+

Search Tips   |   Advanced Search

AuditSigningCommands


Use Jython to configure the signing of audit records with wsadmin. Use the commands and parameters in the AuditSigningCommands group to enable, disable, and configure the security audit system to sign audit records.

Use the following commands to configure audit signing:

 

createAuditSigningConfig

The createAuditSigningConfig command creates the signing model that the system uses to sign the audit records. Use this command to configure the audit signing configuration for the first time. If we have already configured audit signing, use the enableAuditSigning and disableAuditSigning commands to turn audit signing on and off.

We can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as the appserver uses encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and –signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, –autogenCert, and –importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object

None.

Required parameters

-enableAuditSigning

Specifies whether to sign audit records. This parameter modifies the audit policy configuration. (Boolean, required)

-certAlias

Alias name that identifies the generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in security.xml. The system updates this keystore with the certificate used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert

Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Specifies the key file location for the certificate to import. (String, optional)

-certKeyFileType

Specifies the key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Specifies the key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)

Return value

If successful, returns the shortened from of the keystore where the signing certificate has been added to. Remember, this keystore is in security.xml, not the audit.xml file.

Batch mode example usage

Interactive mode example usage

 

deleteAuditSigningConfig

The deleteAuditSigningConfig command deletes the signing model that the system uses to sign the audit records. When the system deletes the audit signing configuration, it does not delete the key store file in the security.xml or the signer certificate for the keystore.

The user must have the auditor admin role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully removes the audit signing configuration.

Batch mode example usage

Interactive mode example usage

 

disableAuditSigning

The disableAuditSigning command disables audit record signing for the security auditing system.

The user must have the auditor admin role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully disables audit signing.

Batch mode example usage

Interactive mode example usage

 

enableAuditSigning

The enableAuditSigning command enables audit record signing in the security auditing system.

The user must have the auditor admin role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully enables audit signing in the security auditing system.

Batch mode example usage

Interactive mode example usage

 

getAuditSigningConfig

The getAuditSigningConfig command retrieves the signing model that the system uses to sign the audit records.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns a list of attributes that are associated with the signing model, as the following sample output displays: 

{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}

Batch mode example usage

Interactive mode example usage

 

importEncryptionCertificate

The importEncryptionCertificate command imports the self-signed certificate used for encrypting audit data from the encryption keystore into another keystore. Use this command internally to automatically generate a certificate for either encryption or signing. We can also use this command to import the certificate into the keystore by specifying the keyStoreName and keyStoreScope parameters.

Target object

None.

Required parameters

-keyStoreName

Unique name to identify the keystore. (String, required)

-keyFilePath

Specifies the keystore path name that contains the certificate to import. (String, required)

-keyFilePassword

Password of the keystore that contains the certificate to import. (String, required)

-keyFileType

Type of the keystore. (String, required)

-certificateAliasFromKeyFile

Alias of the certificate to import from the keystore file. (String, required)

Optional parameters

-keyStoreScope

Scope name of the keystore. (String, optional)

-certificateAlias

Specifies a unique name to identify the imported certificate. (String, optional)

Return value

The command returns a value of true if the system successfully imports the encryption certificate.

Batch mode example usage

Interactive mode example usage

 

isAuditSigningEnabled

The isAuditSigningEnabled command indicates whether audit signing is enabled or disable in the security audit system.

The user must have the monitor admin role to run this command.

Target object

None.

Return value

The command returns a value of true if signing is configured in the security auditing system.

Batch mode example usage

Interactive mode example usage

 

modifyAuditSigningConfig

The modifyAuditSigningConfig command modifies the signing model that the system uses to sign the audit records.

The certificate may either be imported from an existing key file name containing that certificate, automatically generated, or be the same certificate used to encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and –signingKeyStoreRef parameters. Also, set the value the -useEncryptionCert, –autogenCert, and –importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object

None.

Required parameters

-enableAuditSigning

Specifies whether to sign audit records. This parameter modifies the audit policy configuration. (Boolean, required)

-certAlias

Alias name that identifies the generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in security.xml. The system updates this keystore with the certificate used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert

Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Specifies the key file location for the certificate to import. (String, optional)

-certKeyFileType

Specifies the key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Specifies the key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)

Return value

The command returns a value of true if the system successfully modifies the security auditing system configuration.

Batch mode example usage

Interactive mode example usage




 

Related


AuditKeyStoreCommands
AuditEmitterCommands for AdminTask
AuditEncryptionCommands
AuditEventFactoryCommands for AdminTask
AuditFilterCommands
AuditNotificationCommands
AuditPolicyCommands
AuditEventFormatterCommands