Signing security audit data
We can use wsadmin.sh to configure the security auditing system to sign security audit records. Security auditing provides tracking and archiving of auditable events.
Verify that we have the appropriate administrative role. To complete this topic, you must have the auditor and administrator administrative roles.
When configuring the signing of audit data, the auditor can choose between the following options:
- Allow the application server to automatically generate a certificate.
- Use an existing self-signed certificate that the auditor previously generated.
- Use the same self-signed certificate as the system uses to encrypt the audit records.
- Use an existing keystore to store this certificate.
- Create a new keystore to store this certificate.
- Use an existing self-signed certificate in an existing keystore.
Use the following task steps to configure the signing of security audit data:
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Configure signing settings for security audit data.
Use the createAuditSigningConfig command to create the signing model to sign the audit records.
We can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as used to encrypt the audit records. The signing keystore must exist in security.xml. The system updates this keystore with the certificate to use to sign the audit records.
Specify the -enableAuditSigning, -certAlias, and -signingKeyStoreRef parameters; the remaining parameters are optional.
Parameters of the createAuditSigningConfig command:
- -enableAuditSigning (Boolean, required): Whether to sign audit records. This parameter modifies the audit policy configuration.
- -certAlias (String, required): Alias name identifying the generated or imported certificate.
- -signingKeyStoreRef (String, required): Reference ID of the keystore to import the certificate to.
- -useEncryptionCert (Boolean, optional): Whether to use the same certificate for encryption and signing. Specify one of the -useEncryptionCert, -autogenCert, or -importCert parameters.
- -autogenCert (Boolean, optional): Whether to automatically generate the certificate used to sign the audit records. Specify one of the -useEncryptionCert, -autogenCert, or -importCert parameters.
- -importCert (Boolean, optional): Whether to import an existing certificate to sign the audit records. Specify one of the -useEncryptionCert, -autogenCert, or -importCert parameters.
- -certKeyFileName (String, optional): Unique name of the key file for the certificate to import.
- -certKeyFilePath (String, optional): Key file location for the certificate to import.
- -certKeyFileType (String, optional): Key file type for the certificate to import.
- -certKeyFilePassword (String, optional): Key file password for the certificate to import.
- -certAliasToImport (String, optional): Alias of the certificate to import.
The following command example configures signing and allows the system to automatically generate the certificate:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
The following command example configures signing and imports a certificate:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
The following command example uses the same certificate for signing and encryption:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -useEncryptionCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
- Save the configuration changes.
Use the following command example to save the configuration changes:
AdminConfig.save()
- Restart the server to apply the configuration changes.
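The following helper is an added example, not IBM's code: it assembles the argument string that the steps above pass to AdminTask.createAuditSigningConfig, and rejects an incomplete or contradictory parameter set (missing required parameters, no certificate source, or key-file parameters without -importCert) before the command reaches the server. The function name build_signing_args and the _quote helper are assumptions of this example.

```python
# Added example (not IBM's code): builds the argument string passed to
# AdminTask.createAuditSigningConfig and enforces the rules from the
# parameter list above before anything reaches the server.
CERT_SOURCES = ("autogenCert", "importCert", "useEncryptionCert")
IMPORT_PARAMS = ("certKeyFileName", "certKeyFilePath", "certKeyFileType",
                 "certKeyFilePassword", "certAliasToImport")


def _quote(value):
    # wsadmin splits the argument string on spaces; quote values containing them.
    value = str(value)
    return '"%s"' % value if " " in value else value


def build_signing_args(cert_alias, keystore_ref, source, enable=True, **import_opts):
    """Return the createAuditSigningConfig argument string.

    source selects one certificate source: 'autogenCert', 'importCert' or
    'useEncryptionCert'. Key-file keyword arguments (certKeyFileName, ...)
    are required with 'importCert' and rejected otherwise.
    """
    if not cert_alias or not keystore_ref:
        raise ValueError("-certAlias and -signingKeyStoreRef are required")
    if source not in CERT_SOURCES:
        raise ValueError("source must be one of %s" % ", ".join(CERT_SOURCES))
    parts = ["-enableAuditSigning", "true" if enable else "false",
             "-certAlias", _quote(cert_alias), "-" + source, "true"]
    if source == "importCert":
        missing = [p for p in IMPORT_PARAMS if p not in import_opts]
        if missing:
            raise ValueError("importCert needs: " + ", ".join("-" + p for p in missing))
        for p in IMPORT_PARAMS:
            parts += ["-" + p, _quote(import_opts[p])]
    elif import_opts:
        raise ValueError("key-file parameters only apply with importCert")
    parts += ["-signingKeyStoreRef", _quote(keystore_ref)]
    return " ".join(parts)


if __name__ == "__main__":
    # Inside wsadmin (Jython) the result is passed straight to AdminTask:
    #   AdminTask.createAuditSigningConfig(build_signing_args(...)); AdminConfig.save()
    print(build_signing_args("auditSigningCert", "Ref_Id_of_KeyStoreInSecurityXML",
                             "importCert", certKeyFileName="MyServerKeyFile.p12",
                             certKeyFilePath="install_root/etc/MyServerKeyFile.p12",
                             certKeyFileType="PKCS12", certKeyFilePassword="password4key",
                             certAliasToImport="defaultCertificate"))
```

The keystore reference ID still has to be one that exists in security.xml, as the page requires; the helper only checks the shape of the command, not the server configuration.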
Results
Signing is configured for the security audit data. If we set the -enableAuditSigning parameter to true, the security auditing system signs security audit data when security auditing is enabled.
What to do next
Once you configure the signing model for the first time, use the enableAuditSigning and disableAuditSigning commands to quickly turn signing on and off. The following example uses the enableAuditSigning command to turn signing on:
AdminTask.enableAuditSigning()
The following example uses the disableAuditSigning command to turn signing off:
AdminTask.disableAuditSigning()