+

Search Tips   |   Advanced Search

AuditSigningCommands (AdminTask)

We can use the Jython scripting language to configure the signing of audit records with wsadmin.sh. Use commands in the AuditSigningCommands group to enable, disable, and configure the security audit system to sign audit records.

Use the following commands to configure audit signing:


createAuditSigningConfig

The createAuditSigningConfig command creates the signing model that the system uses to sign the audit records. Use this command to configure the audit signing configuration for the first time. If we have already configured audit signing, use the enableAuditSigning and disableAuditSigning commands to turn audit signing on and off.

We can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as the application server uses encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, -autogenCert, and -importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object: None.

Required parameters

-enableAuditSigning

Whether to sign audit records. Modifies the audit policy configuration. (Boolean, required)

-certAlias

Alias name identifying generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in security.xml. The system updates this keystore with the certificate used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert

Whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Key file location for the certificate to import. (String, optional)

-certKeyFileType

Key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)

Return value

If successful, returns the shortened from of the keystore where the signing certificate has been added to. Remember, this keystore is in security.xml, not the audit.xml file.

Batch mode example

Interactive mode


deleteAuditSigningConfig

The deleteAuditSigningConfig command deletes the signing model that the system uses to sign the audit records. When the system deletes the audit signing configuration, it does not delete the key store file in the security.xml or the signer certificate for the keystore.

User must have auditor role.

Target object: None.

Return value

Returns true if the system successfully removes the audit signing configuration.

Batch mode example

Interactive mode


disableAuditSigning

The disableAuditSigning command disables audit record signing for the security auditing system.

User must have auditor role.

Target object: None.

Return value

Returns true if the system successfully disables audit signing.

Batch mode example

Interactive mode


enableAuditSigning

The enableAuditSigning command enables audit record signing in the security auditing system.

User must have auditor role.

Target object: None.

Return value

Returns true if the system successfully enables audit signing in the security auditing system.

Batch mode example

Interactive mode


getAuditSigningConfig

The getAuditSigningConfig command retrieves the signing model that the system uses to sign the audit records.

The user must have the monitor administrative role to run this command.

Target object: None.

Return value

The command returns a list of attributes associated with the signing model, as the following sample output displays:

{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}

Batch mode example

Interactive mode


importEncryptionCertificate

The importEncryptionCertificate command imports the self-signed certificate used for encrypting audit data from the encryption keystore into another keystore. Use this command internally to automatically generate a certificate for either encryption or signing. We can also use this command to import the certificate into the keystore by specifying the keyStoreName and keyStoreScope parameters.

Target object: None.

Required parameters

-keyStoreName

Unique name to identify the keystore. (String, required)

-keyFilePath

Keystore path name containing the certificate to import. (String, required)

-keyFilePassword

Password of the keystore containing the certificate to import. (String, required)

-keyFileType

Type of the keystore. (String, required)

-certificateAliasFromKeyFile

Alias of the certificate to import from the keystore file. (String, required)

Optional parameters

-keyStoreScope

Scope name of the keystore. (String, optional)

-certificateAlias

Unique name to identify the imported certificate. (String, optional)

Return value

Returns true if the system successfully imports the encryption certificate.

Batch mode example

Interactive mode


isAuditSigningEnabled

The isAuditSigningEnabled command indicates whether audit signing is enabled or disable in the security audit system.

The user must have the monitor administrative role to run this command.

Target object: None.

Return value

Returns true if signing is configured in the security auditing system.

Batch mode example usage

Interactive mode


modifyAuditSigningConfig

The modifyAuditSigningConfig command modifies the signing model that the system uses to sign the audit records.

The certificate may either be imported from an existing key file name containing that certificate, automatically generated, or be the same certificate used to encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value the -useEncryptionCert, -autogenCert, and -importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object: None.

Required parameters

-enableAuditSigning

Whether to sign audit records. Modifies the audit policy configuration. (Boolean, required)

-certAlias

Alias name identifying generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in security.xml. The system updates this keystore with the certificate used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert

Whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Key file location for the certificate to import. (String, optional)

-certKeyFileType

Key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)

Return value

Returns true if the system successfully modifies the security auditing system configuration.

Batch mode example

Interactive mode

  • AuditKeyStoreCommands (AdminTask)
  • AuditEmitterCommands (AdminTask)
  • AuditEncryptionCommands (AdminTask)
  • AuditEventFactoryCommands (AdminTask)
  • AuditFilterCommands (AdminTask)
  • AuditNotificationCommands (AdminTask)
  • AuditPolicyCommands (AdminTask)
  • AuditEventFormatterCommands (AdminTask)