Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Configure security auditing using scripting

Encrypting security audit data using scripting

We can use wsadmin.sh to configure the security auditing system to encrypt security audit records. Security auditing provides tracking and archiving of auditable events.

Before configuring encryption, set up the security auditing subsystem. We can enable security auditing before or after completing the steps in this topic.

Verify that we have the appropriate administrative role.

To complete this topic, have the auditor administrative role. If you are importing a certificate from a keystore that exists in the security.xml file, have the auditor and administrator administrative roles.

When configuring encryption, the auditor can select one of the following choices:

• Allow the application server to automatically generate a certificate or use an existing self-signed certificate generated by the auditor.

• Use an existing keystore to store this certificate, or create a new keystore to store this certificate.

To ensure that there is a separation of privileges between the administrator role and the auditor role, the auditor can create a self-signed certificate outside of the application server process and maintain the private key of that certificate.

Use the following task steps to encrypt security audit data:

Procedure

1. Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

2. Configure encryption settings for security audit data.

   Use the createAuditEncryptionConfig command and the following parameters to create the audit encryption model to encrypt your audit records. We must specify the -enableAuditEncryption, -certAlias, and -encryptionKeyStoreRef parameters, and either the -autogenCert or -importCert parameters.

   Command parameters. This table describes the createAuditEncryptionConfig command and its parameters:

   Parameter	Description	Data Type	Required
   -enableAuditEncryption	Whether to encrypt audit records. This parameter modifies your audit policy configuration.	Boolean	Yes
   -certAlias	Alias name that identifies the generated or imported certificate.	String	Yes
   -encryptionKeyStoreRef	Reference ID of the keystore to import the certificate to.	String	Yes
   -autogenCert	Whether to automatically generate the certificate used to encrypt the audit records. We must specify either this parameter or the -importCert parameter, but you cannot specify both.	Boolean	No
   -importCert	Whether to import an existing certificate to encrypt the audit records. We must specify either this parameter or the -autogenCert parameter, but you cannot specify both.	Boolean	No
   -certKeyFileName	Unique name of the key file from which the certificate is imported.	String	No
   -certKeyFilePath	Key file location from which the certificate is imported.	String	No
   -certKeyFileType	Key file type from which the certificate is imported.	String	No
   -certKeyFilePassword	Key file password from which the certificate is imported.	String	No
   -certAliasToImport	Alias from which the certificate is imported.	String	No

   The following command example configures encryption and supports the system to automatically generate the certificate:

   AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate
   -autogenCert true -encryptionKeyStoreRef auditKeyStore')
   

   The following command example configures encryption and imports a certificate:

   AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate
   -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath
   install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key
   -certAliasToImport defaultCertificate -encryptionKeyStoreRef auditKeyStore')
   

3. We must restart the server to apply configuration changes.

Results

Encryption is configured for security audit data. If you set the -enableAuditEncryption parameter to true, then your security auditing system encrypts security audit data when security auditing is enabled.

What to do next

After you configure the encryption model for the first time, then you may use the enableAuditEncryption and disableAuditEncryption commands to turn encryption on and off.

The following example uses the enableAuditEncryption command to turn on encryption:

AdminTask.enableAuditEncryption()

Use the disableAuditEncryption command to turn off encryption:

AdminTask.disableAuditEncryption()

Configure auditable events using scripting
Enable security auditing using scripting
Signing security audit data using scripting
Configure security audit notifications using scripting
Configure security auditing using scripting
Start the wsadmin scripting client using wsadmin.sh

Related

AuditKeyStoreCommands command group
AuditEmitterCommands
AuditSigningCommands command group
AuditEncryptionCommands command group
AuditEventFactoryCommands
AuditFilterCommands command group
AuditNotificationCommands command group
AuditPolicyCommands command group
AuditEventFormatterCommands command group

+

Search Tips   |   Advanced Search