WAS v8.5 > Secure applications > Auditing the security infrastructure > Protecting your security audit data

Signing your security audit records

Audit logs can be signed to ensure the integrity of your audit data. By signing your audit records, any modification of the audit logs can be detected and traced.

Restriction: Signing audit data is only available for data created using the default audit service provider. If you are using the SMF emitter or a third-party emitter, you will not be able to sign your data. Before configuring your security audit records to be signed, enable global security and security auditing in the environment. You must be assigned both the auditor role and the administrator role to configure audit record signing.

  1. Click Security > Security Auditing > Audit record signing configuration.

  2. Select the Enable signing check box to specify that your audit records should be signed. All other fields on this panel will be unavailable until this check box has been selected.

  3. Select the keystore containing the signing certificate from the Managed keystore containing the signing certificate dropdown menu.

  4. If you are using an existing certificate to sign your audit records, ensure Certificate in keystore is selected and specify the intended certificate in the Certificate alias dropdown menu.

  5. If you are generating a new certificate to sign your audit records, select Create a new certificate in the selected keystore and follow these steps:

    a. Enter the name of your new certificate in the Certificate alias field.

    b. Select one of the following options: Import the encryption certificate, Automatically generate certificate or Import a certificate. The certificate used to encrypt the data in the audit log files can either be created or imported.

      • If you selected Import the encryption certificate, then you will use the encryption certificate to also sign your audit records. Skip to the last step on this page to complete this configuration.

      • If you selected to generate a certificate, then skip to the last step on this page to complete this configuration.

      • If you selected to import a certificate from an existing keystore, then continue with step c.

    c. Enter the name of the keystore file in the Key file name field.

    d. Enter the path to the keystore file in the Path field.

    e. Select the keystore type from the Type dropdown list. The default value of the Type dropdown list is PKCS12.

    f. Enter the password associated with the keystore in the Key File password field.

    g. Click Get key file aliases to populate the Certificate alias to import dropdown menu.

    h. Select the certificate to be imported from the Certificate alias to import dropdown menu.

  6. Click OK.
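The same configuration driven from wsadmin, as an added example that is not part of this page or of the product documentation (the product's own scripting topic is listed under Related below). The AdminTask command and parameter names are assumptions that mirror the panel fields above and should be confirmed against that scripting topic; the keystore name, alias, file name, path and password are placeholders.

```jython
# Added example (not from the original page): wsadmin Jython equivalent of the
# "Audit record signing configuration" panel, for the "import a certificate
# from an existing keystore" path (steps 5c-5h above).
# ASSUMPTION: AdminTask.createAuditSigningConfig and its parameter names mirror
# the panel fields; confirm against the "Signing security audit data using
# scripting" topic before use. All values below are placeholders.

signing_keystore = 'auditSigningKeyStore'   # placeholder: managed keystore holding the signer
cert_alias       = 'auditSigner'            # placeholder: Certificate alias (step 5a)

# Enable signing and import the signing certificate from an existing PKCS12 key file.
AdminTask.createAuditSigningConfig(
    '-enableAuditSigning true'
    ' -certAlias %s'
    ' -signingKeyStoreRef %s'
    ' -importCert true'
    ' -certKeyFileName auditSigner.p12'            # placeholder: Key file name (5c)
    ' -certKeyFilePath /opt/keys/auditSigner.p12'  # placeholder: Path (5d)
    ' -certKeyFileType PKCS12'                     # Type (5e), the panel default
    ' -certKeyFilePassword CHANGE_ME'              # placeholder: Key File password (5f)
    ' -certAliasToImport auditSigner'              # placeholder: Certificate alias to import (5h)
    % (cert_alias, signing_keystore))

# Persist the change (the equivalent of clicking OK) and read the signing
# configuration back to confirm that signing is now enabled.
AdminConfig.save()
print AdminTask.getAuditSigningConfig()
```

Run it from wsadmin with an ID that holds both the auditor and administrator roles, as the restriction above requires.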


Results

After you have completed these steps, your audit logs will be digitally signed to ensure the integrity of the data.

After you have finished configuring your audit logs to be signed, you can also ensure the confidentiality of your audit logs by configuring the audit subsystem to encrypt your audit records.


Related


Protecting your security audit data
Encrypting security audit data using scripting
Signing security audit data using scripting


Reference:

Audit encryption keystores and certificates page
Audit record encryption configuration settings
Audit record signing configuration settings
Audit record keystore settings
