Audit logs can be encrypted to protect audit data at rest. When audit records are encrypted, only users who hold the encrypting certificate, and specifically its private key, can view the audit logs.
Before you begin
Restriction: Audit data can be encrypted only when it is created by the default audit service provider. If you use the SMF emitter or a third-party emitter, you cannot encrypt your audit data.
Before you configure your security audit records to be encrypted, enable global security and security auditing in your environment. You must be assigned the auditor role to encrypt your security audit records. If you use a certificate that is stored in the security.xml file, you also need the administrator role to complete this task.
About this task
Procedure
- Click .
- Select the Enable encryption check box to specify that your audit records are encrypted. All other fields on this panel are unavailable until this check box is selected.
- Select the keystore that contains the encrypting certificate from the dropdown menu, or click New to create a new keystore. If you are creating a new keystore, complete the following fields:
  - Enter the name of the keystore in the Name field.
  - Enter the path to the keystore file in the Path field.
  - Enter the password for the keystore in the Password field.
  - Confirm the password by typing it again in the Confirm password field.
  - Select the keystore type from the Type dropdown list. The default value is PKCS12.
- If you are using an existing certificate to encrypt your audit records, ensure that Certificate in keystore is selected and choose the intended certificate from the Certificate alias dropdown menu.
- If you are generating a new certificate to encrypt your audit records, select Create a new certificate in the selected keystore and follow these steps:
  - Enter the alias for your new certificate in the Certificate alias field.
  - Select either Automatically generate certificate or Import a certificate. The certificate that encrypts the audit log files can be generated for you or imported from an existing keystore file. If you chose to generate a certificate, skip to the final step (Click OK). If you chose to import a certificate, continue with the following steps.
  - Enter the name of the keystore file that holds the certificate to import in the Key file name field.
  - Enter the path to that keystore file in the Path field.
  - Select the keystore type from the Type dropdown list. The default value is PKCS12.
  - Enter the password for that keystore in the Key File password field.
  - Click Get key file aliases to populate the Certificate alias to import dropdown menu.
  - Select the certificate to import from the Certificate alias to import dropdown menu.
- Click OK.
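The import path above expects a keystore file that already holds a certificate and its private key under an alias. The following shell script is an added example, not part of this documentation or of the product, showing how to prepare such a PKCS12 file with OpenSSL and how to check, before you point the panel at it, the same things the panel will look at: the alias that Get key file aliases will list, the certificate's key usage, and its remaining validity. The alias auditcert, the file name auditKeyStore.p12, the subject name, the working directory and the password are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not part of the product documentation: build a PKCS12
# keystore that holds a key pair and self-signed certificate under a known
# alias, then check what the "Import a certificate" step will see.
# The alias, file names, subject and password are assumptions.

ALIAS="auditcert"                         # value for the Certificate alias field
WORKDIR="${WORKDIR:-$(mktemp -d)}"        # assumed location of the keystore file
P12="$WORKDIR/auditKeyStore.p12"          # value for the Key file name / Path fields
STOREPASS="${STOREPASS:-change-me}"       # value for the Key File password field

# Create an RSA key pair and a self-signed certificate, then wrap both in a
# PKCS12 file under $ALIAS. The private key is the decryption secret for every
# audit record encrypted to this certificate, so it is removed from disk once
# it is inside the password-protected keystore.
make_audit_keystore() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
        -keyout "$WORKDIR/audit-key.pem" -out "$WORKDIR/audit-cert.pem" \
        -subj "/CN=audit-encryption/O=Example" \
        -addext "keyUsage=critical,keyEncipherment,dataEncipherment" \
        >/dev/null 2>&1
    openssl pkcs12 -export -name "$ALIAS" \
        -inkey "$WORKDIR/audit-key.pem" -in "$WORKDIR/audit-cert.pem" \
        -out "$P12" -passout "pass:$STOREPASS"
    rm -f "$WORKDIR/audit-key.pem"
}

# List the aliases (PKCS12 friendly names) in the keystore. This is what the
# "Get key file aliases" button populates the dropdown with.
list_aliases() {
    openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# Show the key usage of the certificate under $ALIAS so you can confirm it is
# suitable for encryption rather than, say, a signing-only certificate.
cert_key_usage() {
    openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -ext keyUsage | tail -n 1 | sed 's/^ *//'
}

# Return 0 only if the alias is present and the certificate is valid for at
# least another 30 days (2592000 seconds); otherwise explain why on stderr.
keystore_ready() {
    list_aliases | grep -qx "$ALIAS" || {
        echo "alias $ALIAS not found in $P12" >&2; return 1; }
    openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend 2592000 >/dev/null || {
        echo "certificate under $ALIAS expires within 30 days" >&2; return 1; }
}

# Run end to end with: RUN_EXAMPLE=1 sh audit-keystore.sh
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    make_audit_keystore
    echo "aliases:   $(list_aliases)"
    echo "key usage: $(cert_key_usage)"
    keystore_ready && echo "keystore ready: $P12"
fi
```

Two caveats for production use. First, the keystore file and its password are now the only way to read the encrypted audit records: store the file with restrictive permissions, back it up, and do not share the password beyond the auditors who must read the logs, because losing the private key makes the records unrecoverable. Second, OpenSSL 3 writes PKCS12 files with newer default algorithms (AES-256-CBC with a SHA-256 MAC) that some older Java runtimes cannot parse; if the console rejects the file, re-run the export with the -legacy option.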
Results
After you complete these steps, your audit logs are encrypted so that only authorized users can view the content of the audit log files.
What to do next
After you configure your audit logs to be encrypted, you can also protect the integrity of your audit logs by configuring the audit subsystem to sign your audit records. Encryption protects only the confidentiality of the records; signing lets you detect records that were altered after they were written.