Network Deployment (Distributed operating systems), v8.0 > Reference > Commands (wsadmin scripting)


AuditSigningCommands command group

We can use Jython to configure the signing of audit records with wsadmin.sh. Use the commands and parameters in the AuditSigningCommands group to enable, disable, and configure the security audit system to sign audit records.

Use the following commands to configure audit signing:



createAuditSigningConfig

The createAuditSigningConfig command creates the signing model that the system uses to sign the audit records. Use this command to configure your audit signing configuration for the first time. If we have already configured audit signing, use the enableAuditSigning and disableAuditSigning commands to turn audit signing on and off.

We can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as the application server uses encrypt the audit records.

To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and –signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, –autogenCert, and –importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object None


Required parameters

-enableAuditSigning

Whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)

-certAlias

Alias name that identifies the generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate used to sign the audit records. (String, required)


Optional parameters

-useEncryptionCert

Whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Key file location for the certificate to import. (String, optional)

-certKeyFileType

Key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)


Return value

If successful, returns the shortened from of the keystore where the signing certificate has been added to. Remember, this keystore is in the security.xml file, not the audit.xml file.

Batch mode example usage


Interactive example...



deleteAuditSigningConfig

The deleteAuditSigningConfig command deletes the signing model that the system uses to sign the audit records. When the system deletes the audit signing configuration, it does not delete the key store file in the security.xml or the signer certificate for the keystore.

The user must have the auditor administrative role to run this command.

Target object None


Return value

The command returns a value of true if the system successfully removes the audit signing configuration.

Batch mode example usage


Interactive example...



disableAuditSigning

The disableAuditSigning command disables audit record signing for the security auditing system.

The user must have the auditor administrative role to run this command.

Target object None


Return value

The command returns a value of true if the system successfully disables audit signing.


Batch example...


Interactive example...



enableAuditSigning

The enableAuditSigning command enables audit record signing in the security auditing system.

The user must have the auditor administrative role to run this command.

Target object None


Return value

The command returns a value of true if the system successfully enables audit signing in the security auditing system.


Batch example...


Interactive example...



getAuditSigningConfig

The getAuditSigningConfig command retrieves the signing model that the system uses to sign the audit records.

The user must have the monitor administrative role to run this command.

Target object None


Return value

The command returns a list of attributes that are associated with the signing model, as the following sample output displays: 

{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}


Batch example...


Interactive example...



importEncryptionCertificate

The importEncryptionCertificate command imports the self-signed certificate used for encrypting audit data from the encryption keystore into another keystore. Use this command internally to automatically generate a certificate for either encryption or signing. We can also use this command to import the certificate into the keystore by specifying the keyStoreName and keyStoreScope parameters.

Target object None


Required parameters

-keyStoreName

Unique name to identify the keystore. (String, required)

-keyFilePath

Keystore path name that contains the certificate to import. (String, required)

-keyFilePassword

Password of the keystore that contains the certificate to import. (String, required)

-keyFileType

Type of the keystore. (String, required)

-certificateAliasFromKeyFile

Alias of the certificate to import from the keystore file. (String, required)


Optional parameters

-keyStoreScope

Scope name of the keystore. (String, optional)

-certificateAlias

Unique name to identify the imported certificate. (String, optional)


Return value

The command returns a value of true if the system successfully imports the encryption certificate.

Batch mode example usage


Interactive example...



isAuditSigningEnabled

The isAuditSigningEnabled command indicates whether audit signing is enabled or disable in the security audit system.

The user must have the monitor administrative role to run this command.

Target object None


Return value

The command returns a value of true if signing is configured in the security auditing system.


Batch example...


Interactive example...



modifyAuditSigningConfig

The modifyAuditSigningConfig command modifies the signing model that the system uses to sign the audit records.

The certificate may either be imported from an existing key file name containing that certificate, automatically generated, or be the same certificate used to encrypt the audit records.

To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and –signingKeyStoreRef parameters. Also, set the value the -useEncryptionCert, –autogenCert, and –importCert parameters as false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object None


Required parameters

-enableAuditSigning

Whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)

-certAlias

Alias name that identifies the generated or imported certificate. (String, required)

-signingKeyStoreRef

Reference ID of the key store that system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate used to sign the audit records. (String, required)


Optional parameters

-useEncryptionCert

Whether to use the same certificate for encryption and signing. (Boolean, optional)

-autogenCert

Whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)

-importCert

Whether to import an existing certificate to sign the audit records. (Boolean, optional)

-certKeyFileName

Unique name of the key file for the certificate to import. (String, optional)

-certKeyFilePath

Key file location for the certificate to import. (String, optional)

-certKeyFileType

Key file type for the certificate to import. (String, optional)

-certKeyFilePassword

Key file password for the certificate to import. (String, optional)

-certAliasToImport

Alias of the certificate to import. (String, optional)


Return value

The command returns a value of true if the system successfully modifies the security auditing system configuration.


Batch example...


Interactive example...


Related


AuditKeyStoreCommands command group
AuditEmitterCommands
AuditEncryptionCommands command group
AuditEventFactoryCommands
AuditFilterCommands command group
AuditNotificationCommands command group
AuditPolicyCommands command group
AuditEventFormatterCommands command group

+

Search Tips   |   Advanced Search