AuditEncryptionCommands (AdminTask)
We can use the Jython scripting language to configure the security auditing system with wsadmin.sh. Use commands in the AuditEncryptionCommands group to encrypt audit records.
createAuditEncryptionConfig
Encrypt audit records. We can import the certificate from an existing key file that contains it, or automatically generate a certificate. User must have auditor role.
Target object: None
Required parameters
- -enableAuditEncryption
- Whether to encrypt audit records. Modifies the audit policy configuration. (Boolean, required)
- -certAlias
- Alias name identifying generated or imported certificate. (String, required)
- -encryptionKeyStoreRef
- Reference ID of the keystore to import the certificate to. (String, required)
Optional parameters
- -autogenCert
- Whether to automatically generate the certificate used to encrypt the audit records. Specify either this parameter or the -importCert parameter, but not both. (Boolean, optional)
- -importCert
- Whether to import an existing certificate to encrypt the audit records. Specify either this parameter or the -autogenCert parameter, but not both. (Boolean, optional)
- -certKeyFileName
- Unique name of the key file for the certificate to import. (String, optional)
- -certKeyFilePath
- Key file location for the certificate to import. (String, optional)
- -certKeyFileType
- Key file type for the certificate to import. (String, optional)
- -certKeyFilePassword
- Key file password for the certificate to import. (String, optional)
- -certAliasToImport
- Alias of the certificate to import. (String, optional)
Return value
The command returns the shortened form of the reference ID of the created encryption keystore if the system successfully creates the audit encryption configuration, as the following example output displays:
KeyStore_1173199825578
Batch mode example
- Jython string:
AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -autogenCert true -encryptionKeyStoreRef auditKeyStore')
- Jython list:
AdminTask.createAuditEncryptionConfig(['-enableAuditEncryption', 'true', '-certAlias', 'auditCertificate', '-autogenCert', 'true', '-encryptionKeyStoreRef', 'auditKeyStore'])
Interactive mode
- Jython string:
AdminTask.createAuditEncryptionConfig('-interactive')
createAuditSelfSignedCertificate
Create a self-signed certificate. Use this command to automatically generate a certificate for encryption and signing, or to import that certificate into the keystore. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore where the system imports the self-signed certificate to. (String, optional)
- -certificateAlias
- Unique alias name for the certificate. (String, required)
- -certificateSize
- Size that the private key uses for the personal certificate. The default value is 1024. (Integer, required)
- -certificateCommonName
- Common name portion of the distinguished name. (String, required)
Optional parameters
- -certificateOrganization
- Specifies the organizational part of the distinguished name. (String, optional)
- -keyStoreScope
- Scope of the keystore that the system imports the self-signed certificate to. (String, optional)
- -certificateVersion
- Version of the personal certificate. (String, optional)
- -certificateOrganizationalUnit
- Specifies the organization unit part of the distinguished name. (String, optional)
- -certificateLocality
- Locality portion of the distinguished name. (String, optional)
- -certificateState
- State portion of the distinguished name. (String, optional)
- -certificateZip
- Specifies the zip code portion of the distinguished name. (String, optional)
- -certificateCountry
- Country portion of the distinguished name. The default value is US. (String, optional)
- -certificateValidDays
- Length of time, in days, which the certificate is valid. The default value is 365 days. (Integer, optional)
Return value
True if the system successfully creates the self-signed certificate.
Batch mode example
- Jython string:
AdminTask.createAuditSelfSignedCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -certificateAlias myNew -certificateCommonName cn=oet -certificateOrganization mycompany')
- Jython list:
AdminTask.createAuditSelfSignedCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-certificateAlias', 'myNew', '-certificateCommonName', 'cn=oet', '-certificateOrganization', 'mycompany'])
Interactive mode
- Jython:
AdminTask.createAuditSelfSignedCertificate('-interactive')
deleteAuditCertificate
Delete a self-signed certificate from an audit keystore. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore from which the system deletes the self-signed certificate. (String, required)
- -certificateAlias
- Unique alias name for the certificate to delete. (String, required)
Optional parameters
- -keyStoreScope
- Unique alias name for the certificate. (String, optional)
Return value
Returns true if the system successfully deletes the audit certificate.
Batch mode example
- Jython string:
AdminTask.deleteAuditCertificate('-keyStoreName myKeystore -certificateAlias oldCertificate')
- Jython list:
AdminTask.deleteAuditCertificate(['-keyStoreName', 'myKeystore', '-certificateAlias', 'oldCertificate'])
Interactive mode
- Jython:
AdminTask.deleteAuditCertificate('-interactive')
deleteAuditEncryptionConfig
Delete the encryption model used to encrypt the audit records. The command does not remove keystore files or the certificates. User must have auditor role.
Target object: None
Return value
Returns true if the system successfully deletes the audit encryption configuration.
Batch mode example
- Jython string:
AdminTask.deleteAuditEncryptionConfig()
- Jython list:
AdminTask.deleteAuditEncryptionConfig()
Interactive mode
- Jython:
AdminTask.deleteAuditEncryptionConfig('-interactive')
disableAuditEncryption
Disable the encryption of audit records. User must have auditor role.
Target object: None
Return value
Returns true if the system successfully disables audit record encryption.
Batch mode example
- Jython string:
AdminTask.disableAuditEncryption()
- Jython list:
AdminTask.disableAuditEncryption()
Interactive mode
- Jython string:
AdminTask.disableAuditEncryption('-interactive')
enableAuditEncryption
Enable the encryption of audit records. User must have auditor role.
Target object: None
Return value
Returns true if the system successfully enables audit record encryption.
Batch mode example
- Jython string:
AdminTask.enableAuditEncryption()
- Jython list:
AdminTask.enableAuditEncryption()
Interactive mode
- Jython:
AdminTask.enableAuditEncryption('-interactive')
exportAuditCertificate
Export a self-signed certificate from a keystore. To use this command:
- We must have audit privileges to export the certificate from an audit keystore.
- We must have the auditor and administrator roles to export the certificate to a security keystore.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore. (String, required)
- -keyStorePassword
- Password that the system uses to access the keystore specified with the -keyStoreName parameter. (String, required)
- -keyFilePath
- Key store path name containing the certificate to export. (String, required)
- -keyFilePassword
- Password of the keystore containing the certificate to export. (String, required)
- -keyFileType
- Type of the keystore. (String, required)
- -certificateAlias
- Alias of the certificate to export from the keystore. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore. (String, optional)
- -aliasInKeyStore
- New unique name to identify the exported certificate. (String, optional)
Return value
Returns true if the system successfully exports the audit certificate.
Batch mode example
- Jython string:
AdminTask.exportAuditCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAlias root')
- Jython list:
AdminTask.exportAuditCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12', '-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAlias', 'root'])
Interactive mode
- Jython:
AdminTask.exportAuditCertificate('-interactive')
exportAuditCertToManagedKS
Export a self-signed certificate from an audit keystore to a managed audit keystore. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the managed keystore. (String, required)
- -keyStorePassword
- Password of the managed keystore containing the certificate to export. (String, required)
- -toKeyStoreName
- Unique name of the managed keystore containing the certificate to export. (String, required)
- -certificateAlias
- Unique name to identify the exported certificate. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore. (String, optional)
- -toKeyStoreScope
- Scope of the managed keystore containing the certificate to export. (String, optional)
- -aliasInKeyStore
- New unique name to identify the exported certificate. If we do not specify a value for this parameter, the system sets the unique name to the value specified for the -certificateAlias parameter. (String, optional)
Return value
Returns true if the system successfully exports the audit certificate.
Batch mode example
- Jython string:
AdminTask.exportAuditCertToManagedKS('-keyStoreName auditEncryptionKeyStore -keyStorePassword myPwd -toKeyStoreName AuditTrustStore -toKeyStoreScope (cell):my03Cell -certificateAlias newauditcert -aliasInKeyStore newauditcert1')
- Jython list:
AdminTask.exportAuditCertToManagedKS(['-keyStoreName', 'auditEncryptionKeyStore', '-keyStorePassword', 'myPwd', '-toKeyStoreName', 'AuditTrustStore', '-toKeyStoreScope', '(cell):my03Cell', '-certificateAlias', 'newauditcert', '-aliasInKeyStore', 'newauditcert1'])
Interactive mode
- Jython:
AdminTask.exportAuditCertToManagedKS('-interactive')
getAuditCertificate
Retrieve the attributes for an audit self-signed certificate in an audit keystore. The user must have the monitor administrative role to run this command.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the managed keystore of interest. (String, required)
- -certificateAlias
- Unique name to identify the exported certificate of interest. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore of interest. (String, optional)
Return value
The command returns a list of attributes associated with the audit certificate.
Batch mode example
- Jython string:
AdminTask.getAuditCertificate('-keyStoreName auditEncryptionKeyStore -certificateAlias newauditcert')
- Jython list:
AdminTask.getAuditCertificate(['-keyStoreName', 'auditEncryptionKeyStore', '-certificateAlias', 'newauditcert'])
Interactive mode
- Jython:
AdminTask.getAuditCertificate('-interactive')
getAuditEncryptionConfig
Retrieve the encryption model that the system uses to encrypt the audit records. The user must have the monitor administrative role to run this command.
Target object: None
Return value
The command returns a list of attributes associated with the encryption model, as the following example output displays:
{{certRef Certificate_1184698729015}
{keystoreRef KeyStore_1173199825578}
{keyStore AuditDefaultKeyStore(cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578)}
{enabled true}
{alias mycertalias}
{_Websphere_Config_Data_Version {}}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#Certificate_1184698729015}
{_Websphere_Config_Data_Type Certificate}}
Batch mode example
- Jython string:
AdminTask.getAuditEncryptionConfig()
- Jython list:
AdminTask.getAuditEncryptionConfig()
Interactive mode
- Jython:
AdminTask.getAuditEncryptionConfig('-interactive')
getEncryptionKeyStore
Retrieve the attributes for the keystore containing the certificate that the system uses to encrypt the audit records. The user must have the monitor administrative role to run this command.
Target object: None
Return value
The command returns a list of attributes for the keystore of interest, as the following example displays:
{{location ${CONFIG_ROOT}/audittrust.p12}
{password *****}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578}
{_Websphere_Config_Data_Version {}}
{useForAcceleration false}
{slot 0}
{type PKCS12}
{additionalKeyStoreAttrs {}}
{fileBased true}
{_Websphere_Config_Data_Type KeyStore}
{customProviderClass {}}
{hostList {}}
{keystoreRef KeyStore_1173199825578}
{createStashFileForCMS false}
{description {keyStore description}}
{managementScope (cells/CHEYENNENode04Cell|audit.xml#ManagementScope_1173199825608)}
{readOnly false}
{initializeAtStartup true}
{usage {}}
{provider IBMJCE}
{name AuditDefaultKeyStore}}
Batch mode example
- Jython string:
AdminTask.getEncryptionKeyStore()
- Jython list:
AdminTask.getEncryptionKeyStore()
Interactive mode
- Jython:
AdminTask.getEncryptionKeyStore('-interactive')
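Both getAuditEncryptionConfig and getEncryptionKeyStore return their attributes as a single brace-delimited string. The following added example (not IBM code) parses that format in plain Python and checks that encryption is enabled and that the configured keystoreRef matches the keystore. The sample strings are copied from this page, with the keystore output abridged, and the function names are illustrative.

```python
# Added example: parse the brace-delimited attribute lists that
# getAuditEncryptionConfig / getEncryptionKeyStore return as strings.

# Sample output copied from this page (attribute lists abridged).
ENCRYPTION_CONFIG = """{{certRef Certificate_1184698729015}
{keystoreRef KeyStore_1173199825578}
{keyStore AuditDefaultKeyStore(cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578)}
{enabled true}
{alias mycertalias}
{_Websphere_Config_Data_Version {}}
{_Websphere_Config_Data_Type Certificate}}"""

KEYSTORE = """{{location ${CONFIG_ROOT}/audittrust.p12}
{password *****}
{type PKCS12}
{keystoreRef KeyStore_1173199825578}
{description {keyStore description}}
{readOnly false}
{name AuditDefaultKeyStore}}"""


def split_top_level(text):
    """Return the contents of each top-level {...} group, keeping nested braces."""
    items, depth, current = [], 0, []
    for ch in text:
        if ch == '{':
            if depth > 0:
                current.append(ch)
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth < 0:
                raise ValueError('unbalanced closing brace')
            if depth == 0:
                items.append(''.join(current))
                current = []
            else:
                current.append(ch)
        elif depth > 0:
            current.append(ch)
        elif not ch.isspace():
            raise ValueError('unexpected text outside braces: %r' % ch)
    if depth != 0:
        raise ValueError('unbalanced opening brace')
    return items


def parse_attr_list(text):
    """Parse '{{key value} {key value}}' output into a list of dicts."""
    records = []
    for group in split_top_level(text):
        record = {}
        for pair in split_top_level(group):
            key, _, value = pair.strip().partition(' ')
            value = value.strip()
            if value.startswith('{') and value.endswith('}'):
                value = value[1:-1]  # '{}' -> '', '{a b}' -> 'a b'
            record[key] = value
        records.append(record)
    return records


def check_encryption(config_text, keystore_text):
    """Return findings; an empty list means encryption is on and consistent."""
    config = parse_attr_list(config_text)[0]
    keystores = parse_attr_list(keystore_text)
    findings = []
    if config.get('enabled') != 'true':
        findings.append('audit record encryption is not enabled')
    if not config.get('alias'):
        findings.append('no certificate alias is configured')
    if config.get('keystoreRef') not in [k.get('keystoreRef') for k in keystores]:
        findings.append('keystoreRef does not match a listed keystore')
    return findings


if __name__ == '__main__':
    print(check_encryption(ENCRYPTION_CONFIG, KEYSTORE))
```

Inside wsadmin the two strings would come from AdminTask.getAuditEncryptionConfig() and AdminTask.getEncryptionKeyStore() instead of the embedded samples.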
importAuditCertFromManagedKS
Import a self-signed certificate into a keystore from a managed audit keystore. Use this command internally to automatically generate a certificate for encryption or signing and to import a certificate into the keystore. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the managed keystore. (String, required)
- -fromKeyStoreName
- Unique name of the managed keystore containing the certificate to import. (String, required)
- -fromKeyStorePassword
- Password of the managed keystore containing the certificate to import. (String, required)
- -certificateAliasFromKeyFile
- Alias of the certificate to import from the managed keystore file. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore. (String, optional)
- -fromKeyStoreScope
- Scope of the managed keystore containing the certificate to import. (String, optional)
- -certificateAlias
- Unique name to identify the imported certificate. (String, optional)
Return value
Returns true if the system successfully imports the audit certificate.
Batch mode example
- Jython string:
AdminTask.importAuditCertFromManagedKS('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):myNode03Cell -fromKeyStoreName AuditSecondDefaultKeyStore -fromKeyStoreScope (cell):myNode03Cell -fromKeyStorePassword myPwd -certificateAliasFromKeyFile root -certificateAlias myimportcert')
- Jython list:
AdminTask.importAuditCertFromManagedKS(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-fromKeyStoreName', 'AuditSecondDefaultKeyStore', '-fromKeyStoreScope', '(cell):myNode03Cell', '-fromKeyStorePassword', 'myPwd', '-certificateAliasFromKeyFile', 'root', '-certificateAlias', 'myimportcert'])
Interactive mode
- Jython:
AdminTask.importAuditCertFromManagedKS('-interactive')
importAuditCertificate
Import a self-signed certificate into a keystore. Use this command internally to automatically generate a certificate for encryption or signing and to import a certificate into the keystore. To use this command:
- We must have audit privileges to import the certificate to an audit keystore.
- We must have the auditor and administrator roles to import the certificate to a security keystore.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore. (String, required)
- -keyFilePath
- Key store path name containing the certificate to import. (String, required)
- -keyFilePassword
- Password of the keystore containing the certificate to import. (String, required)
- -keyFileType
- Type of the keystore. (String, required)
- -certificateAliasFromKeyFile
- Alias of the certificate to import from the keystore file. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore. (String, optional)
- -certificateAlias
- Unique name to identify the imported certificate. (String, optional)
Return value
Returns true if the system successfully imports the audit certificate.
Batch mode example
- Jython string:
AdminTask.importAuditCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
- Jython list:
AdminTask.importAuditCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12', '-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 'root', '-certificateAlias', 'myimportcert'])
Interactive mode
- Jython:
AdminTask.importAuditCertificate('-interactive')
importEncryptionCertificate
Import the self-signed certificate that the system uses to encrypt audit data from the encryption keystore into a managed keystore in security.xml. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore. (String, required)
- -keyFilePath
- Key store path name containing the certificate to import. (String, required)
- -keyFilePassword
- Password of the keystore containing the certificate to import. (String, required)
- -keyFileType
- Type of the keystore. (String, required)
- -certificateAliasFromKeyFile
- Alias of the certificate to import from the keystore file. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore. (String, optional)
- -certificateAlias
- Unique name to identify the imported certificate. (String, optional)
Return value
Returns true if the system successfully imports the encryption certificate.
Batch mode example
- Jython string:
AdminTask.importEncryptionCertificate('-keyStoreName DefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword myPwd -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
- Jython list:
AdminTask.importEncryptionCertificate(['-keyStoreName', 'DefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-keyFilePath', 'c:/wasinstall/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12', '-keyFilePassword', 'myPwd', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 'root', '-certificateAlias', 'myimportcert'])
Interactive mode
- Jython:
AdminTask.importEncryptionCertificate('-interactive')
isAuditEncryptionEnabled
Determine if audit record encryption is enabled. The user must have the monitor administrative role to run this command.
Target object: None
Return value
Returns true if audit record encryption is enabled.
Batch mode example
- Jython string:
AdminTask.isAuditEncryptionEnabled()
- Jython list:
AdminTask.isAuditEncryptionEnabled()
Interactive mode
- Jython:
AdminTask.isAuditEncryptionEnabled('-interactive')
listAuditEncryptionKeyStores
Retrieve the attributes for each configured encryption keystore from the audit.xml file. The command returns attributes for active and inactive keystores. The user must have the monitor administrative role to run this command.
Target object: None
Return value
The command returns a list of attributes for each configured keystore, as the following example output displays:
{{location ${CONFIG_ROOT}/audittrust.p12}
{password *****}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#KeyStore_1173199825578}
{useForAcceleration false}
{slot 0}
{type PKCS12}
{additionalKeyStoreAttrs {}}
{fileBased true}
{_Websphere_Config_Data_Type KeyStore}
{customProviderClass {}}
{hostList {}}
{keystoreRef KeyStore_1173199825578}
{createStashFileForCMS false}
{description {keyStore description}}
{readOnly false}
{initializeAtStartup true}
{managementScope (cells/CHEYENNENode04Cell|audit.xml#ManagementScope_1173199825608)}
{usage {}}
{provider IBMJCE}
{name AuditDefaultKeyStore}}
Batch mode example
- Jython string:
AdminTask.listAuditEncryptionKeyStores()
- Jython list:
AdminTask.listAuditEncryptionKeyStores()
Interactive mode
- Jython:
AdminTask.listAuditEncryptionKeyStores('-interactive')
listCertAliases
Retrieve a list of the personal certificates in the keystore, as specified by the keystore name and scope of interest. The user must have the monitor administrative role to run this command.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the keystore. (String, required)
Optional parameters
- -keyStoreScope
- Scope of the keystore. The default value is the cell scope. (String, optional)
Return value
The command returns a list of certificate aliases for the personal certificates configured for the keystore, as the following sample output displays:
mycertalias
Batch mode example
- Jython string:
AdminTask.listCertAliases('-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell')
- Jython list:
AdminTask.listCertAliases(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell'])
Interactive mode
- Jython:
AdminTask.listCertAliases('-interactive')
modifyAuditEncryptionConfig
Modify the encryption model that the system uses to encrypt the audit records. Specify values for the -enableAuditEncryption, -certAlias, and -encryptionKeyStoreRef parameters to use an existing keystore. Do not specify the -importCert or -autogenCert parameters if you use an existing keystore. User must have auditor role.
Target object: None
Required parameters: None
Optional parameters
- -enableAuditEncryption
- Whether to encrypt audit records. Modifies the audit policy configuration. (Boolean, optional)
- -autogenCert
- Whether to automatically generate the certificate used to encrypt the audit records. Specify either this parameter or the -importCert parameter, but not both. (Boolean, optional)
- -importCert
- Whether to import an existing certificate to encrypt the audit records. Specify either this parameter or the -autogenCert parameter, but not both. (Boolean, optional)
- -certKeyFileName
- Unique name of the key file for the certificate to import. (String, optional)
- -certKeyFilePath
- Key file location for the certificate to import. (String, optional)
- -certKeyFileType
- Key file type for the certificate to import. (String, optional)
- -certKeyFilePassword
- Key file password for the certificate to import. (String, optional)
- -certAliasToImport
- Alias of the certificate to import. (String, optional)
- -certAlias
- Alias name identifying generated or imported certificate. (String, optional)
- -encryptionKeyStoreRef
- Reference ID of the keystore to import the certificate to. (String, optional)
Return value
Returns true if the system successfully updates the configuration.
Batch mode example
- Jython string:
AdminTask.modifyAuditEncryptionConfig('-enableAuditEncryption true -certAlias mycertalias -encryptionKeyStoreRef KeyStore_1173199825578')
- Jython list:
AdminTask.modifyAuditEncryptionConfig(['-enableAuditEncryption', 'true', '-certAlias', 'mycertalias', '-encryptionKeyStoreRef', 'KeyStore_1173199825578'])
Interactive mode
- Jython:
AdminTask.modifyAuditEncryptionConfig('-interactive')
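createAuditEncryptionConfig and modifyAuditEncryptionConfig share the same parameters and the same rule that -autogenCert and -importCert cannot be combined. The following added example (not IBM code) validates those rules before the call and builds the Jython list form, plus a copy with the key file password masked for logging. The function names, the dictionary layout and the treatment of the -certKey* values as an all-or-nothing group are assumptions of this example.

```python
# Added example (not IBM code): pre-flight validation of the arguments for
# createAuditEncryptionConfig / modifyAuditEncryptionConfig.
IMPORT_FLAGS = ('-certKeyFileName', '-certKeyFilePath', '-certKeyFileType',
                '-certKeyFilePassword', '-certAliasToImport')
CORE_FLAGS = ('-enableAuditEncryption', '-certAlias', '-encryptionKeyStoreRef')


def build_encryption_args(command, enable=None, cert_alias=None,
                          keystore_ref=None, autogen=False, import_cert=False,
                          key_file=None):
    """Return the Jython list form of the arguments or raise ValueError."""
    key_file = key_file or {}
    if command not in ('create', 'modify'):
        raise ValueError('command must be "create" or "modify"')
    if autogen and import_cert:
        raise ValueError('specify -autogenCert or -importCert, not both')
    if enable is not None:
        enable = 'true' if enable else 'false'
    core = dict(zip(CORE_FLAGS, (enable, cert_alias, keystore_ref)))
    if command == 'create':
        # All three are listed as required for createAuditEncryptionConfig.
        missing = [f for f in CORE_FLAGS if core[f] is None]
        if missing:
            raise ValueError('missing required: ' + ', '.join(missing))
    unknown = sorted(set(key_file) - set(IMPORT_FLAGS))
    if unknown:
        raise ValueError('not an import parameter: ' + ', '.join(unknown))
    # Assumption: the -certKey* / -certAliasToImport values are only
    # meaningful together with -importCert true, and all are needed then.
    if key_file and not import_cert:
        raise ValueError('import parameters given without -importCert')
    if import_cert:
        absent = [f for f in IMPORT_FLAGS if f not in key_file]
        if absent:
            raise ValueError('-importCert needs: ' + ', '.join(absent))
    args = []
    for flag in CORE_FLAGS:
        if core[flag] is not None:
            args += [flag, core[flag]]
    if autogen:
        args += ['-autogenCert', 'true']
    if import_cert:
        args += ['-importCert', 'true']
        for flag in IMPORT_FLAGS:
            args += [flag, key_file[flag]]
    return args


def redact(args):
    """Copy of args that is safe to log: password values are masked."""
    safe = list(args)
    for i in range(len(safe) - 1):
        if safe[i].lower().endswith('password'):
            safe[i + 1] = '*****'
    return safe


if __name__ == '__main__':
    # Inside wsadmin: AdminTask.createAuditEncryptionConfig(args)
    args = build_encryption_args('create', enable=True,
                                 cert_alias='auditCertificate',
                                 keystore_ref='auditKeyStore', autogen=True)
    print(redact(args))
```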
renewAuditCertificate
Renew a self-signed certificate in an audit keystore. User must have auditor role.
Target object: None
Required parameters
- -keyStoreName
- Unique name of the managed keystore of interest. (String, required)
- -certificateAlias
- Unique name to identify the exported certificate to renew. (String, required)
Optional parameters
- -keyStoreScope
- Scope name of the keystore of interest. (String, optional)
Return value
Returns true if the system successfully updates the configuration.
Batch mode example
- Jython string:
AdminTask.renewAuditCertificate('-keyStoreName auditEncryptionKeyStore -certificateAlias newauditcert')
- Jython list:
AdminTask.renewAuditCertificate(['-keyStoreName', 'auditEncryptionKeyStore', '-certificateAlias', 'newauditcert'])
Interactive mode
- Jython:
AdminTask.renewAuditCertificate('-interactive')