Secure+ Parameters File Auditing
IBM Connect:Direct® provides auditing of Secure+ parameters files and certificates for archival purposes.
The Connect:Direct Secure Plus Administration Tool (Secure+ Admin Tool) and the Connect:Direct Secure Plus Command Line Interface (Secure+ CLI) log changes made to the Connect:Direct Secure Plus parameters file (Secure+ parameters file). The following events are logged:
- Application Startup
- Init Parmfile
- Open Parmfile
- Sync Netmap
- Rekey Parmfile
- Create Node
- Update Node
- Delete Node
The Secure+ parameters file logging feature has the following operational characteristics:
- The logging feature is always enabled and cannot be disabled.
- If errors occur when the log is being updated, the application terminates.
- Each log entry contains a timestamp, user ID, and a description of the action/event.
- When an existing node is updated, any changed fields are reported.
- When a node is created or deleted, the values of all non-empty fields are reported.
- Any commands that modify a node are logged.
Access Secure+ Parameters File Audit Logs
The Secure+ parameters file audit logs are stored in a dedicated directory, ...\secure+\log. The log file naming convention is SP[YYYY][MM][DD].001 (using local time), and the contents of a log file are limited to a single calendar date. You can view these log files using any text editor. Log files are not deleted by IBM Connect:Direct.
Secure+ Parameters File Audit Log Entries
Each audit log has the following header:
[YYYYMMDD][HH:MM:SS:mmm][userid] |
When a parameter file is created or opened, an ID is generated that associates the change with the node being updated as shown in the following:
[YYYYMMDD][HH:MM:SS:mmm][userid][ParmFileID] |
The following fields may appear in a create, update, or delete audit record.
Field Name | Description |
---|---|
Name | Name of the node |
BaseRecord | Name of the base record |
Type | Record type of local, remote, or alias |
Protocol | Enables Connect:Direct Secure Plus protocol |
Override | Enables overriding the current node |
AuthTimeOut | Authentication timeout |
SslTlsTrustedRootCertFile | Pathname to trusted roots file |
SslTlsCertFile | Pathname to key certificate file |
SslTlsCertPassphrase | Key certificate passphrase (masked) |
SslTlsEnableClientAuth | Enable client authentication |
SslTlsCertCommonName | Common name of the remote certificate to verify |
SslTlsEnableCipher | List of SSL/TLS cipher suites |
SslTlsSeaEnable | Enable external authentication |
SslTlsSeaCacheEnable | Enable caching External Authentication Server certificate validation response. |
SeaCacheValidityTime | Time duration during which the local cache entry is valid for certificates |
SeaGraceValidityTime | Number of hours when the local cache entry of certificate expires and External Authentication Server is unavailable such that Connect:Direct Secure Plus can accept it from its cache. |
SeaCertValDef | External authentication validation definition |
SeaHost | External authentication host name |
SeaPort | External authentication port number |
Secure+ Parameters File Audit Log Error Reporting
Errors are reported for the following logging functions: open log, write log, and lock log. If an error occurs during one of these functions, an error message is displayed, and the application is terminated. The lock function times out after 30 seconds. Typically, Secure+ Admin Tool or the Secure+ CLI hold the lock for less than one second per update.
IBM Connect:Direct Secure Plus Certificate Auditing
In a TLS session, audit information about the identity certificate and its signing certificate is logged in the statistics log in the Session Start (SSTR) and Copy Termination (CTRC) records. The audit information is included in the response data from a select statistics command in the SSTR and CTRC records. In a TLS session, the PNODE (client) always logs the audit information. The SNODE (server) only logs the information when client authentication is enabled. For logging to occur, the session handshake must succeed and progress to the point of logging the SSTR and CTRC records.
Certificate Audit Log Entries
The audit consists of the subject name and serial number of the identity and its signing certificate. The identity certificate also contains an issuer attribute, which is identical to the signing certificate subject name. Although many signing certificates may exist between the identity and final root certificate, the audit includes only the last two certificates in a chain: an intermediate certificate and an end certificate.
In the SSTR and CTRC records, the CERT contains the common name and serial number of the key certificate, and the CERI contains the common name of the issuer and the serial number of an intermediate or root CA. They may also contain the certificate serial number, for example:
CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Test
ID/SN=99c0ce01382e6c83)| CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/CN=root CA/SN=da870666bbfb5538) |
Connect:Direct Secure Plus certificate audits may contain the following fields:
Field Name | Abbreviation | Max Lengths (RFC 2459) |
---|---|---|
Common Name | CN | 64 |
Country | C | 2 |
Locality | L | 128 |
State | ST | 128 |
Organization | O | 64 |
Organization Unit | OU | 64 |
Email Address | emailAddress | 128 |
Serial Number | SN | 128 (estimated) |
Access Certificate Audit Logs
Certificate audit information located in the SSTR and CTRC records cannot be accessed directly using Connect:Direct Requester or Sterling Connect:Direct Browser User Interface. To access certificate information, you can issue a query directly to the database or use an SDK-based or JAI-based program to issue a Select Statistics command. The response to the Select Statistics command contains the AuditInfo field of the statistics records, including the SSTR and CTRC records. This field contains certificate audit information.
The following example was generated using a database query. The certificate audit information is highlighted in bold.
'2007-05-21 14:50:27', 2, 'SSTR', 'CAEV', '',
0, '2007-05-21 14:50:26', '2007-05-21 14:50:27', '', '', 'JLYON-XP.4400',
0, 'MSGI=LSMI004I|SBST=(&NODE=JLYON-XP.4400)|PNOD=JLYON-XP.4400|CSPE=Y|CSPP=TLSv1|CSPS=TLS_RSA_WITH_AES_256_CBC_SHA| CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/ '2007-05-21 14:50:28', 2, 'CTRC', 'CAPR', 'SAMPLE', 1,
'2007-05-21 14:50:27', '2007-05-21 14:50:28', 'JLYON-XP.4400', 'jlyon',
'JLYON-XP.4400', 0, 'MSGI=SCPA000I|LCCD=0|LMSG=SCPA000I|OCCD=0|OMSG=SCPA000I|PNAM=SAMPLE|PNUM=1| |PCRC=N|ETMC=60|ETMK=10|ETMU=0|STSD=2|TZDI=-14400|' |
Certificate Audit Log Error Reporting
If an error occurs when the subject name is extracted from the identity (CERT) or issuer's (CERI) certificates, the following message ID is logged:
CERT=(MSGI=CSPA310E)|CERI=(MSGI=CSPA310E) |
Only the message ID is displayed with the CERT or CERI tokens; the standard IBM Connect:Direct error function is not used. After the error occurs, the session continues.