You can use the Jython scripting language to configure the security auditing system with the wsadmin tool. Use the commands and parameters in the AuditEncryptionCommands group to configure the security audit system to encrypt audit records.
The createAuditEncryptionConfig command creates the encryption model used to encrypt the audit records.
You can import the certificate from an existing key file that contains it, or have the system generate a certificate automatically.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
KeyStore_1173199825578
Batch mode example usage
AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -autogenCert true -encryptionKeyStoreRef auditKeyStore')
AdminTask.createAuditEncryptionConfig(['-enableAuditEncryption', 'true', '-certAlias', 'auditCertificate', '-autogenCert', 'true', '-encryptionKeyStoreRef', 'auditKeyStore'])
Interactive mode example usage
AdminTask.createAuditEncryptionConfig('-interactive')
The createAuditSelfSignedCertificate command creates a self-signed certificate. Use this command internally to automatically generate a certificate for encryption and signing or to import that certificate into the keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully creates the self-signed certificate.
Batch mode example usage
AdminTask.createAuditSelfSignedCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -certificateAlias myNew -certificateCommonName cn=oet -certificateOrganization mycompany')
AdminTask.createAuditSelfSignedCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-certificateAlias', 'myNew', '-certificateCommonName', 'cn=oet', '-certificateOrganization', 'mycompany'])
Interactive mode example usage
AdminTask.createAuditSelfSignedCertificate('-interactive')
The deleteAuditCertificate command deletes a self-signed certificate from an audit keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully deletes the audit certificate.
Batch mode example usage
AdminTask.deleteAuditCertificate('-keyStoreName myKeystore -certificateAlias oldCertificate')
AdminTask.deleteAuditCertificate(['-keyStoreName', 'myKeystore', '-certificateAlias', 'oldCertificate'])
Interactive mode example usage
AdminTask.deleteAuditCertificate('-interactive')
The deleteAuditEncryptionConfig command deletes the encryption model used to encrypt the audit records. The command does not remove keystore files or the certificates.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully deletes the audit encryption configuration.
Batch mode example usage
AdminTask.deleteAuditEncryptionConfig()
AdminTask.deleteAuditEncryptionConfig()
Interactive mode example usage
AdminTask.deleteAuditEncryptionConfig('-interactive')
The disableAuditEncryption command disables the encryption of audit records.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully disables audit record encryption.
Batch mode example usage
AdminTask.disableAuditEncryption()
AdminTask.disableAuditEncryption()
Interactive mode example usage
AdminTask.disableAuditEncryption('-interactive')
The enableAuditEncryption command enables the encryption of audit records.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully enables audit record encryption.
Batch mode example usage
AdminTask.enableAuditEncryption()
AdminTask.enableAuditEncryption()
Interactive mode example usage
AdminTask.enableAuditEncryption('-interactive')
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully exports the audit certificate.
Batch mode example usage
AdminTask.exportAuditCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAlias root')
AdminTask.exportAuditCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope',
'(cell):Node04Cell', '-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12',
'-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAlias', 'root'])
Interactive mode example usage
AdminTask.exportAuditCertificate('-interactive')
The exportAuditCertToManagedKS command exports a self-signed certificate from an audit keystore to a managed audit keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully exports the audit certificate.
Batch mode example usage
AdminTask.exportAuditCertToManagedKS('-keyStoreName auditEncryptionKeyStore -keyStorePassword myPwd -toKeyStoreName AuditTrustStore -toKeyStoreScope (cell):my03Cell -certificateAlias newauditcert -aliasInKeyStore newauditcert1')
AdminTask.exportAuditCertToManagedKS(['-keyStoreName', 'auditEncryptionKeyStore', '-keyStorePassword', 'myPwd', '-toKeyStoreName', 'AuditTrustStore', '-toKeyStoreScope', '(cell):my03Cell', '-certificateAlias', 'newauditcert', '-aliasInKeyStore', 'newauditcert1'])
Interactive mode example usage
AdminTask.exportAuditCertToManagedKS('-interactive')
The getAuditCertificate command retrieves the attributes for an audit self-signed certificate in an audit keystore.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a list of attributes associated with the audit certificate.
Batch mode example usage
AdminTask.getAuditCertificate('-keyStoreName auditEncryptionKeyStore -certificateAlias newauditcert')
AdminTask.getAuditCertificate(['-keyStoreName', 'auditEncryptionKeyStore', '-certificateAlias', 'newauditcert'])
Interactive mode example usage
AdminTask.getAuditCertificate('-interactive')
The getAuditEncryptionConfig command retrieves the encryption model that the system uses to encrypt the audit records.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{{certRef Certificate_1184698729015} {keystoreRef KeyStore_1173199825578} {keyStore AuditDefaultKeyStore(cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578)} {enabled true} {alias mycertalias} {_Websphere_Config_Data_Version {}} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#Certificate_1184698729015} {_Websphere_Config_Data_Type Certificate}}
Batch mode example usage
AdminTask.getAuditEncryptionConfig()
AdminTask.getAuditEncryptionConfig()
Interactive mode example usage
AdminTask.getAuditEncryptionConfig('-interactive')
The getEncryptionKeyStore command retrieves the attributes for the keystore that contains the certificate that the system uses to encrypt the audit records.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{{location ${CONFIG_ROOT}/audittrust.p12} {password *****} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578} {_Websphere_Config_Data_Version {}} {useForAcceleration false} {slot 0} {type PKCS12} {additionalKeyStoreAttrs {}} {fileBased true} {_Websphere_Config_Data_Type KeyStore} {customProviderClass {}} {hostList {}} {keystoreRef KeyStore_1173199825578} {createStashFileForCMS false} {description {keyStore description}} {managementScope (cells/CHEYENNENode04Cell|audit.xml#ManagementScope_1173199825608)} {readOnly false} {initializeAtStartup true} {usage {}} {provider IBMJCE} {name AuditDefaultKeyStore}}
Batch mode example usage
AdminTask.getEncryptionKeyStore()
AdminTask.getEncryptionKeyStore()
Interactive mode example usage
AdminTask.getEncryptionKeyStore('-interactive')
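The return values of getAuditEncryptionConfig and getEncryptionKeyStore are brace-delimited attribute lists. The following added example (not part of the original documentation) parses that text into a dictionary and cross-checks the two results. It is plain Python that assumes the return value is handled as the text shown above; the function names and the set of checks are illustrative.

```python
def split_top_level(text):
    """Return the contents of each brace group found at depth 1 of text."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == '{':
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == '}':
            depth -= 1
            if depth < 0:
                raise ValueError('unbalanced "}" at offset %d' % i)
            if depth == 0:
                items.append(text[start:i])
    if depth:
        raise ValueError('unclosed "{"')
    return items

def parse_attrs(text):
    """Turn '{{key value} {key {nested value}} ...}' into a dict of strings."""
    outer = split_top_level(text.strip())
    if len(outer) != 1:
        raise ValueError('expected one outer attribute list')
    attrs = {}
    for item in split_top_level(outer[0]):
        parts = (item.split(None, 1) + ['', ''])[:2]
        key, value = parts[0], parts[1].strip()
        inner = split_top_level(value)
        # Unwrap '{}' and '{two words}', but leave '${CONFIG_ROOT}/x' intact.
        if len(inner) == 1 and value == '{' + inner[0] + '}':
            value = inner[0]
        attrs[key] = value
    return attrs

def encryption_findings(config_text, keystore_text):  # [] means no findings
    cfg, ks = parse_attrs(config_text), parse_attrs(keystore_text)
    findings = []
    if cfg.get('enabled') != 'true':
        findings.append('audit record encryption is not enabled')
    if not cfg.get('alias'):
        findings.append('no certificate alias is configured')
    if cfg.get('keystoreRef') != ks.get('keystoreRef'):
        findings.append('config and keystore report different keystoreRef values')
    return findings
# Abridged copies of the return values shown on this page.
CONFIG = ('{{certRef Certificate_1184698729015} {keystoreRef KeyStore_1173199825578} '
          '{enabled true} {alias mycertalias} {_Websphere_Config_Data_Version {}}}')
KEYSTORE = ('{{location ${CONFIG_ROOT}/audittrust.p12} {type PKCS12} '
            '{keystoreRef KeyStore_1173199825578} {description {keyStore description}} {usage {}}}')
```

For the sample values, encryption_findings(CONFIG, KEYSTORE) returns an empty list.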
The importAuditCertFromManagedKS command imports a self-signed certificate into a keystore from a managed audit keystore. Use this command internally to automatically generate a certificate for encryption or signing and to import a certificate into the keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully imports the audit certificate.
Batch mode example usage
AdminTask.importAuditCertFromManagedKS('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):myNode03Cell -fromKeyStoreName AuditSecondDefaultKeyStore -fromKeyStoreScope (cell):myNode03Cell -fromKeyStorePassword myPwd -certificateAliasFromKeyFile root -certificateAlias myimportcert')
AdminTask.importAuditCertFromManagedKS(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-fromKeyStoreName', 'AuditSecondDefaultKeyStore', '-fromKeyStoreScope', '(cell):myNode03Cell', '-fromKeyStorePassword', 'myPwd', '-certificateAliasFromKeyFile', 'root', '-certificateAlias', 'myimportcert'])
Interactive mode example usage
AdminTask.importAuditCertFromManagedKS('-interactive')
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully imports the audit certificate.
Batch mode example usage
AdminTask.importAuditCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
AdminTask.importAuditCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell',
'-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12',
'-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 'root',
'-certificateAlias', 'myimportcert'])
Interactive mode example usage
AdminTask.importAuditCertificate('-interactive')
The importEncryptionCertificate command imports the self-signed certificate that the system uses to encrypt audit data from the encryption keystore into a managed keystore in security.xml.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
The command returns a value of true if the system successfully imports the encryption certificate.
Batch mode example usage
AdminTask.importEncryptionCertificate('-keyStoreName DefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
AdminTask.importEncryptionCertificate(['-keyStoreName', 'DefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell',
'-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12',
'-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 'root',
'-certificateAlias', 'myimportcert'])
Interactive mode example usage
AdminTask.importEncryptionCertificate('-interactive')
The isAuditEncryptionEnabled command determines if audit record encryption is enabled.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if audit record encryption is enabled.
Batch mode example usage
AdminTask.isAuditEncryptionEnabled()
AdminTask.isAuditEncryptionEnabled()
Interactive mode example usage
AdminTask.isAuditEncryptionEnabled('-interactive')
The listAuditEncryptionKeyStores command retrieves the attributes for each configured encryption keystore from the audit.xml file. The command returns attributes for active and inactive keystores.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{{location ${CONFIG_ROOT}/audittrust.p12} {password *****} {_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578} {useForAcceleration false} {slot 0} {type PKCS12} {additionalKeyStoreAttrs {}} {fileBased true} {_Websphere_Config_Data_Type KeyStore} {customProviderClass {}} {hostList {}} {keystoreRef KeyStore_1173199825578} {createStashFileForCMS false} {description {keyStore description}} {readOnly false} {initializeAtStartup true} {managementScope (cells/CHEYENNENode04Cell|audit.xml#ManagementScope_1173199825608)} {usage {}} {provider IBMJCE} {name AuditDefaultKeyStore}}
Batch mode example usage
AdminTask.listAuditEncryptionKeyStores()
AdminTask.listAuditEncryptionKeyStores()
Interactive mode example usage
AdminTask.listAuditEncryptionKeyStores('-interactive')
The listCertAliases command retrieves a list of the personal certificates in the keystore, as specified by the keystore name and scope of interest.
The user must have the monitor administrative role to run this command.
Target object
None.
Required parameters
Optional parameters
Return value
mycertalias
Batch mode example usage
AdminTask.listCertAliases('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell')
AdminTask.listCertAliases(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell'])
Interactive mode example usage
AdminTask.listCertAliases('-interactive')
The modifyAuditEncryptionConfig command modifies the encryption model that the system uses to encrypt the audit records. Specify values for the -enableAuditEncryption, -certAlias, and -encryptionKeyStoreRef parameters to use an existing keystore. Do not specify the -importCert or -autogenCert parameters if you use an existing keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Required parameters
None.
Optional parameters
Return value
The command returns a value of true if the system successfully updates the configuration.
Batch mode example usage
AdminTask.modifyAuditEncryptionConfig('-enableAuditEncryption true -certAlias mycertalias -encryptionKeyStoreRef KeyStore_1173199825578')
AdminTask.modifyAuditEncryptionConfig(['-enableAuditEncryption', 'true', '-certAlias', 'mycertalias',
'-encryptionKeyStoreRef', 'KeyStore_1173199825578'])
Interactive mode example usage
AdminTask.modifyAuditEncryptionConfig('-interactive')
The renewAuditCertificate command renews a self-signed certificate in an audit keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Optional parameters
Return value
The command returns a value of true if the system successfully updates the configuration.
Batch mode example usage
AdminTask.renewAuditCertificate('-keyStoreName auditEncryptionKeyStore -certificateAlias newauditcert')
AdminTask.renewAuditCertificate(['-keyStoreName', 'auditEncryptionKeyStore', '-certificateAlias', 'newauditcert'])
Interactive mode example usage
AdminTask.renewAuditCertificate('-interactive')