You can use the wsadmin tool to configure the security
auditing system to encrypt security audit records. Security auditing
provides tracking and archiving of auditable events.
Before you begin
Before configuring encryption, set up your security auditing
subsystem. You can enable security auditing before or after completing
the steps in this topic.
Verify that you have the appropriate administrative role. To complete this task, you must have the auditor administrative role. If you are importing a certificate from a keystore that is defined in the security.xml file, you must have both the auditor and the administrator administrative roles.
About this task
When configuring encryption, the auditor makes two choices:
- Whether the application server automatically generates the certificate, or an existing self-signed certificate generated by the auditor is imported.
- Whether an existing keystore stores this certificate, or a new keystore is created to store it.
Avoid trouble: To preserve the separation of privileges between the administrator role and the auditor role, the auditor can create a self-signed certificate outside the application server process and retain sole control of that certificate's private key, so that the administrator is never able to decrypt the audit records.
Use the following task steps to encrypt security audit data:
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language. See the Starting the wsadmin scripting client article for
more information.
- Configure encryption settings for security audit data.
Use the createAuditEncryptionConfig command and the following parameters to create the audit encryption model that encrypts your audit records. You must specify the -enableAuditEncryption, -certAlias, and -encryptionKeyStoreRef parameters, and exactly one of the -autogenCert or -importCert parameters (never both).
Table 1. Command parameters. This table describes the createAuditEncryptionConfig command and its parameters:

Parameter | Description | Data type | Required
-enableAuditEncryption | Specifies whether to encrypt audit records. This parameter modifies your audit policy configuration. | Boolean | Yes
-certAlias | Specifies the alias name that identifies the generated or imported certificate. | String | Yes
-encryptionKeyStoreRef | Specifies the reference ID of the keystore in which the generated or imported certificate is stored. | String | Yes
-autogenCert | Specifies whether to automatically generate the certificate used to encrypt the audit records. You must specify either this parameter or the -importCert parameter, but you cannot specify both. | Boolean | No
-importCert | Specifies whether to import an existing certificate to encrypt the audit records. You must specify either this parameter or the -autogenCert parameter, but you cannot specify both. | Boolean | No
-certKeyFileName | Specifies the unique name of the key file from which the certificate is imported. | String | No (used with -importCert)
-certKeyFilePath | Specifies the location of the key file from which the certificate is imported. | String | No (used with -importCert)
-certKeyFileType | Specifies the type of the key file (for example, PKCS12) from which the certificate is imported. | String | No (used with -importCert)
-certKeyFilePassword | Specifies the password of the key file from which the certificate is imported. | String | No (used with -importCert)
-certAliasToImport | Specifies the alias of the certificate to import from the key file. | String | No (used with -importCert)
The following command example configures encryption and lets the application server automatically generate the certificate:
AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -autogenCert true -encryptionKeyStoreRef auditKeyStore')
The following command example configures encryption and imports an existing certificate from a PKCS12 key file (the whole parameter string must stay on one line, because it is a single Jython string literal):
AdminTask.createAuditEncryptionConfig('-enableAuditEncryption true -certAlias auditCertificate -importCert true -certKeyFileName MyServerKeyFile.p12 -certKeyFilePath install_root/etc/MyServerKeyFile.p12 -certKeyFileType PKCS12 -certKeyFilePassword password4key -certAliasToImport defaultCertificate -encryptionKeyStoreRef auditKeyStore')
- Save the configuration changes, then restart the server to apply them.
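The procedure above can be wrapped in a small wsadmin Jython helper that assembles the createAuditEncryptionConfig parameter string, enforces the rules the command imposes (-autogenCert and -importCert are mutually exclusive, the import parameters must all be present) and keeps the key file password out of any log output. This is an added example, not code from the page or from the product; the helper names (build_audit_encryption_args, quote_value, redact, configure_audit_encryption) and the sample inputs are this example's own, while AdminTask and AdminConfig are the objects wsadmin itself provides. It is written for the Jython 2.x that wsadmin embeds, so it avoids f-strings and other Python-3-only syntax, and it also runs as plain Python, where it only builds and prints the strings.

```python
import re

# Added example, not the page's or the product's own code. Assumed helper
# names; AdminTask and AdminConfig are the real wsadmin scripting objects.

# Parameters that only make sense together with -importCert (see Table 1).
IMPORT_PARAMS = ('certKeyFileName', 'certKeyFilePath', 'certKeyFileType',
                 'certKeyFilePassword', 'certAliasToImport')


def quote_value(value):
    """Double-quote a value that contains whitespace.

    wsadmin splits the parameter string on whitespace, so an unquoted
    path such as C:/Program Files/... would otherwise be read as two tokens.
    """
    value = str(value)
    if re.search(r'\s', value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def build_audit_encryption_args(cert_alias, keystore_ref,
                                autogen_cert=0, import_params=None):
    """Return the argument string for AdminTask.createAuditEncryptionConfig.

    Exactly one of autogen_cert / import_params must be given. import_params
    is a dict keyed by the names in IMPORT_PARAMS (without the leading dash).
    """
    if autogen_cert and import_params:
        raise ValueError('-autogenCert and -importCert cannot both be specified')
    if not autogen_cert and not import_params:
        raise ValueError('specify either -autogenCert or -importCert')
    if not cert_alias or not keystore_ref:
        raise ValueError('-certAlias and -encryptionKeyStoreRef are required')

    parts = ['-enableAuditEncryption true',
             '-certAlias ' + quote_value(cert_alias),
             '-encryptionKeyStoreRef ' + quote_value(keystore_ref)]
    if autogen_cert:
        parts.append('-autogenCert true')
    else:
        missing = [p for p in IMPORT_PARAMS if not import_params.get(p)]
        if missing:
            raise ValueError('-importCert needs: ' + ', '.join(missing))
        parts.append('-importCert true')
        for name in IMPORT_PARAMS:
            parts.append('-' + name + ' ' + quote_value(import_params[name]))
    return ' '.join(parts)


def redact(args):
    """Mask the -certKeyFilePassword value so the string is safe to log."""
    return re.sub(r'(-certKeyFilePassword\s+)("[^"]*"|\S+)',
                  r'\g<1>********', args)


def configure_audit_encryption(args):
    """Apply the configuration inside wsadmin and persist it.

    Outside wsadmin there is no AdminTask object, so the function just
    returns the validated string; that is what lets this file run stand-alone.
    """
    try:
        AdminTask
    except NameError:
        return args
    AdminTask.createAuditEncryptionConfig(args)
    # Workspace changes are discarded unless saved; the server still
    # needs a restart afterwards.
    AdminConfig.save()
    return args


# Constructed sample inputs mirroring the two commands in the procedure.
AUTOGEN_ARGS = build_audit_encryption_args('auditCertificate', 'auditKeyStore',
                                           autogen_cert=1)
IMPORT_ARGS = build_audit_encryption_args(
    'auditCertificate', 'auditKeyStore',
    import_params={'certKeyFileName': 'MyServerKeyFile.p12',
                   'certKeyFilePath': 'install_root/etc/MyServerKeyFile.p12',
                   'certKeyFileType': 'PKCS12',
                   'certKeyFilePassword': 'password4key',
                   'certAliasToImport': 'defaultCertificate'})

print(redact(AUTOGEN_ARGS))
print(redact(IMPORT_ARGS))
```

As written, the file only builds and prints the redacted parameter strings. To apply one of them, append a call such as configure_audit_encryption(AUTOGEN_ARGS) and run the file with wsadmin -lang jython -f, then restart the server as the procedure requires.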
Results
Encryption is configured for security audit data. If you
set the -enableAuditEncryption parameter to true, then your
security auditing system encrypts security audit data when security
auditing is enabled.
What to do next
After you have configured the encryption model for the first time, you can use the enableAuditEncryption and disableAuditEncryption commands to turn encryption on and off without recreating it.
The following example
uses the enableAuditEncryption command to turn on encryption:
AdminTask.enableAuditEncryption()
The following example uses the disableAuditEncryption command to turn off encryption:
AdminTask.disableAuditEncryption()