Secure+ Parameters File Auditing

IBM Connect:Direct® provides auditing of Secure+ parameters files and certificates for archival purposes.

The Connect:Direct Secure Plus Administration Tool (Secure+ Admin Tool) and the Connect:Direct Secure Plus Command Line Interface (Secure+ CLI) log changes made to the Connect:Direct Secure Plus parameters file (Secure+ parameters file). The following events are logged:

  • Application Startup
  • Init Parmfile
  • Open Parmfile
  • Sync Netmap
  • Rekey Parmfile
  • Create Node
  • Update Node
  • Delete Node

The Secure+ parameters file logging feature has the following operational characteristics:

  • The logging feature is always enabled and cannot be disabled.
  • If errors occur when the log is being updated, the application terminates.
  • Each log entry contains a timestamp, user ID, and a description of the action/event.
  • When an existing node is updated, any changed fields are reported.
  • When a node is created or deleted, the values of all non-empty fields are reported.
  • Any commands that modify a node are logged.
Note: The certificates used by Connect:Direct Secure Plus are individual files that can be stored anywhere on the system. As a result, the logging feature cannot detect when existing certificate files are modified. Connect:Direct Secure Plus only stores the certificate path name and detects changes to this field only.

Access Secure+ Parameters File Audit Logs

The Secure+ parameters file audit logs are stored in a dedicated directory, ...\secure+\log. The log file naming convention is SP[YYYY][MM][DD].001 (using local time), and the contents of a log file are limited to a single calendar date. You can view these log files using any text editor. Log files are not deleted by IBM Connect:Direct.

Secure+ Parameters File Audit Log Entries

Each audit log has the following header:

[YYYYMMDD][HH:MM:SS:mmm][userid]

When a parameter file is created or opened, an ID is generated that associates the change with the node being updated as shown in the following:

[YYYYMMDD][HH:MM:SS:mmm][userid][ParmFileID]

The following fields may appear in a create, update, or delete audit record.

Field Name Description
Name Name of the node
BaseRecord Name of the base record
Type Record type of local, remote, or alias
Protocol Enables Connect:Direct Secure Plus protocol
Override Enables overriding the current node
AuthTimeOut Authentication timeout
SslTlsTrustedRootCertFile Pathname to trusted roots file
SslTlsCertFile Pathname to key certificate file
SslTlsCertPassphrase Key certificate passphrase (masked)
SslTlsEnableClientAuth Enable client authentication
SslTlsCertCommonName Common name of the remote certificate to verify
SslTlsEnableCipher List of SSL/TLS cipher suites
SslTlsSeaEnable Enable external authentication
SslTlsSeaCacheEnable Enable caching External Authentication Server certificate validation response.
SeaCacheValidityTime Time duration during which the local cache entry is valid for certificates
SeaGraceValidityTime Number of hours when the local cache entry of certificate expires and External Authentication Server is unavailable such that Connect:Direct Secure Plus can accept it from its cache.
SeaCertValDef External authentication validation definition
SeaHost External authentication host name
SeaPort External authentication port number

Secure+ Parameters File Audit Log Error Reporting

Errors are reported for the following logging functions: open log, write log, and lock log. If an error occurs during one of these functions, an error message is displayed, and the application is terminated. The lock function times out after 30 seconds. Typically, Secure+ Admin Tool or the Secure+ CLI hold the lock for less than one second per update.

IBM Connect:Direct Secure Plus Certificate Auditing

In a TLS session, audit information about the identity certificate and its signing certificate is logged in the statistics log in the Session Start (SSTR) and Copy Termination (CTRC) records. The audit information is included in the response data from a select statistics command in the SSTR and CTRC records. In a TLS session, the PNODE (client) always logs the audit information. The SNODE (server) only logs the information when client authentication is enabled. For logging to occur, the session handshake must succeed and progress to the point of logging the SSTR and CTRC records.

Certificate Audit Log Entries

The audit consists of the subject name and serial number of the identity and its signing certificate. The identity certificate also contains an issuer attribute, which is identical to the signing certificate subject name. Although many signing certificates may exist between the identity and final root certificate, the audit includes only the last two certificates in a chain: an intermediate certificate and an end certificate.

