

Then follow the instructions in (pdf of cool solution until it's published)


Finally published: https://www.netiq.com/communities/cool-solutions/maxmind-precision-geolocation-access-manager-4-4-4/

Visit my Website for links to Cool Solution articles.
0 Likes
edmaa Knowledge Partner.

Re: Risk Geolocation GeoIP

On 20-03-2019 7:14 PM, JHakvoort wrote:
>
> I'm voting for a step-by-step coolsolution. This is an important part
> (for the Access Manager) and essential. Is anyone willing to do this?
> Perhaps the "Analytics Server" component can also be included.
>
>

Sounds like you just put your hand up for it 😉

--
Cheers,
Edward
0 Likes
JHakvoort
New Member.

Re: Risk Geolocation GeoIP

edmaa;2497146 wrote:
On 20-03-2019 7:14 PM, JHakvoort wrote:
>
> I'm voting for a step-by-step coolsolution. This is an important part
> (for the Access Manager) and essential. Is anyone willing to do this?
> Perhaps the "Analytics Server" component can also be included.
>
>

Sounds like you just put your hand up for it 😉

--
Cheers,
Edward


Certainly. I get excited about these things.
0 Likes