Maximo

Hi Experts,

This is very unique scenario but I am guessing a lot of you would have faced this issue.

Scenario:

User's browser>CDN> reverse proxy>Load balancer>HTTP server>WAS>Maximo
Above is the flow of user's request to Maximo and the user's login request is registered in Maximo. 
Now, Maximo has this functionality to block IP address when there are more than 50 failed attempts from the same IP.
Currently, Maximo is doing this properly but the IP address registered currently is of the load balancer IP. This is causing blocking of login for all the users.

Now, I know if we configure load balancer to set User's actual IP address in the X-forward-for header than Maximo will be able to capture the right ip address in the failed login attempt and block only the IP address where the failed attempt originated from. 

Now, my questions are as follows:
1. When there is no X-forward-for header(which is the current setup) then how and where is the IP address of the load balancer captured and sent to Maximo?
2. Can we configure HTTP server or WAS to fetch the IP address from a specific header in the request? CDN is sending the user's IP address in the a header called 'True-Client'IP'. I am still investigating if HTTP server is receiving this header information.

Any inputs will be appreciated! 

Thanks in Advance.


------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

#Maximo
#AssetandFacilitiesManagement

That's definitely a pretty complicated flow. Maximo has a system property that enables the login tracking functionality to retrieve the client's IP address when using a load balancer (mxe.system.usingLoadBalancer) that works by looking at the X-Forwarded-For header. There was a bug on some earlier versions of 7.6 where this wouldn't work if there was only a single IP address in the X-Forwarded-For (which would happen when there was only one redirect), but I would try with this enabled to ensure that it really isn't being provided.

We don't use HTTP Server so I've never done what I'm about to say, but I think the apache mod_headers should allow you to replace the header if necessary. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html. Specifically, there is a SetEnvIf that allows you to check for a header and only do something if that header is set. That should allow you to store it in the appropriate place for Maximo to consume.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH
------------------------------

Original Message:
Sent: Mon July 27, 2020 09:22 PM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Experts,

This is very unique scenario but I am guessing a lot of you would have faced this issue.

Scenario:

User's browser>CDN> reverse proxy>Load balancer>HTTP server>WAS>Maximo
Above is the flow of user's request to Maximo and the user's login request is registered in Maximo. 
Now, Maximo has this functionality to block IP address when there are more than 50 failed attempts from the same IP.
Currently, Maximo is doing this properly but the IP address registered currently is of the load balancer IP. This is causing blocking of login for all the users.

Now, I know if we configure load balancer to set User's actual IP address in the X-forward-for header than Maximo will be able to capture the right ip address in the failed login attempt and block only the IP address where the failed attempt originated from. 

Now, my questions are as follows:
1. When there is no X-forward-for header(which is the current setup) then how and where is the IP address of the load balancer captured and sent to Maximo?
2. Can we configure HTTP server or WAS to fetch the IP address from a specific header in the request? CDN is sending the user's IP address in the a header called 'True-Client'IP'. I am still investigating if HTTP server is receiving this header information.

Any inputs will be appreciated! 

Thanks in Advance.


------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

#Maximo
#AssetandFacilitiesManagement

Hi Steve,

Can you please tell me how is maximo getting the user's ip address when X-forward-for property is not set?


Thanks,
Biplab

------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

Original Message:
Sent: Tue July 28, 2020 08:27 AM
From: Steven Shull
Subject: Capturing User's IP Address in Maximo's IP block functionality

That's definitely a pretty complicated flow. Maximo has a system property that enables the login tracking functionality to retrieve the client's IP address when using a load balancer (mxe.system.usingLoadBalancer) that works by looking at the X-Forwarded-For header. There was a bug on some earlier versions of 7.6 where this wouldn't work if there was only a single IP address in the X-Forwarded-For (which would happen when there was only one redirect), but I would try with this enabled to ensure that it really isn't being provided.

We don't use HTTP Server so I've never done what I'm about to say, but I think the apache mod_headers should allow you to replace the header if necessary. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html. Specifically, there is a SetEnvIf that allows you to check for a header and only do something if that header is set. That should allow you to store it in the appropriate place for Maximo to consume.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH

Original Message:
Sent: Mon July 27, 2020 09:22 PM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Experts,

This is very unique scenario but I am guessing a lot of you would have faced this issue.

Scenario:

User's browser>CDN> reverse proxy>Load balancer>HTTP server>WAS>Maximo
Above is the flow of user's request to Maximo and the user's login request is registered in Maximo. 
Now, Maximo has this functionality to block IP address when there are more than 50 failed attempts from the same IP.
Currently, Maximo is doing this properly but the IP address registered currently is of the load balancer IP. This is causing blocking of login for all the users.

Now, I know if we configure load balancer to set User's actual IP address in the X-forward-for header than Maximo will be able to capture the right ip address in the failed login attempt and block only the IP address where the failed attempt originated from. 

Now, my questions are as follows:
1. When there is no X-forward-for header(which is the current setup) then how and where is the IP address of the load balancer captured and sent to Maximo?
2. Can we configure HTTP server or WAS to fetch the IP address from a specific header in the request? CDN is sending the user's IP address in the a header called 'True-Client'IP'. I am still investigating if HTTP server is receiving this header information.

Any inputs will be appreciated! 

Thanks in Advance.


