Announcement: Beta Release of Deploying Access Manager in Docker Container

Deploying Access Manager in Docker Containers


Micro Focus is happy to announce the Beta release of deploying Access Manager as Containers. Access Manager supports Docker for deploying the containers. Access Manager components are delivered as Docker images and are self-sufficient to run on their own.

Access Manager Docker images are optimized to run on Kubernetes, a popular container orchestration engine for Docker. Kubernetes simplifies deploying, running, scaling, and upgrading Access Manager Docker images. The Access Manager Docker images are cloud-native applications and can run in Kubernetes environments deployed on Linux servers and cloud.

Introducing NetIQ Risk Service v2.0

Product Release Announcement: NetIQ Risk Service v2.0


Micro Focus is pleased to announce the availability of NetIQ Risk Service v2.0. This release brings advanced levels of Adaptive Access Management (AAM) to organizations that didn’t have the specialized knowledge or resources to implement it. Through its turnkey integration with ArcSight Interset, NetIQ Risk Service significantly simplifies the adoption of User and Entity Behavioral Analytics (UEBA), enabling organizations to do more than simple step-up authentication. Used together, this solution from Micro Focus raises access management to a higher level of access control intelligence.

Configure Local Firewall on SLES for NAM

Configuring SuSEfirewall2 on SLES 12 for Access Manager


First, create a firewall service file that contains the ports to open. The example below assumes the Administration Console and Identity Server run on the same machine; refer to the documentation to adjust as necessary.

> vi /etc/sysconfig/SuSEfirewall2.d/services/netiq-access-manager

Access Manager and Google Chrome v80

Configuring Support for Access Manager on Google Chrome Browser


From version 80 onwards, Google Chrome changes how cookies are handled in the browser by enforcing the SameSite and Secure cookie configuration. To support this Chrome version with Access Manager, you will need to configure the following options.

Authentication Denied due to Low Memory

New Authentications Denied due to Low System Memory


Situation


Periodically, new connections to Identity Server or Access Gateway (proxy) services were failing with the following error:

New authentications are being denied due to low system memory. Threshold 10 Current: 6.109713

Restarting the Identity Server or Access Gateway would temporarily resolve the problem.

The Access Manager 4.4.4 Appliances each had 8 GB of memory. As the error concerned authentications rather than proxy connections, it was suspected that this was a Java memory issue in the embedded service provider (ESP).

The default Java memory is 1 GB; it had already been increased to 2 GB, but the problem persisted.

 

Environment


  • Micro Focus Access Manager 4.4.4 Appliance(s)


Resolution


Enabling Statistics Logging on the IDP Cluster will also enable statistics in the catalina log for the ESP on the Access Gateway. A recommended logging interval value for a production system would be 600 (seconds).

These statistics are then printed to the log every ten minutes and look like this:

NIDPMonitor: Tick: 598

                          System Status

                          Initialization State: Started

                          Total Sessions: 26497

                          Total Subjects: 1766

                          Total Principals: 3532

                          System Memory

                          Free Memory: 3.2926752E8 

                          Total Memory: 2.11759923E9 

                          Percent Free: 15.549095

We can see that this is a busy Access Manager system.

Total memory is 2.11 × 10^9, which equates to the -Xmx2048m (maximum heap memory) value configured in server.xml.

In the statistics above, only 15% of memory is available.


The error mentioned above states "Threshold 10 Current: 6.109713"

The Threshold of 10 is defined in server.xml

JAVA_OPTS="${JAVA_OPTS} -Dnids.freemem.threshold=10" 

The ESP limits further authentications when free memory goes below 10%, and throttling begins, as we see in this example:

   Free Memory: 1.36996032E8 

   Total Memory: 2.11759923E9

   Percent Free: 6.4694033

   System Throttle:

   Due to Low Memory: (Request Blocked)

The solution here is to allocate more than 2 GB of memory to the Java heap. As the server has 8 GB RAM and is a dedicated Access Manager Appliance, 4 GB is sufficient for the operating system and we can allocate 4 GB to the Java heap for the Identity Server.

As we know from our baseline that we will use at least 2 GB for Java, we should allocate at least this value at startup (-Xms) to improve performance.


The following line was added to /opt/novell/nam/idp/conf/tomcat.conf to resolve the problem.

JAVA_OPTS="-server -Xmx4096m -Xms2048m -Xss128k"
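The following added example (not part of the original article or the product) parses NIDPMonitor statistics blocks in the format shown above and flags ticks where free heap is below, or close to, the nids.freemem.threshold value, so the condition can be alerted on before authentications are denied. The tick number 1198, the `margin` parameter and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the NIDPMonitor format shown above. Memory values are
# the two excerpts from this article; the second tick number is made up.
SAMPLE_LOG = """\
NIDPMonitor: Tick: 598
   System Memory
   Free Memory: 3.2926752E8
   Total Memory: 2.11759923E9
   Percent Free: 15.549095
NIDPMonitor: Tick: 1198
   System Memory
   Free Memory: 1.36996032E8
   Total Memory: 2.11759923E9
   Percent Free: 6.4694033
   System Throttle:
   Due to Low Memory: (Request Blocked)
"""

TICK = re.compile(r"NIDPMonitor: Tick: (\d+)")
FIELD = re.compile(r"^\s*(Free Memory|Total Memory):\s*([0-9.]+(?:E[0-9]+)?)\s*$")

def parse_ticks(text):
    """Split the log text into one dict per NIDPMonitor tick."""
    ticks = []
    for line in text.splitlines():
        m = TICK.search(line)
        if m:
            ticks.append({"tick": int(m.group(1)), "blocked": False})
        elif ticks:
            f = FIELD.match(line)
            if f:
                ticks[-1][f.group(1)] = float(f.group(2))
            elif "Request Blocked" in line:
                ticks[-1]["blocked"] = True
    return ticks

def classify(tick, threshold=10.0, margin=10.0):
    """Recompute percent free from the raw values and grade it."""
    pct = 100.0 * tick["Free Memory"] / tick["Total Memory"]
    if tick["blocked"] or pct < threshold:
        return pct, "THROTTLED"   # below -Dnids.freemem.threshold
    if pct < threshold + margin:
        return pct, "WARNING"     # within the (assumed) safety margin
    return pct, "OK"

def report(text, threshold=10.0, margin=10.0):
    """Return (tick, percent_free, state) for every tick with memory data."""
    usable = [t for t in parse_ticks(text) if "Free Memory" in t and "Total Memory" in t]
    return [(t["tick"], *classify(t, threshold, margin)) for t in usable]
```

Calling `report(SAMPLE_LOG)` grades the first excerpt as WARNING and the second as THROTTLED; pass the log file's contents and the threshold configured on the server to use it on real data.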

Preview Customized NAM Error Messages

Access Manager : Preview Customized Error Messages

You can do the following to preview the customized error messages located here: 

/opt/novell/apache2/share/apache2/error


How to customize Access Manager Error Messages

Early Access of NAM Analytics Dashboard v5.0

Early Access of Access Manager Analytics Dashboard v5.0


Micro Focus is happy to announce the early access release of the re-architected and cloud-ready Access Manager Analytics Dashboard. Analytics Dashboard offers deeper visualization of your Access Manager environment, system statistics, access pattern, and more. Analytics Dashboard will replace the current Access Manager Analytics Dashboard in v5.0.

Analytics Server is built as a cloud-native application and it will support diverse deployment options including containers, cloud (in FCS), and of course virtual servers. Analytics Dashboard is built on top of the latest ELK stack and offers significant improvements over the incumbent Analytics Server.

The following are some of the noteworthy updates:
  • Significantly reduced hardware requirements:

For demonstration purposes:
CPU: 2 Cores
Memory: 4 GB
Hard disk: 50 GB

For a production environment:
CPU: 4 Cores
Memory: 16 GB

 


Access Gateway and SNI support

Access Gateway and SNI support

Introduction


Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client can mention which hostname it is attempting to connect to at the start of the TLS handshaking process. This enables the server to select the correct virtual domain and corresponding TLS certificate at the very beginning of the process of establishing secure communication with the client.

The purpose of this document is to help users enable SNI and benefit from it in the secure TLS communication of Access Gateway (AG) (pre NAM 5.0). There are two such channels available at AG.

  1. Between browser and AG.
  2. Between AG and backend webserver.