Cannot log workstation IP address on IDP server when going through intermediate device

  • 7010980
  • 22-Oct-2012
  • 22-Oct-2012

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
Identity Server Logging enabled
Auditing of login events enabled

Situation

With auditing of login events enabled on the Identity (IDP) Server, both the user and the user's IP
address are logged. This allows administrators or auditors to verify the IP location of incoming users.

If the IDP server sits behind a proxy or a NATting device (a load balancer, for example), all users
are logged as coming from the same IP address, i.e. the source IP address of the proxy or L4 device.
Assuming that an X-Forwarded-For header exists in the incoming request, the IDP server should be able
to log that unique IP address instead, as it identifies the workstation that triggered the original
request. Being able to send that information to an SLM or Audit server means that events can be
mapped to that specific host.

With Access Manager 3.1, the above logging of X-Forwarded-For IP addresses during login events would
fail, i.e. the IDP server would only log the IP address of the incoming HTTP request, which was that of
the intermediate proxy or load balancer.

Resolution

Upgrade to Access Manager 3.2 and enable the Tomcat RemoteIpValve using the following procedure:

1) For Tomcat 7 (in Access Manager 3.2 SP1), add the following Valve line to the IDP's server.xml (path: /opt/novell/nam/idp/conf/server.xml) directly below the Engine element:

<Engine defaultHost="localhost" name="Catalina">
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="192.168.1.1" />

The internalProxies value must correspond to the IP addresses of the intermediate proxies and load balancers in use in the environment. Note that Tomcat treats the value as a regular expression matched against the whole source address, so escape the dots (e.g. "192\.168\.1\.1") and join several proxies with "|" (e.g. "192\.168\.1\.1|192\.168\.1\.2"). Keep the pattern as narrow as possible: any host whose address matches it is allowed to dictate the Source IP Address that ends up in the audit log simply by sending an X-Forwarded-For header, and a proxy that is not listed will itself be logged as the client.

2) Restart Tomcat on the IDP server using "/etc/init.d/novell-idp restart".

By enabling this configuration, Tomcat replaces the value of the request's "remoteAddr" attribute with the client IP taken from the "X-Forwarded-For" header: the valve walks the header from right to left, discards the hops that match internalProxies, and uses the first remaining address as the remote address. Because the valve only acts on requests whose source address matches internalProxies, a client that reaches the IDP server directly cannot change its logged address by adding the header itself. The logged value is, however, only as trustworthy as the proxy that supplied it, so the proxy or load balancer must append (or overwrite) X-Forwarded-For rather than pass a client-supplied value through unchanged. Please see the following articles for a detailed description of this process: http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html http://code.google.com/p/xebia-france/wiki/RemoteIpValve
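The following Python script is an added illustration, not code from the article or from Tomcat: it models the right-to-left X-Forwarded-For walk that RemoteIpValve performs and runs it over constructed requests, so the effect of the internalProxies pattern on what the IDP server would log can be checked before editing server.xml. The proxy address 192.168.1.1 and workstation 10.1.1.1 are the article's; the other addresses (1.2.3.4, 203.0.113.5, 192.168.1.2, 192.168.50.7) and the scenario names are made up for the example, and the "all hops internal" case is simplified relative to Tomcat's own handling.

```python
import re

# Constructed example: a simplified model of how Tomcat's RemoteIpValve derives the
# client address from X-Forwarded-For. This is illustration code, not Tomcat's or
# NetIQ's implementation, and the IP addresses below are made up for the demo.


def make_resolver(internal_proxies):
    """Return a function that mimics RemoteIpValve for the given internalProxies regex.

    Tomcat matches internalProxies as a java.util.regex pattern against the whole
    source address, so dots must be escaped and several proxies joined with '|'.
    """
    internal = re.compile(internal_proxies)

    def resolve(remote_addr, x_forwarded_for=None):
        """Return (client_ip, remaining_xff) as the valve would expose them."""
        # The header is only honoured when the TCP peer is a configured proxy:
        # a client that connects directly cannot change remoteAddr by sending it.
        if not internal.fullmatch(remote_addr) or not x_forwarded_for:
            return remote_addr, x_forwarded_for
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        # Walk from the right (nearest hop) to the left, dropping internal proxies.
        # The first non-internal address is the client as seen by the outermost proxy;
        # anything left of it is whatever the client itself put in the header.
        for i in range(len(hops) - 1, -1, -1):
            if not internal.fullmatch(hops[i]):
                remaining = ", ".join(hops[:i]) or None
                return hops[i], remaining
        # Every hop matched internalProxies (simplification: keep the peer address).
        return remote_addr, None

    return resolve


def scenarios():
    """Run constructed requests through three internalProxies configurations."""
    exact = make_resolver(r"192\.168\.1\.1")               # the article's single LB
    both = make_resolver(r"192\.168\.1\.1|192\.168\.1\.2")  # two proxies in the chain
    broad = make_resolver(r"192\.168\.\d{1,3}\.\d{1,3}")    # whole /16 trusted (too wide)
    return {
        # LB appends the workstation address: logged as 10.1.1.1, as in the article.
        "lb_appends_client": exact("192.168.1.1", "10.1.1.1"),
        # Workstation sends its own fake header, LB appends the real address on the
        # right: the valve still picks 10.1.1.1 and leaves the fake value in the header.
        "client_spoof_lb_appends": exact("192.168.1.1", "1.2.3.4, 10.1.1.1"),
        # Direct connection from an untrusted host: header ignored, peer address logged.
        "direct_client_with_header": exact("203.0.113.5", "10.1.1.1"),
        # Second proxy not listed in internalProxies: the proxy itself gets logged.
        "unlisted_second_proxy": exact("192.168.1.1", "10.1.1.1, 192.168.1.2"),
        # Same chain with both proxies listed: the workstation is logged again.
        "listed_second_proxy": both("192.168.1.1", "10.1.1.1, 192.168.1.2"),
        # Over-broad pattern: any host in 192.168.0.0/16 can forge the audited address.
        "broad_pattern_spoof": broad("192.168.50.7", "10.1.1.1"),
    }


if __name__ == "__main__":
    for name, (ip, rest) in scenarios().items():
        print(f"{name:28s} Source IP Address: [{ip}]  remaining XFF: {rest}")
```

The "unlisted_second_proxy" and "broad_pattern_spoof" cases are the two configuration mistakes worth checking for: the first silently puts a proxy address into the audit trail, the second lets any host on the trusted range choose what the audit server records.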

If the load balancer at 192.168.1.1 adds the X-Forwarded-For HTTP header to requests destined for the IDP server, the Audit server user login entry now shows the following (assuming the user logged in from workstation IP address "10.1.1.1"):

[Tue, 23 Oct 2012 17:18:22 +0550] [Novell Access Manager\nidp]: AMDEVICEID#CA19A575F9D40B70: AMAUTHID#1085851D966574674446F62EDE008900: User session was authenticated: [cn=ncashell,o=novell]. Authentication Type: [Local] Authenticating Entity Name: [Name/Password - Form] Contract Class or Method Name: [name/password/uri] Source IP Address: [10.1.1.1]