In the SSTR and CTRC records, the CERT contains the common name and serial number of the key certificate, and the CERI contains the common name of the issuer and the serial number of an intermediate or root CA. They may also contain the certificate serial number, for example:

CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Test ID/SN=99c0ce01382e6c83)|

CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/CN=root CA/SN=da870666bbfb5538)

Connect:Direct Secure Plus certificate audits may contain the following fields:

Field Name Abbreviation Max Lengths (RFC 2459)
Common Name CN 64
Country C 2
Locality L 128
State ST 128
Organization O 64
Organization Unit OU 64
Email Address emailAddress 128
Serial Number SN 128 (estimated)

Access Certificate Audit Logs

Certificate audit information located in the SSTR and CTRC records cannot be accessed directly using Connect:Direct Requester or Sterling Connect:Direct Browser User Interface. To access certificate information, you can issue a query directly to the database or use an SDK-based or JAI-based program to issue a Select Statistics command. The response to the Select Statistics command contains the AuditInfo field of the statistics records, including the SSTR and CTRC records. This field contains certificate audit information.

The following example was generated using a database query. The certificate audit information is highlighted in bold.

'2007-05-21 14:50:27', 2, 'SSTR', 'CAEV', '', 0, '2007-05-21 14:50:26', '2007-05-21 14:50:27', '', '', 'JLYON-XP.4400', 0, 'MSGI=LSMI004I|SBST=(&NODE=JLYON-XP.4400)|PNOD=JLYON-XP.4400|CSPE=Y|CSPP=TLSv1|CSPS=TLS_RSA_WITH_AES_256_CBC_SHA|

CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/
CN=Example Test ID/SN=a9febbeb4f59d446)|
CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example
IntermediateCA/SN=a69634a8a7830268)
|STSD=2|TZDI=-14400|'

'2007-05-21 14:50:28', 2, 'CTRC', 'CAPR', 'SAMPLE', 1, '2007-05-21 14:50:27', '2007-05-21 14:50:28', 'JLYON-XP.4400', 'jlyon', 'JLYON-XP.4400', 0, 'MSGI=SCPA000I|LCCD=0|LMSG=SCPA000I|OCCD=0|OMSG=SCPA000I|PNAM=SAMPLE|PNUM=1|
SNAM=STEP1|SBND=JLYON-XP.4400|SBID=jlyon|PNOD=JLYON-XP.4400|SNOD=JLYON-XP.4400|LNOD=P|FROM=P|XLAT=N|ECZI=N|ECMP=N|SCMP=N|OERR=N|CKPT=Y|LKFL=N|RSTR=N|
RUSZ=65535|PACC=|SACC=|PPMN=|SFIL=C:\Program Files\Sterling Commerce\Connect Direct v4.4.00\Server\Process\Sample.html|SDS1= |SDS2= |SDS3= |SFSZ=0|SBYR=861|SRCR=1|SBYX=863|SRUX=1|SNVL=-1|SVOL=|DFIL=C:\Program Files\Sterling Commerce\Connect Direct v4.4.00\Server\Process\Verify.html|PPMN=|DDS1=R|DDS2= |DDS3= |DBYW=861|DRCW=1|DBYX=863|DRUX=1|DNVL=0|DVOL=|CSPE=Y|CSPP=TLSv1|CSPS=
TLS_RSA_WITH_AES_256_CBC_SHA|CERT=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Test ID/SN=a9febbeb4f59d446)|CERI=(/C=US/ST=MA/L=Marshfield/O=test.org/OU=Dev/CN=Example Intermediate CA/SN=a69634a8a7830268)

|PCRC=N|ETMC=60|ETMK=10|ETMU=0|STSD=2|TZDI=-14400|'

Certificate Audit Log Error Reporting

If an error occurs when the subject name is extracted from the identity (CERT) or issuer's (CERI) certificates, the following message ID is logged:

CERT=(MSGI=CSPA310E)|CERI=(MSGI=CSPA310E)

Only the message ID is displayed with the CERT or CERI tokens; the standard IBM Connect:Direct error function is not used. After the error occurs, the session continues.