Audit the WS-Security runtime
Security auditing provides tracking and archiving of auditable events for the Web services runtime operations. When security auditing is enabled for Web services, the event generator utility collects and logs signing, encryption, security, authentication, and delegation events in audit event records. We can analyze the audit event records to identify possible security breaches or potential weaknesses in the security configuration of the environment.
The audit security subsystem must be enabled for before the event generator can collect auditing records for the Web services security runtime. The recording of auditable security events is achieved by enabled the security auditing subsystem.
See about enabling security auditing, read the topic "Enabling the security auditing subsystem."
WS-Security auditing is enabled for the JAX-WS runtime only. Several auditing events can occur when a SOAP message is received. Auditing data is collected during various Web Services security runtime operations, such as validating the digital signature of a SOAP message, decrypting the message, or checking the message security header. The auditing data is stored and managed by the event generator, and stored in audit logs for later analysis.
Auditable events for Web services include:
Signing
As the digital signature in each SOAP message part is validated, a SECURITY_SIGNING event is sent to the event generator, along with an outcome, which can be SUCCESS or ERROR. Reason codes, either VALID_SIGNATURE or INVALID_SIGNATURE, are also sent. The integrity of the message is audited, also with a SECURITY_SIGNING event, with the outcome of SUCCESS or DENIED. Reason codes are INTEGRITY or INTEGRITY_BAD.The following table summarizes the signing events:
Table 1. Signing audit events
Event type Possible outcomes Reason codes SECURITY_SIGNING (digital signature) SUCCESS
ERRORVALID_SIGNATURE
INVALID_SIGNATURESECURITY_SIGNING (integrity) SUCCESS
DENIEDINTEGRITY
INTEGRITY_BADIf the SECURITY_SIGNING event outcome is DENIED, and the reason code is INTEGRITY_BAD, this means that at least one message part, which must be signed by the security policy, failed signature validation. If the SECURITY_SIGNING event outcome is ERROR, and the reason code is INVALID_SIGNATURE, this means that the digital signature validation failed. This could lead to an INTEGRITY_BAD reason code in the audit record, depending on whether the digital signature is required by the security policy.
Encryption
Encryption auditing is performed in two parts: first, the encrypted parts of the SOAP message are processed, then the confidentiality of the message is audited. To audit each encrypted part of the message, a SECURITY_ENCRYPTION event is sent. An event record is created only if the outcome of the event is ERROR, meaning that an exception is encountered. The reason code is DECRYPTION_ERROR. Next, the confidentiality of the message is checked with another SECURITY_ENCRYPTION event, which has possible outcomes of SUCCESS or DENIED. Reason codes for this event are CONFIDENTIALITY or CONFIDENTIALITY_BAD.The following table summarizes the encryption events:
Table 2. Encryption audit events
Event type Possible outcomes Reason codes SECURITY_ENCRYPTION (encrypted message parts) ERROR DECRYPTION_ERROR SECURITY_ENCRYPTION (confidentiality) SUCCESS
DENIEDCONFIDENTIALITY
CONFIDENTIALITY_BADIf the SECURITY_ENCRYPTION event outcome is DENIED and the reason code is CONFIDENTIALITY_BAD, this means that at least one message part, which is required to be encrypted, is not correctly encrypted. A DECRYPTION_ERROR in the audit record could lead to a CONFIDENTIALITY_BAD reason code, depending on whether message encryption is required.
Time stamp
For each SOAP message, the time stamp is audited when a SECURITY_RESOURCE_ACCESS event is sent to the event generator. The possible outcomes of this event are SUCCESS or DENIED. Reason codes are TIMESTAMP or TIMESTAMP_BAD.The following table summarizes the time stamp events:
Table 3. Time stamp audit event
Event type Possible outcome Reason code SECURITY_RESOURCE_ACCESS SUCCESS
DENIEDTIMESTAMP
TIMESTAMP_BAD
Security header
The security header is audited to make sure it is not missing from the SOAP message. A SECURITY_RESOURCE_ACCESS event is sent, and if the header is missing, the outcome is DENIED, with the reason code SECURITY_HEADER_MISSING.The following table summarizes the security header event:
Table 4. Security header audit event
Event type Possible outcome Reason code SECURITY_RESOURCE_ACCESS DENIED SECURITY_HEADER_MISSING
Authentication
The security token used to authenticate a message is audited to determine if authentication is successful, and information about the authentication type, provider name and provider status are saved in the audit event record. The token ID is also recorded, along with information that is specific to the token type, such as username or keystore. Sensitive information such as the token itself, or the token password, is not recorded in the audit event record. Information recorded for each token type is described in the following table:
Table 5. Token information recorded in audit event record
Token type Recorded information Username token
- Username
- (null or not-null)
- Token ID
LTPA
- Principal
- Expiration
- Token ID
LTPAPropagate
- Principal
- Expiration
- Token ID
SecureConversation
- UUID
- Instance UUID
- Token ID
DerivedKey
- Reference ID
- Token ID
Kerberos
- Principal
- SPN
- pSHA1
- Token ID
X509
- Certificate
- Subject
- Issuer
- Keystore
- Token ID
- TrustAny
PKP Path (public key infrastructure)
- Certificate
- Subject
- Issuer
- Keystore
- Token ID
- TrustAny
PKCS7 (Public Key Cryptography Standards)
- Certificate
- Subject
- Issuer
- Keystore
- Token ID
- TrustAny
Message authentication is audited using a SECURITY_AUTHN event. Possible outcomes of the event are SUCCESS, DENIED or FAILURE. Reason codes are AUTHN_SUCCESS, AUTHN_LOGIN_EXCEPTION or AUTHN_PRIVILEDGE_ACTION_EXCEPTION.
The following table summarizes the authentication events:
Table 6. Authentication audit event
Event type Possible outcomes Reason codes SECURITY_AUTHN SUCCESS
DENIED
FAILUREAUTHN_SUCCESS
AUTHN_LOGIN_EXCEPTION
AUTHN_PRIVILEDGE_ACTION_EXCEPTION
Delegation
Authentication of a SOAP message can be delegated, and the delegation function is audited using a SECURITY_AUTHN_DELEGATION event. This event is sent when the client identity is propogated or when delegation involves the use of a special identity. In the Web Services Security runtime, auditing events are recorded only when the delegation type is set to Identity Assertion. Possible outcomes are SUCCESS or DENIED, with reason codes AUTHN_SUCCESS or AUTHN_DENIED. Additional information, such as delegation type, role name and identity name, is collected and stored in the audit event record.The following table summarizes the delegation events:
Table 7. Delegation audit event
Event type Possible outcomes Reason codes SECURITY_AUTHN_DELEGATION SUCCESS
DENIEDAUTHN_SUCCESS
AUTHN_DENIED
Related tasks
Enable the security auditing subsystem
Secure JAX-WS Web services using message-level security