Digital signing

Digital signing of audit data is used to show attempts at log tampering and provide for non-repudiation of the audit log.

Each file within each load gets a digital signature. The signature and the sequence information are stored in the audit database.

Digital signing on the system is done by setting up a public/private cryptographic pair of keys and setting the history configuration to use that key pair.

To set the audit digital signature key, use the syntax as in the following example:

ALTER HISTORY CONFIG
   KEY <keystore name>.<key name>;
To turn off signing, use the following command:
ALTER HISTORY CONFIG
   KEY NONE
To verify the signature, in addition to displaying the keys, the following sample script that checks the key against the signature is provided:
nzverifyauditsig.sh
The output returns a verification or a failure message, as in the following:
  • signature verified
  • signature could not be verified