Configuring external storage servers

Configure an external storage server so that Cloud Pak System Software can automatically push audit record packages to an external storage area when the internal database has reached its threshold. Saving audit record packages externally lets you analyze data offline and also archive data to meet various compliance and regulation requirements.

Before you begin

You must be assigned the Auditing role with permission to Manage auditing (Full permission) to perform these steps.

About this task

Event log utilization is normally less than 100% but it might exceed 100% at times. This scenario typically occurs when more than the expected number of audit records are being generated, and the rate at which audit records are written to disk exceeds the rate at which they are being archived. When this scenario is temporary, it is harmless. However, the event log utilization can sometimes remain in excess of 100%. If it does, and the log utilization continues to increase, the space that the audit records require can exceed the volume of the system database. If this scenario occurs and an external storage server is not configured, you must manually download all audit package files before they are cleaned up.

You also have to manually download audit records if there are any issues with copying files from the system to an external storage server. If the audit package files are not downloaded, audit records can be lost. Configuring an external storage server lets the system move archived audit record packages to the external storage server automatically, which reduces the possibility of audit records being discarded by the cleanup task. An external storage server also has more storage capacity than the system database. This additional capacity can be instrumental in storing larger amounts of archives and can be important for record retention.
Note: Use Rivest Shamir Adleman (RSA) key encryption instead of user ID and password authentication to better secure your external storage server.

The system administrator and the security auditor should make sure that the external storage server has enough space to store archived security audit packages according to the audit policy. Cloud Pak System Software does not perform storage management for external servers. Therefore, the system administrator and security auditor must periodically back up the audit file packages on the external storage server to other external storage devices, and must make sure that the external storage server that is used by Cloud Pak System Software security audit continues to have enough space.

Procedure

  1. Click System > Auditing. If you are on 2.3.3.3 or later, click Security and access > Auditing.
  2. Expand External Storage Server, and complete the following fields:
    1. In the Host or IP address: field, enter the host name or IP address of the external server that is configured to store audit log packages.
      Note: This host must be resolvable and pingable from IBM Cloud Pak System. Click System > System Settings > Domain Name Service (DNS) (or click System > Configure > System Settings > Domain Name Service (DNS) if in 2.3.3.3 or later) and then click Lookup to verify the host name or IP address.
    2. In the Download path: field, enter the path of the external server for the audit log packages.
    3. In the Port number: field, enter the Secure copy (scp) port number of the external server. This port is usually the default sshd port 22.
    4. In the Maximum number of records per auto generated record package: field, enter the number of records.
      When an auto-generated record package or a user-requested record package is created, this value is used to limit the size of the generated package. If the number of records to be packaged exceeds this value, then multiple packages are generated until all the audit records have been packaged. The default value is 20,000 audit records.
  3. Upload the public key from the external storage server to the Public key (external storage server): field. The system uses the public key to verify the identity of the external storage server.
    Note: The Secure Shell (SSH) server RSA public key size cannot exceed 4096 bits.
    1. Use the command line to log in to the external storage server.
    2. Navigate to the /etc/ssh directory on the external storage server. The /etc/ssh directory is usually the location of the public key, but the location can vary depending on the system.
    3. Open the ssh_host_rsa_key.pub file, which contains the public key on the external storage server.
    4. Copy the public key from the external storage server.
    5. Paste the public key into the Public key (external storage server): field on the system.
  4. In the User ID: field, type the user ID for the external storage server that the system uses to log in.
  5. Select one of the following security options:
    • Specify a user ID and password.
    1. Click Use password.
    2. Enter a password for the user ID in the Password: field.
      Note: audit_config_external_storage_password_place_holder_string is a reserved word. Do not make this your password.
    • Specify a public key. This option installs the system public key onto the storage system so that the system can log in to the given account by using its private key instead of a password.
    1. Click Use key authentication.
    2. Click Refresh Public key (system) to refresh the public key.
    3. Copy the public key from the Public key (system) field.
    4. Use the command-line interface to log in to the external storage server with the designated User ID provided in step 4.
    5. Navigate to the .ssh directory located in the user home directory. If the directory does not exist, create it by using the following command:
      mkdir .ssh && chmod 700 .ssh
    6. Paste the public key from the system into the authorized_keys file located in the .ssh directory. If the authorized_keys file does not exist, create it.
    7. Optional: Select the Run a ping test before submitting the new configuration or testing connection check box.
  6. Click Test connection to test your system connection.
    • A green check mark displays if the test is successful. Click Submit to save your changes.
    • If the test or the submit is unsuccessful, the error message Cannot connect to the external server. is displayed. Use the following information to identify the cause of each error message code:
      CWZIP0201E
      Miscellaneous failure. Check the ipas.audit trace log.

      Cause: This error occurs if the user ID is invalid, the user has exceeded the allowable number of failed logins on the external server, an SCP file copy has failed, or another miscellaneous failure has occurred.

      CWZIP0202E
      Authentication failed.

      Cause: This error occurs if there is an authentication failure. Check the user's password and private/public keys.

      CWZIP0203E
      The external storage public key is not valid. The key might have changed.

      Cause: This error occurs if the host key has changed. Confirm that the external storage server public key that is configured in Cloud Pak System matches the public key from the storage server's /etc/ssh/ssh_host_rsa_key.pub file.

      CWZIP0204E
      The format of the external storage public key might be incorrect.

      Cause: This error occurs if the host key is rejected. This problem can occur when there is an SSH configuration problem on the external storage server. Consult with the storage server system administrator or security administrator.

      CWZIP0205E
      Permission is denied, or the file or directory does not exist.

      Cause: This error occurs if the "download path" does not exist, is not a directory, or has incorrect permissions to allow the "User ID" to copy files.

      1. For additional diagnostic information, click System > System troubleshooting.
      2. Expand Trace Setting.
      3. Click Add trace setting and type com.ibm.jsch.JschLogger FINE in the Name: field.
      4. Click OK.
      5. Click System > Auditing (or Security and access > Auditing if you are on 2.3.3.3 or later) to return to the auditing configuration page.
      6. Expand External Storage Server and click Test connection.
      7. Collect the Management log collection set and examine the log messages in the /var/log/purescale/ipas.audit/trace.log file.
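The following script is an added example and is not part of the IBM documentation. It is run on the external storage server as the account named in the User ID: field, and covers the server side of step 3 (obtaining the host public key) and step 5 (installing the system public key for key authentication), with the permission modes that sshd accepts by default; it also pre-checks the download path for the conditions behind CWZIP0205E. The file names, the demonstration key line and the temporary home directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Prepares the external storage
# server account for Cloud Pak System audit package pushes over scp.

# Append the Public key (system) line to authorized_keys exactly once, with the
# modes sshd (StrictModes) accepts: .ssh 700 and authorized_keys 600, owned by
# the login user. A group- or world-writable .ssh makes sshd refuse the key with
# "bad ownership or modes for directory" even though the key itself is valid.
install_system_pubkey() {
  home=$1 key=$2
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" || return 1
  grep -qxF "$key" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Return 0 when a path is neither group- nor world-writable; chars 6 and 9 of
# the ls -ld mode string are the group and other write bits.
not_group_world_writable() {
  case $(ls -ld "$1" | cut -c1-10) in
    ?????-??-?) return 0 ;;
    *) return 1 ;;
  esac
}

# Mirror the CWZIP0205E conditions: the download path must exist, be a directory
# and be writable by this account. Prints the first failing condition.
check_download_path() {
  [ -e "$1" ] || { echo "download path does not exist: $1"; return 1; }
  [ -d "$1" ] || { echo "download path is not a directory: $1"; return 1; }
  [ -w "$1" ] || { echo "download path is not writable by $(id -un): $1"; return 1; }
}

# Print the host public key line to paste into step 3, plus its fingerprint
# (when ssh-keygen is present) for comparison if CWZIP0203E is reported later.
show_host_key() {
  keyfile=${1:-/etc/ssh/ssh_host_rsa_key.pub}
  cat "$keyfile" && command -v ssh-keygen >/dev/null && ssh-keygen -lf "$keyfile"
}

# Demonstration against a throw-away home directory and a constructed key line
# (not a real key); on the real server use $HOME and the key copied from the UI.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_CONSTRUCTED_PLACEHOLDER cps-audit'
install_system_pubkey "$demo_home" "$demo_key" &&
install_system_pubkey "$demo_home" "$demo_key" &&   # second run must not duplicate
not_group_world_writable "$demo_home/.ssh" &&
check_download_path "$demo_home" && echo "account prepared under $demo_home"
rm -rf "$demo_home"
```

On the real server, call show_host_key to obtain the line for the Public key (external storage server): field and check_download_path with the value of the Download path: field.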