------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

#AssetandFacilitiesManagement
#Maximo

I believe they use Java's getRemoteAddr to get the IP address when the load balancer system property isn't enabled or it's enabled and there is no x-forwarded-for header (such as when you login hitting internal WebSphere ports). I haven't really looked at it since I opened the case ~4 years ago. What I think you would have to do is set the X-Forwarded-For to the user's IP address and then configure the load balancer setting.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH
------------------------------

Original Message:
Sent: Tue July 28, 2020 09:03 AM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Steve,

Can you please tell me how is maximo getting the user's ip address when X-forward-for property is not set?


Thanks,
Biplab

------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne

Original Message:
Sent: Tue July 28, 2020 08:27 AM
From: Steven Shull
Subject: Capturing User's IP Address in Maximo's IP block functionality

That's definitely a pretty complicated flow. Maximo has a system property that enables the login tracking functionality to retrieve the client's IP address when using a load balancer (mxe.system.usingLoadBalancer) that works by looking at the X-Forwarded-For header. There was a bug on some earlier versions of 7.6 where this wouldn't work if there was only a single IP address in the X-Forwarded-For (which would happen when there was only one redirect), but I would try with this enabled to ensure that it really isn't being provided.

We don't use HTTP Server so I've never done what I'm about to say, but I think the apache mod_headers should allow you to replace the header if necessary. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html. Specifically, there is a SetEnvIf that allows you to check for a header and only do something if that header is set. That should allow you to store it in the appropriate place for Maximo to consume.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH

Original Message:
Sent: Mon July 27, 2020 09:22 PM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Experts,

This is very unique scenario but I am guessing a lot of you would have faced this issue.

Scenario:

User's browser>CDN> reverse proxy>Load balancer>HTTP server>WAS>Maximo
Above is the flow of user's request to Maximo and the user's login request is registered in Maximo. 
Now, Maximo has this functionality to block IP address when there are more than 50 failed attempts from the same IP.
Currently, Maximo is doing this properly but the IP address registered currently is of the load balancer IP. This is causing blocking of login for all the users.

Now, I know if we configure load balancer to set User's actual IP address in the X-forward-for header than Maximo will be able to capture the right ip address in the failed login attempt and block only the IP address where the failed attempt originated from. 

Now, my questions are as follows:
1. When there is no X-forward-for header(which is the current setup) then how and where is the IP address of the load balancer captured and sent to Maximo?
2. Can we configure HTTP server or WAS to fetch the IP address from a specific header in the request? CDN is sending the user's IP address in the a header called 'True-Client'IP'. I am still investigating if HTTP server is receiving this header information.

Any inputs will be appreciated! 

Thanks in Advance.


------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

#Maximo
#AssetandFacilitiesManagement

Thanks Steve. I want to explore the X-forward-for header.

------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

Original Message:
Sent: Tue July 28, 2020 09:31 AM
From: Steven Shull
Subject: Capturing User's IP Address in Maximo's IP block functionality

I believe they use Java's getRemoteAddr to get the IP address when the load balancer system property isn't enabled or it's enabled and there is no x-forwarded-for header (such as when you login hitting internal WebSphere ports). I haven't really looked at it since I opened the case ~4 years ago. What I think you would have to do is set the X-Forwarded-For to the user's IP address and then configure the load balancer setting.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH

Original Message:
Sent: Tue July 28, 2020 09:03 AM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Steve,

Can you please tell me how is maximo getting the user's ip address when X-forward-for property is not set?


Thanks,
Biplab

------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne

Original Message:
Sent: Tue July 28, 2020 08:27 AM
From: Steven Shull
Subject: Capturing User's IP Address in Maximo's IP block functionality

That's definitely a pretty complicated flow. Maximo has a system property that enables the login tracking functionality to retrieve the client's IP address when using a load balancer (mxe.system.usingLoadBalancer) that works by looking at the X-Forwarded-For header. There was a bug on some earlier versions of 7.6 where this wouldn't work if there was only a single IP address in the X-Forwarded-For (which would happen when there was only one redirect), but I would try with this enabled to ensure that it really isn't being provided.

We don't use HTTP Server so I've never done what I'm about to say, but I think the apache mod_headers should allow you to replace the header if necessary. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html. Specifically, there is a SetEnvIf that allows you to check for a header and only do something if that header is set. That should allow you to store it in the appropriate place for Maximo to consume.

------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH

Original Message:
Sent: Mon July 27, 2020 09:22 PM
From: Biplab Choudhury
Subject: Capturing User's IP Address in Maximo's IP block functionality

Hi Experts,

This is very unique scenario but I am guessing a lot of you would have faced this issue.

Scenario:

User's browser>CDN> reverse proxy>Load balancer>HTTP server>WAS>Maximo
Above is the flow of user's request to Maximo and the user's login request is registered in Maximo. 
Now, Maximo has this functionality to block IP address when there are more than 50 failed attempts from the same IP.
Currently, Maximo is doing this properly but the IP address registered currently is of the load balancer IP. This is causing blocking of login for all the users.

Now, I know if we configure load balancer to set User's actual IP address in the X-forward-for header than Maximo will be able to capture the right ip address in the failed login attempt and block only the IP address where the failed attempt originated from. 

Now, my questions are as follows:
1. When there is no X-forward-for header(which is the current setup) then how and where is the IP address of the load balancer captured and sent to Maximo?
2. Can we configure HTTP server or WAS to fetch the IP address from a specific header in the request? CDN is sending the user's IP address in the a header called 'True-Client'IP'. I am still investigating if HTTP server is receiving this header information.

Any inputs will be appreciated! 

Thanks in Advance.


------------------------------
Biplab Choudhury
Maximo Consultant
Tata Consultancy Services
Melbourne
------------------------------

#Maximo
#AssetandFacilitiesManagement