Connect:Direct Secure Plus Certificate Auditing

In a TLS session, audit information about the identity certificate and its signing certificate is written to the statistics log in the Session Start (SSTR) and Copy Termination (CTRC) records. The same information is returned in the SSTR and CTRC records of the response data from a Select Statistics command.

In a TLS session, the PNODE (client) always logs the audit information. The SNODE (server) logs it only when client authentication is enabled. For logging to occur, the session handshake must succeed and progress to the point at which the SSTR and CTRC records are written.

Certificate Audit Log Entries

The audit consists of the subject name and serial number of the identity and its signing certificate. The identity certificate also contains an issuer attribute, which is identical to the signing certificate subject name. Although many signing certificates may exist between the identity and final root certificate, the audit includes only the last two certificates in a chain: an intermediate certificate and an end certificate.

In the SSTR and CTRC records, the CERT token holds the common name and serial number of the key (identity) certificate, and the CERI token holds the common name of the issuer and the serial number of the intermediate or root CA certificate that signed it, for example:

CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Test ID/SN=99c0ce01382e6c83)|
CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/CN=root CA/SN=da870666bbfb5538)

Connect:Direct® Secure Plus certificate audits may contain the following fields:

Field Name          Abbreviation   Max Length (RFC 2459)
Common Name         CN             64
Country             C              2
Locality            L              128
State               ST             128
Organization        O              64
Organization Unit   OU             64
Email Address       emailAddress   128
Serial Number       SN             128 (estimated)

Accessing Certificate Audit Logs

Certificate audit information located in the SSTR and CTRC records cannot be accessed directly using Connect:Direct Requester or Connect:Direct Browser User Interface. To access certificate information, you can issue a query directly to the database or use an SDK-based or JAI-based program to issue a Select Statistics command. The response to the Select Statistics command contains the AuditInfo field of the statistics records, including the SSTR and CTRC records. This field contains certificate audit information.

The following example output was generated with a database query; it shows one SSTR record followed by one CTRC record.

'2009-05-21 14:50:27', 2, 'SSTR', 'CAEV', '', 0, '2009-05-21 14:50:26', '2009-05-21 14:50:27', '', '', 'JLYON-XP.4500', 0,
'MSGI=LSMI004I|SBST=(&NODE=JLYON-XP.4500)|PNOD=JLYON-XP.4500|CSPE=Y|CSPP=TLSv1|CSPS=TLS_RSA_WITH_AES_256_CBC_SHA|
CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Test ID/SN=a9febbeb4f59d446)|
CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example IntermediateCA/SN=a69634a8a7830268)|STSD=2|TZDI=-14400|'

'2009-05-21 14:50:28', 2, 'CTRC', 'CAPR', 'SAMPLE', 1, '2009-05-21 14:50:27', '2009-05-21 14:50:28', 'JLYON-XP.4500', 'jlyon', 'JLYON-XP.4500', 0,
'MSGI=SCPA000I|LCCD=0|LMSG=SCPA000I|OCCD=0|OMSG=SCPA000I|PNAM=SAMPLE|PNUM=1|SNAM=STEP1|SBND=JLYON-XP.4500|SBID=jlyon|
PNOD=JLYON-XP.4500|SNOD=JLYON-XP.4500|LNOD=P|FROM=P|XLAT=N|ECZI=N|ECMP=N|SCMP=N|OERR=N|CKPT=Y|LKFL=N|RSTR=N|RUSZ=65535|
PACC=|SACC=|PPMN=|SFIL=C:\Program Files\IBM\Connect Direct v4.6.00\Server\Process\Sample.html|SDS1= |SDS2= |SDS3= |
SFSZ=0|SBYR=861|SRCR=1|SBYX=863|SRUX=1|SNVL=-1|SVOL=|DFIL=C:\Program Files\IBM\Connect Direct v4.5.00\Server\Process\Verify.html|
PPMN=|DDS1=R|DDS2= |DDS3= |DBYW=861|DRCW=1|DBYX=863|DRUX=1|DNVL=0|DVOL=|CSPE=Y|CSPP=TLSv1|CSPS=TLS_RSA_WITH_AES_256_CBC_SHA|
CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Test ID/SN=a9febbeb4f59d446)|
CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Intermediate CA/SN=a69634a8a7830268)|
PCRC=N|ETMC=60|ETMK=10|ETMU=0|STSD=2|TZDI=-14400|'

Certificate Audit Log Error Reporting

If an error occurs when the subject name is extracted from the identity (CERT) or issuer (CERI) certificate, the following message ID is logged:

CERT=(MSGI=CSPA310E)|CERI=(MSGI=CSPA310E)

Only the message ID is displayed with the CERT or CERI tokens; the standard Connect:Direct error function is not used. After the error occurs, the session continues.
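As an added example (not part of the IBM documentation and not Connect:Direct code), the following Python parses the AuditInfo string of an SSTR or CTRC record in the format shown above, breaks the CERT and CERI tokens into their DN attributes and serial numbers, recognises the CSPA310E error form, and checks the issuer against a hypothetical allowlist of trusted signing certificates, the kind of check a defender would run over statistics records exported by a database query or a Select Statistics program. The sample records, the allowlist, the field names used for findings and the slash-separated DN grammar are assumptions; the token layout is the one this document shows.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample AuditInfo strings, modelled on the SSTR/CTRC records in this
# document. The CERT/CERI values are the document's own test.org examples; the
# third record (an unknown issuer) is invented for the allowlist check.
SSTR_AUDIT = (
    "MSGI=LSMI004I|SBST=(&NODE=JLYON-XP.4500)|PNOD=JLYON-XP.4500|CSPE=Y|CSPP=TLSv1|"
    "CSPS=TLS_RSA_WITH_AES_256_CBC_SHA|"
    "CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Test ID/SN=a9febbeb4f59d446)|"
    "CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Intermediate CA/SN=a69634a8a7830268)|"
    "STSD=2|TZDI=-14400|"
)
ERROR_AUDIT = "MSGI=SCPA000I|CSPE=Y|CERT=(MSGI=CSPA310E)|CERI=(MSGI=CSPA310E)|STSD=2|"
CTRC_UNTRUSTED = (
    r"MSGI=SCPA000I|PNAM=SAMPLE|PNUM=1|SNAM=STEP1|PNOD=JLYON-XP.4500|SNOD=JLYON-XP.4500|"
    r"SFIL=C:\Program Files\IBM\Connect Direct v4.6.00\Server\Process\Sample.html|"
    r"CSPE=Y|CSPP=TLSv1|CSPS=TLS_RSA_WITH_AES_256_CBC_SHA|"
    r"CERT=(/C=US/O=test.org/CN=Example Test ID/SN=a9febbeb4f59d446)|"
    r"CERI=(/C=US/O=other.example/CN=Unknown CA/SN=0123456789abcdef)|STSD=2|TZDI=-14400|"
)

# Hypothetical allowlist of (issuer CN, issuer serial) pairs this site trusts.
TRUSTED_ISSUERS = {("Example Intermediate CA", "a69634a8a7830268")}

# A token is KEY=VALUE; the value is either a parenthesised group, which may itself
# contain '=' (SBST, CERT, CERI), or a run of characters up to the next '|'.
TOKEN_RE = re.compile(r"([A-Za-z0-9]+)=(\([^)]*\)|[^|]*)")


def parse_audit_info(audit: str) -> dict:
    """Split an AuditInfo string into a KEY -> VALUE mapping.

    Later duplicates win (the CTRC record carries PPMN twice)."""
    return {m.group(1): m.group(2) for m in TOKEN_RE.finditer(audit)}


@dataclass
class CertAudit:
    attrs: dict = field(default_factory=dict)  # DN attributes, e.g. {"CN": "Example Test ID"}
    serial: Optional[str] = None               # the SN component of the token
    error: Optional[str] = None                # message ID such as CSPA310E if extraction failed


def parse_cert_token(value: str) -> CertAudit:
    """Parse a CERT or CERI value: (/C=US/.../CN=name/SN=hex) or (MSGI=CSPA310E).

    Assumes the slash-separated DN form shown in the document; a DN attribute that
    itself contains '/' would need a quoted-value grammar this helper does not have."""
    inner = value[1:-1] if value.startswith("(") and value.endswith(")") else value
    if inner.startswith("MSGI="):
        return CertAudit(error=inner.split("=", 1)[1])
    attrs = {}
    for part in inner.split("/"):
        if part:
            key, _, val = part.partition("=")
            attrs[key] = val
    serial = attrs.pop("SN", None)
    return CertAudit(attrs=attrs, serial=serial)


def audit_session(audit: str, trusted_issuers=TRUSTED_ISSUERS) -> list:
    """Return a list of findings for one SSTR/CTRC AuditInfo string; empty means clean."""
    fields = parse_audit_info(audit)
    findings = []
    if fields.get("CSPE") != "Y":
        findings.append("session not protected by Secure Plus (CSPE != Y)")
    if "CERT" not in fields:
        # Expected on an SNODE without client authentication: nothing to verify.
        findings.append("no CERT token: certificate audit data absent")
        return findings
    cert = parse_cert_token(fields["CERT"])
    if cert.error:
        findings.append(f"CERT subject extraction failed: {cert.error}")
    if "CERI" not in fields:
        findings.append("CERI token missing")
        return findings
    issuer = parse_cert_token(fields["CERI"])
    if issuer.error:
        findings.append(f"CERI subject extraction failed: {issuer.error}")
    elif (issuer.attrs.get("CN"), issuer.serial) not in trusted_issuers:
        findings.append(f"issuer not on allowlist: CN={issuer.attrs.get('CN')!r} SN={issuer.serial}")
    return findings


if __name__ == "__main__":
    for name, rec in [("SSTR", SSTR_AUDIT), ("ERROR", ERROR_AUDIT), ("CTRC", CTRC_UNTRUSTED)]:
        print(name, audit_session(rec) or ["ok"])
```

The tokenizer treats a parenthesised value as a unit so that the embedded '=' in SBST, CERT and CERI does not start a new token, and the issuer check compares both the common name and the serial number, since the CN alone is a free-text attribute any CA can issue.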