

Signing security audit data using scripting

We can use wsadmin.sh to configure the security auditing system to sign security audit records. Security auditing provides tracking and archiving of auditable events.

Verify that we have the appropriate administrative roles: completing this task requires both the auditor and administrator administrative roles.

When configuring the signing of audit data, the auditor can choose between the following options: import the certificate from an existing key file, let the system generate the certificate automatically, or reuse the certificate that is already used to encrypt the audit records.

Use the following task steps to configure the signing of security audit data:


Procedure

  1. Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Configure signing settings for security audit data.

    Use the createAuditSigningConfig command to create the signing model to sign your audit records.

    We can import the certificate from an existing key file that contains it, automatically generate the certificate, or use the same certificate that is used to encrypt the audit records. The signing keystore must already exist in the security.xml file; the system updates this keystore with the certificate used to sign the audit records.

    Command parameters. Use the following parameters with the createAuditSigningConfig command. The -enableAuditSigning, -certAlias, and -signingKeyStoreRef parameters are required, and exactly one of -useEncryptionCert, -autogenCert, or -importCert must be specified. Data type and whether the parameter is required are given in parentheses.

    -enableAuditSigning (Boolean, required)
        Whether to sign audit records. This parameter modifies your audit policy configuration.
    -certAlias (String, required)
        Alias name that identifies the generated or imported certificate.
    -signingKeyStoreRef (String, required)
        Reference ID of the keystore to import the certificate to.
    -useEncryptionCert (Boolean, optional)
        Whether to use the same certificate for encryption and signing. One of -useEncryptionCert, -autogenCert, or -importCert must be specified.
    -autogenCert (Boolean, optional)
        Whether to automatically generate the certificate used to sign the audit records. One of -useEncryptionCert, -autogenCert, or -importCert must be specified.
    -importCert (Boolean, optional)
        Whether to import an existing certificate to sign the audit records. One of -useEncryptionCert, -autogenCert, or -importCert must be specified.
    -certKeyFileName (String, optional)
        Unique name of the key file for the certificate to import.
    -certKeyFilePath (String, optional)
        Key file location for the certificate to import.
    -certKeyFileType (String, optional)
        Key file type for the certificate to import.
    -certKeyFilePassword (String, optional)
        Key file password for the certificate to import.
    -certAliasToImport (String, optional)
        Alias of the certificate to import.

    The following command example configures signing and allows the system to automatically generate the certificate:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
    -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
    

    The following command example configures signing and imports a certificate:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
    -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12
    -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate
    -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
    

    The following command example uses the same certificate for signing and encryption:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert
    -useEncryptionCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
    

  3. Save the configuration changes.

    Save the configuration changes:

    AdminConfig.save()
    

  4. Restart the server to apply the configuration changes.


Results

Signing is configured for the security audit data. If you set the -enableAuditSigning parameter to true, the security auditing system signs security audit data when security auditing is enabled.


What to do next

Once you configure the signing model for the first time, use the enableAuditSigning and disableAuditSigning commands to quickly turn signing on and off. Use the enableAuditSigning command to turn signing on:

AdminTask.enableAuditSigning()

Use the disableAuditSigning command to turn signing off:

AdminTask.disableAuditSigning()

Configure auditable events using scripting
Encrypting security audit data using scripting
Enable security auditing using scripting
Configure security audit notifications using scripting
Configure security auditing using scripting
Start the wsadmin scripting client using wsadmin.sh


Related


AuditKeyStoreCommands command group
AuditEmitterCommands
AuditSigningCommands command group
AuditEncryptionCommands command group
AuditEventFactoryCommands
AuditFilterCommands command group
AuditNotificationCommands command group
AuditPolicyCommands command group
AuditEventFormatterCommands command group
