Signing security audit data using scripting

You can use the wsadmin tool to configure the security auditing system to sign security audit records. Security auditing provides tracking and archiving of auditable events.

Before you begin

Verify that you have the appropriate administrative roles. To complete this task, you must have both the auditor and administrator administrative roles.

About this task

When configuring the signing of audit data, the auditor can choose between the following options:
  • Allow the application server to automatically generate a certificate.
  • Use an existing self-signed certificate that the auditor previously generated.
  • Use the same self-signed certificate as the system uses to encrypt the audit records.
  • Use an existing keystore to store this certificate.
  • Create a new keystore to store this certificate.
  • Use an existing self-signed certificate in an existing keystore.

Use the following task steps to configure the signing of security audit data:

Procedure

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Configure signing settings for security audit data.

    Use the createAuditSigningConfig command to create the signing model to sign your audit records.

    You can import the certificate from an existing key file name that contains that certificate, automatically generate the certificate, or use the same certificate as used to encrypt the audit records. The signing keystore must exist in the security.xml file. The system updates this keystore with the certificate to use to sign the audit records.
    Use the parameters in the following table with the createAuditSigningConfig command. You must specify the -enableAuditSigning, -certAlias, and -signingKeyStoreRef parameters.

    Table 1. Command parameters

    -enableAuditSigning (Boolean, required)
        Specifies whether to sign audit records. This parameter modifies your audit policy configuration.
    -certAlias (String, required)
        Specifies the alias name that identifies the generated or imported certificate.
    -signingKeyStoreRef (String, required)
        Specifies the reference ID of the keystore to import the certificate to.
    -useEncryptionCert (Boolean, optional)
        Specifies whether to use the same certificate for encryption and signing. You must specify the -useEncryptionCert, -autogenCert, or -importCert parameter.
    -autogenCert (Boolean, optional)
        Specifies whether to automatically generate the certificate used to sign the audit records. You must specify the -useEncryptionCert, -autogenCert, or -importCert parameter.
    -importCert (Boolean, optional)
        Specifies whether to import an existing certificate to sign the audit records. You must specify the -useEncryptionCert, -autogenCert, or -importCert parameter.
    -certKeyFileName (String, optional)
        Specifies the unique name of the key file for the certificate to import.
    -certKeyFilePath (String, optional)
        Specifies the key file location for the certificate to import.
    -certKeyFileType (String, optional)
        Specifies the key file type for the certificate to import.
    -certKeyFilePassword (String, optional)
        Specifies the key file password for the certificate to import.
    -certAliasToImport (String, optional)
        Specifies the alias of the certificate to import.
    The following command example configures signing and allows the system to automatically generate the certificate:

        AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
        -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')

    The following command example configures signing and imports a certificate:

        AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
        -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12
        -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate
        -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')

    The following command example uses the same certificate for signing and encryption:

        AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
        -useEncryptionCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
  3. Save your configuration changes.
    Use the following command example to save your configuration changes:
    AdminConfig.save()
  4. Restart the server to apply the configuration changes.
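The following wsadmin Jython helper is an added example, not IBM's code: it checks the parameter rules from Table 1 (the three required parameters, exactly one of -useEncryptionCert, -autogenCert or -importCert, and the key-file parameters when importing) before calling createAuditSigningConfig, so a bad combination fails in the script rather than in the server. The AdminTask and AdminConfig objects are passed in as arguments (an assumption made so the helper can be tested outside wsadmin); inside wsadmin, pass the predefined AdminTask and AdminConfig globals.

```python
# Added example (not from the IBM documentation). Written to run under both
# wsadmin Jython 2.x and CPython 3, so option values are the strings 'true'
# and 'false' rather than Python booleans.

REQUIRED = ('enableAuditSigning', 'certAlias', 'signingKeyStoreRef')
CERT_SOURCES = ('useEncryptionCert', 'autogenCert', 'importCert')
IMPORT_PARAMS = ('certKeyFileName', 'certKeyFilePath', 'certKeyFileType',
                 'certKeyFilePassword', 'certAliasToImport')


def signing_option_errors(opts):
    """Return a list of rule violations for opts (empty when acceptable)."""
    errors = []
    for name in REQUIRED:
        if not opts.get(name):
            errors.append('missing required parameter -%s' % name)
    # Exactly one certificate source must be selected.
    sources = [s for s in CERT_SOURCES if opts.get(s) == 'true']
    if len(sources) != 1:
        errors.append('specify exactly one of -useEncryptionCert, '
                      '-autogenCert, -importCert')
    # Importing needs the key file details and the alias to import.
    if 'importCert' in sources:
        for name in IMPORT_PARAMS:
            if not opts.get(name):
                errors.append('-importCert requires -%s' % name)
    return errors


def build_signing_args(opts):
    """Render opts into the single argument string the command expects.

    Raises ValueError when signing_option_errors() reports a problem."""
    errors = signing_option_errors(opts)
    if errors:
        raise ValueError('; '.join(errors))
    parts = []
    for name in REQUIRED + CERT_SOURCES + IMPORT_PARAMS:  # stable order
        if name in opts:
            parts.append('-%s %s' % (name, opts[name]))
    return ' '.join(parts)


def configure_audit_signing(admin_task, admin_config, opts):
    """Validate, run createAuditSigningConfig, and save the configuration.

    The server still has to be restarted for the change to take effect."""
    args = build_signing_args(opts)
    admin_task.createAuditSigningConfig(args)
    admin_config.save()
    return args

# Inside wsadmin (assumed keystore reference ID, as in the page's examples):
# configure_audit_signing(AdminTask, AdminConfig, {
#     'enableAuditSigning': 'true', 'certAlias': 'auditSigningCert',
#     'signingKeyStoreRef': 'Ref_Id_of_KeyStoreInSecurityXML',
#     'autogenCert': 'true'})
```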

Results

Signing is configured for your security audit data. If you set the -enableAuditSigning parameter to true, your security auditing system signs security audit data when security auditing is enabled.

What to do next

Once you configure the signing model for the first time, use the enableAuditSigning and disableAuditSigning commands to quickly turn signing on and off. The following example uses the enableAuditSigning command to turn signing on:
AdminTask.enableAuditSigning()
The following example uses the disableAuditSigning command to turn signing off:
AdminTask.disableAuditSigning()

Last updated: Oct 20, 2010 7:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist&topic=txml_7signaudit
File name: txml_7signaudit.html