+

Search Tips   |   Advanced Search

Encrypting security audit data using scripting


Use wsadmin to configure the security auditing system to encrypt security audit records. Security auditing provides tracking and archiving of auditable events.

Before configuring encryption, set up the security auditing subsystem. We can enable security auditing before or after completing the steps in this topic.

Verify that we have the appropriate administrative role. To complete this topic, have the auditor administrative role. If importing a certificate from a keystore that exists in security.xml, have the auditor and administrator admin roles.

When configuring encryption, the auditor can select one of the following choices:

To verify there is a separation of privileges between the administrator role and the auditor role, the auditor can create a self-signed certificate outside of the application server process and maintain the private key of that certificate.

Use the following task steps to encrypt security audit data:

 

  1. Launch the wsadmin scripting tool using the Jython scripting language.

  2. Set encryption settings for security audit data.

    Use the createAuditEncryptionConfig command and the following parameters to create the audit encryption model to encrypt the audit records. Specify the -enableAuditEncryption, -certAlias, and -encryptionKeyStoreRef parameters, and either the -autogenCert or -importCert parameters.


    Table 1. Command parameters

    Parameter Description Data Type Required
    -enableAuditEncryption Specifies whether to encrypt audit records. This parameter modifies the audit policy configuration. Boolean Yes
    -certAlias Alias name that identifies the generated or imported certificate. String Yes
    -encryptionKeyStoreRef Reference ID of the keystore to import the certificate to. String Yes
    -autogenCert Specifies whether to automatically generate the certificate used to encrypt the audit records. Specify either this parameter or the -importCert parameter, but we cannot specify both. Boolean No
    -importCert Specifies whether to import an existing certificate to encrypt the audit records. Specify either this parameter or the -autogenCert parameter, but we cannot specify both. Boolean No
    -certKeyFileName Unique name of the key file from which the certificate is imported. String No
    -certKeyFilePath Specifies the key file location from which the certificate is imported. String No
    -certKeyFileType Specifies the key file type from which the certificate is imported. String No
    -certKeyFilePassword Specifies the key file password from which the certificate is imported. String No
    -certAliasToImport Alias from which the certificate is imported. String No

    The following command example configures encryption and supports the system to automatically generate the certificate:

    AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -autogenCert true -encryptionKeyStoreRef auditKeyStore')

    The following command example configures encryption and imports a certificate:

    AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate -encryptionKeyStoreRef auditKeyStore')

  3. Restart the server to apply configuration changes.

 

Results

Encryption is configured for security audit data. If we set the -enableAuditEncryption parameter to true, then the security auditing system encrypts security audit data when security auditing is enabled.

 

What to do next

After you configure the encryption model for the first time, then you may use the enableAuditEncryption and disableAuditEncryption commands to turn encryption on and off.

The following example uses the enableAuditEncryption command to turn on encryption:

AdminTask.enableAuditEncryption()

The following example uses the disableAuditEncryption command to turn off encryption:

AdminTask.disableAuditEncryption()

 

Related tasks


Set auditable events using scripting
Enable security auditing using scripting
Signing security audit data using scripting
Set security audit notifications using scripting
Set security auditing using scripting

 

Related


AuditKeyStoreCommands
AuditEmitterCommands for AdminTask
AuditSigningCommands
AuditEncryptionCommands
AuditEventFactoryCommands for AdminTask
AuditFilterCommands
AuditNotificationCommands
AuditPolicyCommands
AuditEventFormatterCommands