AuditSigningCommands command group for the AdminTask object

You can use the Jython scripting language to configure the signing of audit records with the wsadmin tool. Use the commands and parameters in the AuditSigningCommands group to enable, disable, and configure the security audit system to sign audit records.

createAuditSigningConfig

The createAuditSigningConfig command creates the signing model that the system uses to sign the audit records. Use this command to configure your audit signing configuration for the first time. If you have already configured audit signing, use the enableAuditSigning and disableAuditSigning commands to turn audit signing on and off.

You can import the certificate from an existing key file that contains it, automatically generate the certificate, or use the same certificate that the application server uses to encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, -autogenCert, and -importCert parameters to false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object

None.

Required parameters

-enableAuditSigning
Specifies whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)
-certAlias
Specifies the alias name that identifies the generated or imported certificate. (String, required)
-signingKeyStoreRef
Specifies the reference ID of the keystore that the system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate that is used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert
Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)
-autogenCert
Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)
-importCert
Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)
-certKeyFileName
Specifies the unique name of the key file for the certificate to import. (String, optional)
-certKeyFilePath
Specifies the key file location for the certificate to import. (String, optional)
-certKeyFileType
Specifies the key file type for the certificate to import. (String, optional)
-certKeyFilePassword
Specifies the key file password for the certificate to import. (String, optional)
-certAliasToImport
Specifies the alias of the certificate to import. (String, optional)

Return value

If successful, the command returns the shortened form of the keystore to which the signing certificate has been added. Remember, this keystore is in the security.xml file, not the audit.xml file.

Batch mode example usage

  • Using Jython string:
    AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias '
    'auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
  • Using Jython list:
    AdminTask.createAuditSigningConfig(['-enableAuditSigning', 'true', '-certAlias', 
    'auditSigningCert', '-autogenCert', 'true', '-signingKeyStoreRef', 
    'Ref_Id_of_KeyStoreInSecurityXML'])

Interactive mode example usage

  • Using Jython:
    AdminTask.createAuditSigningConfig('-interactive')

deleteAuditSigningConfig

The deleteAuditSigningConfig command deletes the signing model that the system uses to sign the audit records. When the system deletes the audit signing configuration, it does not delete the key store file in the security.xml or the signer certificate for the keystore.

The user must have the auditor administrative role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully removes the audit signing configuration.

Batch mode example usage

  • Using Jython string:
    AdminTask.deleteAuditSigningConfig()
  • Using Jython list:
    AdminTask.deleteAuditSigningConfig()

Interactive mode example usage

  • Using Jython:
    AdminTask.deleteAuditSigningConfig('-interactive')

disableAuditSigning

The disableAuditSigning command disables audit record signing for the security auditing system.

The user must have the auditor administrative role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully disables audit signing.

Batch mode example usage

  • Using Jython string:
    AdminTask.disableAuditSigning()
  • Using Jython list:
    AdminTask.disableAuditSigning()

Interactive mode example usage

  • Using Jython:
    AdminTask.disableAuditSigning('-interactive')

enableAuditSigning

The enableAuditSigning command enables audit record signing in the security auditing system.

The user must have the auditor administrative role to run this command.

Target object

None.

Return value

The command returns a value of true if the system successfully enables audit signing in the security auditing system.

Batch mode example usage

  • Using Jython string:
    AdminTask.enableAuditSigning()
  • Using Jython list:
    AdminTask.enableAuditSigning()

Interactive mode example usage

  • Using Jython:
    AdminTask.enableAuditSigning('-interactive')

getAuditSigningConfig

The getAuditSigningConfig command retrieves the signing model that the system uses to sign the audit records.

The user must have the monitor administrative role to run this command.

Target object

None.

Return value

The command returns a list of attributes that are associated with the signing model, as the following sample output displays:
{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}

Batch mode example usage

  • Using Jython string:
    AdminTask.getAuditSigningConfig()
  • Using Jython list:
    AdminTask.getAuditSigningConfig()

Interactive mode example usage

  • Using Jython:
    AdminTask.getAuditSigningConfig('-interactive')
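
The following is an added example, not part of the original command reference: it parses the attribute list that getAuditSigningConfig returns and reports when signing is disabled or when the signer certificate alias or keystore reference differs from a recorded baseline. The function names and the baseline values are assumptions for illustration, and the sample string is constructed from the output shown above.

```python
import re

# Constructed sample in the attribute-list format shown above.
SAMPLE_OUTPUT = """{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}"""

# One "{name value}" pair; the value can be empty or absent.
_PAIR = re.compile(r'\{(\w+)(?:[ \t]+([^{}]*))?\}')

def parse_signing_config(raw):
    """Turn the '{{name value} {name value}}' string into a dict."""
    config = {}
    for name, value in _PAIR.findall(raw):
        config[name] = value.strip()
    return config

def signing_findings(config, baseline_alias, baseline_keystore_ref):
    """Return a list of deviations from the expected signing posture."""
    findings = []
    if config.get('enabled', '').lower() != 'true':
        findings.append('audit signing is not enabled')
    checks = (('securityXmlSignerCertAlias', baseline_alias),
              ('signerKeyStoreRef', baseline_keystore_ref))
    for name, expected in checks:
        actual = config.get(name, '')
        if actual != expected:
            findings.append('%s is %r, baseline is %r' % (name, actual, expected))
    return findings

def current_config():
    """Read the live configuration inside wsadmin, else use the sample."""
    try:
        raw = AdminTask.getAuditSigningConfig()  # defined only inside wsadmin
    except NameError:
        raw = SAMPLE_OUTPUT
    return parse_signing_config(raw)

# Baseline values are hypothetical; record your own after configuring signing.
for finding in signing_findings(current_config(), 'mysigningcert', 'KeyStore_Node04_4'):
    print(finding)
```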

importEncryptionCertificate

The importEncryptionCertificate command imports the self-signed certificate used for encrypting audit data from the encryption keystore into another keystore. Use this command internally to automatically generate a certificate for either encryption or signing. You can also use this command to import the certificate into the keystore by specifying the keyStoreName and keyStoreScope parameters.

Target object

None.

Required parameters

-keyStoreName
Specifies the unique name to identify the keystore. (String, required)
-keyFilePath
Specifies the keystore path name that contains the certificate to import. (String, required)
-keyFilePassword
Specifies the password of the keystore that contains the certificate to import. (String, required)
-keyFileType
Specifies the type of the keystore. (String, required)
-certificateAliasFromKeyFile
Specifies the alias of the certificate to import from the keystore file. (String, required)

Optional parameters

-keyStoreScope
Specifies the scope name of the keystore. (String, optional)
-certificateAlias
Specifies a unique name to identify the imported certificate. (String, optional)

Return value

The command returns a value of true if the system successfully imports the encryption certificate.

Batch mode example usage

  • Using Jython string:
    AdminTask.importEncryptionCertificate('-keyStoreName AuditDefaultKeyStore -keyStoreScope '
    '(cell):Node04Cell -keyFilePath c:/install_root/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 '
    '-keyFilePassword WebAS -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
  • Using Jython list:
    AdminTask.importEncryptionCertificate(['-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', 
    '(cell):Node04Cell', '-keyFilePath', 'c:/install_root/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12', 
    '-keyFilePassword', 'WebAS', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 
    'root', '-certificateAlias', 'myimportcert'])

Interactive mode example usage

  • Using Jython:
    AdminTask.importEncryptionCertificate('-interactive')

isAuditSigningEnabled

The isAuditSigningEnabled command indicates whether audit signing is enabled or disabled in the security audit system.

The user must have the monitor administrative role to run this command.

Target object

None.

Return value

The command returns a value of true if signing is configured in the security auditing system.

Batch mode example usage

  • Using Jython string:
    AdminTask.isAuditSigningEnabled()
  • Using Jython list:
    AdminTask.isAuditSigningEnabled()

Interactive mode example usage

  • Using Jython:
    AdminTask.isAuditSigningEnabled('-interactive')

modifyAuditSigningConfig

The modifyAuditSigningConfig command modifies the signing model that the system uses to sign the audit records.

The certificate can be imported from an existing key file that contains it, automatically generated, or be the same certificate that is used to encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, -autogenCert, and -importCert parameters to false for this scenario.

The user must have the administrator and auditor administrative roles to run this command.

Target object

None.

Required parameters

-enableAuditSigning
Specifies whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)
-certAlias
Specifies the alias name that identifies the generated or imported certificate. (String, required)
-signingKeyStoreRef
Specifies the reference ID of the keystore that the system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate that is used to sign the audit records. (String, required)

Optional parameters

-useEncryptionCert
Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)
-autogenCert
Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)
-importCert
Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)
-certKeyFileName
Specifies the unique name of the key file for the certificate to import. (String, optional)
-certKeyFilePath
Specifies the key file location for the certificate to import. (String, optional)
-certKeyFileType
Specifies the key file type for the certificate to import. (String, optional)
-certKeyFilePassword
Specifies the key file password for the certificate to import. (String, optional)
-certAliasToImport
Specifies the alias of the certificate to import. (String, optional)

Return value

The command returns a value of true if the system successfully modifies the security auditing system configuration.

Batch mode example usage

  • Using Jython string:
    AdminTask.modifyAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert '
    '-autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
  • Using Jython list:
    AdminTask.modifyAuditSigningConfig(['-enableAuditSigning', 'true', '-certAlias', 
    'auditSigningCert', '-autogenCert', 'true', '-signingKeyStoreRef', 'Ref_Id_of_KeyStoreInSecurityXML']) 

Interactive mode example usage

  • Using Jython:
    AdminTask.modifyAuditSigningConfig('-interactive')