Client IP in smaccess logs

Article ID: 195023

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We are unable to log the user IP address in the smaccess log in our non-prod environment. The IP captured in REMOTE_ADDR is the LB IP instead of the user IP, and that is what is currently being audited as the sm_client IP in the smaccess logs.

However, we have the X-forwarded-for and Client-ip headers populated with the correct IP address for the user being authenticated.
Is there any way we can force the agent to use either X-forwarded-for or Client-ip while auditing?

Environment

Release: 12.52

Component: SITEMINDER - WEB AGENT FOR APACHE

Resolution

Setting the ACO parameter CustomIPHeader to X-forwarded-for should solve this.

See:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html#concept.dita_2fd165d3272c946abfbbca53cdd2a631bff36952_1

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html

You should not need to change ProxyDefinition and/or RequireClientIP just to include the X-forwarded-for in smaccess.log. Just set CustomIPHeader.
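
With CustomIPHeader set, the address audited in smaccess.log comes from a request header, so it is only as reliable as the proxy that writes that header. The following is an added example, not Broadcom code and not a description of how the Web Agent parses the header: it shows the usual trusted-proxy check for an X-Forwarded-For chain, which can be used to cross-check audited addresses. The proxy range and sample addresses are constructed.

```python
import ipaddress

# Assumption: address range of the load balancers allowed to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def audited_client_ip(remote_addr, xff_header):
    """Return the address that is safe to record as the client IP.

    remote_addr: TCP peer address (REMOTE_ADDR).
    xff_header:  raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A connection that bypasses the load balancer can send any header it
    # likes, so the header is ignored unless the peer is a trusted proxy.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it saw, so walk right to left and
    # stop at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: nothing to its left can be verified.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was a trusted proxy; fall back to the peer address.
    return str(peer)


if __name__ == "__main__":
    # Constructed samples: (REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("10.0.0.5", "203.0.113.7"),           # normal request via the LB
        ("10.0.0.5", "1.2.3.4, 203.0.113.7"),  # client sent its own header
        ("198.51.100.9", "203.0.113.7"),       # direct hit, LB bypassed
    ]
    for remote, xff in samples:
        print(remote, "|", xff, "->", audited_client_ip(remote, xff))
```

The second sample is the case to watch for: the leftmost entry was supplied by the client, and only the entry appended by the load balancer reflects the real peer.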