One disadvantage of running PeopleSoft behind a load balancer is that it can hide your user’s real IP address. With a load balancer, WebLogic and PeopleSoft log the load balancer’s IP address instead of the client connecting to your system. Load balancers support an HTTP header called X-Forwarded-For
, and will populate that HTTP header with the client’s IP address. We can configure WebLogic to read this header and add that to our HTTP access log.
The
psaccesslog
table tracks logins into PeopleSoft, but a customization is required to change the logged IP address to read fromX-Forwarded-For
. We won’t over that here. Instead, we’ll show a configuration change to capture this information.
X-Forwarded-For
The X-Forwarded-For
HTTP header is designed to pass in the HTTP originating client IP address through the load balancer. Logging a client IP address helps you identify where users are coming from (geo-ip) and can help with auditing access to your system. Since organizations run many different load balancers, we won’t cover how to enable that. Ask your network administrators to enable and populate X-Forwarded-For
and pass it through to your WebLogic servers.
If you want to test the logging without getting a network admin involved, FireFox has a nice add-on, X-Forwarded-For Header that simulates the header for you.
WebLogic Access Log
Out of the box, WebLogic doesn’t capture the X-Forwarded-For HTTP header. To read that header, we can configure the HTTP Access Log to read the header and log it. To do that, we need to enable the Access Log and tell WebLogic what header to look for.
- Open
http://server:port/console
and login. - Go to “Environment > Servers > PIA > Logging > HTTP”.
- Click “Lock & Edit”.
- Select the checkbox for “HTTP access log file enabled”.
- Save the changes.
- Expand the “Advanced” section.
- Change the Format to
Extended
. - Add
cs(X-Forwarded-For)
to the Extended Logging Format Fields. - Set the Log File Buffer to
0
. (This will write entires immediately to the log file.) - Save the changes.
- Click the “Release Configuration” button.
- Restart the web server.
In the PIA_access.log
file, you should see a dash -
or an IP address. If the header is blank, the dash will be populated. Otherwise, WebLogic will log the client’s real IP address.
Here a sample line from the PIA_access.log
file after we enabled X-Forwarded-For
logging:
#Version: 1.0
#Fields: date time cs-method cs-uri sc-status cs-username cs(user-agent) s-ip c-ip time-taken bytes cs(X-Forwarded-For)
#Software: WebLogic
2016-11-23 20:49:16 GET /psc/ps/EMPLOYEE/ELM/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL 200 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0" 0.0.0.0:10020 10.0.1.174 5.484 10907 "10.0.1.222"
The last value, "10.0.1.222"
is the client IP address (my workstation). The c-ip
value (10.0.1.174) is the load balancer IP adress in this scenario.
I’ve have a problem with my Tuxedo Appserver doing a reverse-dns lookup on the ipaddress when inserting into the PSACCESSLOG table in PS. Has anyone found a way to have tux insert the straight IP?
Pingback: #58 – Pagelets and Complaints
I made this change and am able to see Client IP now in PA-ACCESS.LOG. Is there any way to also get the EmplID of the user into this log?
Yes, there is a way to log EMPLID, but it takes a custom
.jar
file. I have this working in our DEV environments but haven’t moved it to PRD yet, so make sure you test it first. The code is in this Gist:https://gist.github.com/iversond/1fe465f7b0ba307d0915aa5de335de90
We log X-Forwarded-For in our login peoplecode, so it’s stored in the database and is tied to an emplid.
Brett, did you write custom PeopleCode signon event to capture that?
Yes we did. We already had all the hooks in place due to our SSO integration, so extending it was pretty simple.
Dan, this was helpful for me on the physical load balancer side to get the client IP to show up in the PIA access log. However, our PeopleSoft admins are concerned the IP address doesn’t appear in the database table psaccesslog. Will that require custom development to get it to appear?
Yes, getting the X-Forwarded-For header value logged to PSACCESSLOG requires a customization.
Does anyone have any customization to share to capture the X-Forwarded-For header value to update the PSACCESSLOG table ?