Signing security audit data using scripting
Use wsadmin to configure the security auditing system to sign security audit records. Security auditing provides tracking and archiving of auditable events.
Before you begin, verify that you have the appropriate administrative roles. Completing this task requires both the auditor and administrator administrative roles.
When configuring the signing of audit data, the auditor can choose between the following options:
- Allow the application server to automatically generate a certificate.
- Use an existing self-signed certificate that the auditor previously generated.
- Use the same self-signed certificate that the system uses to encrypt the audit records.
- Use an existing keystore to store this certificate.
- Create a new keystore to store this certificate.
- Use an existing self-signed certificate in an existing keystore.
Use the following task steps to configure the signing of security audit data:
- Launch the wsadmin scripting tool using the Jython scripting language.
- Set signing settings for security audit data.
Use the createAuditSigningConfig command to create the signing model that signs the audit records. The certificate can be imported from an existing key file that contains it, generated automatically, or shared with the certificate already used to encrypt the audit records. The signing keystore must already exist in security.xml; the system updates that keystore with the certificate used to sign the audit records. Use the parameters in the following table with the createAuditSigningConfig command. The -enableAuditSigning, -certAlias, and -signingKeyStoreRef parameters are required, and exactly one of -useEncryptionCert, -autogenCert, or -importCert must be specified to select where the certificate comes from.
Table 1. Command parameters (name, data type, whether required, description)

-enableAuditSigning (Boolean, required): Specifies whether to sign audit records. This parameter modifies the audit policy configuration.
-certAlias (String, required): Alias name that identifies the generated or imported certificate.
-signingKeyStoreRef (String, required): Reference ID of the keystore to import the certificate to.
-useEncryptionCert (Boolean, optional): Specifies whether to use the same certificate for encryption and signing. Specify exactly one of -useEncryptionCert, -autogenCert, or -importCert.
-autogenCert (Boolean, optional): Specifies whether to automatically generate the certificate used to sign the audit records. Specify exactly one of -useEncryptionCert, -autogenCert, or -importCert.
-importCert (Boolean, optional): Specifies whether to import an existing certificate to sign the audit records. Specify exactly one of -useEncryptionCert, -autogenCert, or -importCert.
-certKeyFileName (String, optional; used with -importCert): Unique name of the key file for the certificate to import.
-certKeyFilePath (String, optional; used with -importCert): Specifies the key file location for the certificate to import.
-certKeyFileType (String, optional; used with -importCert): Specifies the key file type for the certificate to import.
-certKeyFilePassword (String, optional; used with -importCert): Specifies the key file password for the certificate to import.
-certAliasToImport (String, optional; used with -importCert): Alias of the certificate to import.
The following command example configures signing and allows the system to automatically generate the certificate:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
The following command example configures signing and imports a certificate:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
The following command example uses the same certificate for signing and encryption:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -useEncryptionCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
- Save the configuration changes:
AdminConfig.save()
- Restart the server to apply the configuration changes.
Results
Signing is configured for the security audit data. If we set the -enableAuditSigning parameter to true, the security auditing system signs security audit data when security auditing is enabled.
What to do next
Once you configure the signing model for the first time, use the enableAuditSigning and disableAuditSigning commands to quickly turn signing on and off. The following example uses the enableAuditSigning command to turn signing on:
AdminTask.enableAuditSigning()
The following example uses the disableAuditSigning command to turn signing off:
AdminTask.disableAuditSigning()
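The steps above (create the signing model, save, restart) and the enable/disable toggle are usually wrapped in a script rather than typed one command at a time. The following Jython helper is an added example written for this page; it is not code from the original documentation or from the product. It builds the createAuditSigningConfig parameter string from the parameters the page documents, rejects the combinations the page rules out (no certificate mode, more than one mode, or -importCert without its key-file parameters) before anything is sent to the server, and then saves the configuration. The function names and the RecordingAdmin stand-in for AdminTask and AdminConfig are assumptions made for this example so that it can be run offline; under wsadmin you pass the real AdminTask and AdminConfig objects.

```python
# Added example for this page (not from the original documentation): a small
# Jython helper for wsadmin that builds, checks and runs the
# createAuditSigningConfig call, then toggles signing with
# enableAuditSigning / disableAuditSigning. The parameter names are the ones
# the page documents; the function names and the offline stand-in for
# AdminTask/AdminConfig are assumptions made for this example.

SIGNING_MODES = ('useEncryptionCert', 'autogenCert', 'importCert')
IMPORT_PARAMS = ('certKeyFileName', 'certKeyFilePath', 'certKeyFileType',
                 'certKeyFilePassword', 'certAliasToImport')


def build_signing_args(cert_alias, keystore_ref, mode, import_opts=None, enable=1):
    """Return the parameter string for AdminTask.createAuditSigningConfig.

    The page requires -enableAuditSigning, -certAlias and -signingKeyStoreRef,
    exactly one of the three certificate modes, and the key-file parameters
    when the mode is importCert. Those rules are checked here, before any
    command reaches the server. 1/0 is used instead of True/False so the
    script also runs on the Jython 2.1 that older wsadmin releases ship.
    """
    if mode not in SIGNING_MODES:
        raise ValueError('mode must be one of %s' % (SIGNING_MODES,))
    if enable:
        enable_str = 'true'
    else:
        enable_str = 'false'
    parts = ['-enableAuditSigning', enable_str,
             '-certAlias', cert_alias,
             '-%s' % mode, 'true']
    if mode == 'importCert':
        import_opts = import_opts or {}
        missing = [p for p in IMPORT_PARAMS if p not in import_opts]
        if missing:
            raise ValueError('importCert needs: %s' % ', '.join(missing))
        for p in IMPORT_PARAMS:
            parts.append('-%s' % p)
            parts.append(import_opts[p])
    elif import_opts:
        raise ValueError('key-file parameters only apply with importCert')
    parts.append('-signingKeyStoreRef')
    parts.append(keystore_ref)
    return ' '.join(parts)


def configure_signing(admin_task, admin_config, cert_alias, keystore_ref,
                      mode, import_opts=None):
    """Create the signing model and save it; restart the server afterwards.

    admin_task / admin_config are wsadmin's AdminTask and AdminConfig objects,
    passed in explicitly so the logic can be exercised without a server.
    """
    args = build_signing_args(cert_alias, keystore_ref, mode, import_opts)
    admin_task.createAuditSigningConfig(args)
    admin_config.save()
    return args


def set_signing(admin_task, admin_config, on):
    """Turn signing on or off once the signing model exists, then save."""
    if on:
        admin_task.enableAuditSigning()
    else:
        admin_task.disableAuditSigning()
    admin_config.save()
    return on and 'enabled' or 'disabled'


class RecordingAdmin:
    """Offline stand-in for AdminTask and AdminConfig (constructed for this
    example). It records every call instead of changing a configuration."""
    def __init__(self):
        self.calls = []
    def createAuditSigningConfig(self, args):
        self.calls.append(('createAuditSigningConfig', args))
        return ''
    def enableAuditSigning(self):
        self.calls.append(('enableAuditSigning', ''))
    def disableAuditSigning(self):
        self.calls.append(('disableAuditSigning', ''))
    def save(self):
        self.calls.append(('save', ''))


def dry_run():
    """Replay the page's three command forms and a toggle against the stand-in."""
    admin = RecordingAdmin()
    ks = 'Ref_Id_of_KeyStoreInSecurityXML'
    configure_signing(admin, admin, 'auditSigningCert', ks, 'autogenCert')
    configure_signing(admin, admin, 'auditSigningCert', ks, 'useEncryptionCert')
    configure_signing(admin, admin, 'auditSigningCert', ks, 'importCert', {
        'certKeyFileName': 'MyServerKeyFile.p12',
        'certKeyFilePath': 'install_root/etc/MyServerKeyFile.p12',
        'certKeyFileType': 'PKCS12',
        'certKeyFilePassword': 'password4key',  # placeholder value from the page
        'certAliasToImport': 'defaultCertificate'})
    set_signing(admin, admin, 0)
    set_signing(admin, admin, 1)
    return admin.calls
```

Under wsadmin, call configure_signing(AdminTask, AdminConfig, 'auditSigningCert', keystore_ref, 'importCert', opts) with the reference ID of a keystore that already exists in security.xml, then restart the server; dry_run() only shows the command strings the helper would issue. Note that, exactly as in the page's own example, the key-file password travels in clear text inside the command string, so read it from a prompt or a file with restricted permissions rather than leaving it in a script that is checked in or logged.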
Related tasks
Set auditable events using scripting
Encrypting security audit data using scripting
Enable security auditing using scripting
Set security audit notifications using scripting
Set security auditing using scripting
Related
AuditKeyStoreCommands
AuditEmitterCommands for AdminTask
AuditSigningCommands
AuditEncryptionCommands
AuditEventFactoryCommands for AdminTask
AuditFilterCommands
AuditNotificationCommands
AuditPolicyCommands
AuditEventFormatterCommands