AuditSigningCommands command group for the AdminTask object
You can use the Jython scripting language to configure the signing of audit records with the wsadmin tool. Use the commands and parameters in the AuditSigningCommands group to enable, disable, and configure the security audit system to sign audit records.
createAuditSigningConfig
The createAuditSigningConfig command creates the signing model that the system uses to sign the audit records. