
Signing security audit data using scripting

Use the wsadmin tool to configure the security auditing system to sign security audit records. Security auditing provides tracking and archiving of auditable events.

Before we begin, verify that we have the appropriate administrative roles. To complete this task, we must have both the auditor and the administrator administrative roles.

When configuring the signing of audit data, the auditor can choose between the following options: import the certificate from an existing key file, let the system generate the certificate automatically, or reuse the certificate that already encrypts the audit records.

Use the following task steps to configure the signing of security audit data:


Tasks

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Configure signing settings for security audit data.

    Use the createAuditSigningConfig command to create the signing model to sign our audit records.

    We can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as used to encrypt the audit records. The signing keystore must exist in the security.xml file. The system updates this keystore with the certificate to use to sign the audit records.

    Parameter            | Description                                                                                                                                 | Data Type | Required
    ---------------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------|---------
    -enableAuditSigning  | Specifies whether to sign audit records. This parameter modifies our audit policy configuration.                                           | Boolean   | Yes
    -certAlias           | Alias name that identifies the generated or imported certificate.                                                                           | String    | Yes
    -signingKeyStoreRef  | Reference ID of the keystore to import the certificate to.                                                                                  | String    | Yes
    -useEncryptionCert   | Specifies whether to use the same certificate for encryption and signing. Specify the -useEncryptionCert, -autogenCert, or -importCert parameter. | Boolean   | No
    -autogenCert         | Specifies whether to automatically generate the certificate used to sign the audit records. Specify the -useEncryptionCert, -autogenCert, or -importCert parameter. | Boolean   | No
    -importCert          | Specifies whether to import an existing certificate to sign the audit records. Specify the -useEncryptionCert, -autogenCert, or -importCert parameter. | Boolean   | No
    -certKeyFileName     | Unique name of the key file for the certificate to import.                                                                                  | String    | No
    -certKeyFilePath     | Key file location for the certificate to import.                                                                                            | String    | No
    -certKeyFileType     | Key file type for the certificate to import.                                                                                                | String    | No
    -certKeyFilePassword | Key file password for the certificate to import.                                                                                            | String    | No
    -certAliasToImport   | Alias of the certificate to import.                                                                                                         | String    | No

    The following command example configures signing and allows the system to automatically generate the certificate:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')

    The following command example configures signing and imports a certificate:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')

    The following command example uses the same certificate for signing and encryption:

    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -useEncryptionCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')

  3. Save the configuration changes.

    AdminConfig.save()

  4. Restart the server to apply the configuration changes.

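The steps above can be wrapped in a small Jython script so that the parameter rules of createAuditSigningConfig (three required parameters, exactly one certificate source, and the key file parameters that -importCert needs) are checked before the command reaches the server. The following script is an added example, not code from the IBM documentation or from WebSphere itself; the helper names build_signing_args and configure_audit_signing are our own, and the keystore reference ID, key file path and password are constructed placeholders. It runs under both CPython 3 (for testing) and the Jython 2.x interpreter used by wsadmin.

```python
# Added example (not part of the IBM documentation): validate the parameters
# for AdminTask.createAuditSigningConfig before issuing the command.
# Written to run under CPython 3 and the Jython 2.x used by wsadmin, so it
# avoids f-strings, str.format and other newer syntax.

# Parameter rules as stated in the command's parameter table.
REQUIRED = ('-enableAuditSigning', '-certAlias', '-signingKeyStoreRef')
CERT_SOURCES = ('-useEncryptionCert', '-autogenCert', '-importCert')
IMPORT_PARAMS = ('-certKeyFileName', '-certKeyFilePath', '-certKeyFileType',
                 '-certKeyFilePassword', '-certAliasToImport')


def build_signing_args(params):
    """Return the argument string for createAuditSigningConfig from a dict of
    '-name' -> value. Raises ValueError if a required parameter is missing,
    if zero or more than one certificate source is set to true, or if
    -importCert is chosen without all of its key file parameters."""
    missing = [p for p in REQUIRED if p not in params]
    if missing:
        raise ValueError('missing required parameter(s): %s' % ', '.join(missing))
    chosen = [p for p in CERT_SOURCES
              if str(params.get(p, 'false')).lower() == 'true']
    if len(chosen) != 1:
        raise ValueError('choose exactly one of %s (got: %s)'
                         % (', '.join(CERT_SOURCES), ', '.join(chosen) or 'none'))
    if chosen[0] == '-importCert':
        missing = [p for p in IMPORT_PARAMS if p not in params]
        if missing:
            raise ValueError('-importCert also requires: %s' % ', '.join(missing))
    # Emit parameters in a fixed order so the resulting string is predictable.
    order = list(REQUIRED) + list(CERT_SOURCES) + list(IMPORT_PARAMS)
    parts = []
    for name in order:
        if name in params:
            parts.append('%s %s' % (name, params[name]))
    return ' '.join(parts)


def configure_audit_signing(params, admin_task):
    """Validate params, issue createAuditSigningConfig through admin_task
    (the real AdminTask object inside wsadmin, or a stub when testing) and
    return the argument string that was sent."""
    args = build_signing_args(params)
    admin_task.createAuditSigningConfig(args)
    return args


if __name__ == '__main__':
    # Constructed placeholder values; replace the keystore reference ID with
    # the one from our security.xml.
    autogen = {
        '-enableAuditSigning': 'true',
        '-certAlias': 'auditSigningCert',
        '-autogenCert': 'true',
        '-signingKeyStoreRef': 'Ref_Id_of_KeyStoreInSecurityXML',
    }
    print(build_signing_args(autogen))
    try:
        # AdminTask and AdminConfig exist only inside the wsadmin interpreter.
        configure_audit_signing(autogen, AdminTask)
        AdminConfig.save()
        print('audit signing configured; restart the server to apply it')
    except NameError:
        print('not running inside wsadmin; command not issued')
```

Run it from the wsadmin client with the Jython language selected (for example wsadmin.sh -lang jython -f audit_signing.py); outside wsadmin the script only validates and prints the argument string, which is a convenient way to review the parameters before touching a live configuration.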
Signing is configured for our security audit data. If we set the -enableAuditSigning parameter to true, our security auditing system signs security audit data when security auditing is enabled.


What to do next

Once we configure the signing model for the first time, use the enableAuditSigning and disableAuditSigning commands to quickly turn signing on and off. The following example uses the enableAuditSigning command to turn signing on:

AdminTask.enableAuditSigning()

The following example uses the disableAuditSigning command to turn signing off:

AdminTask.disableAuditSigning()

  • Configure auditable events using scripting
  • Encrypting security audit data using scripting
  • Enable security auditing using scripting
  • Configure security audit notifications using scripting
  • Configure security auditing using scripting
  • Start the wsadmin scripting client
  • AuditKeyStoreCommands
  • AuditEmitterCommands for the AdminTask object
  • AuditSigningCommands
  • AuditEncryptionCommands
  • AuditEventFactoryCommands for the AdminTask object
  • AuditFilterCommands
  • AuditNotificationCommands
  • AuditPolicyCommands
  • AuditEventFormatterCommands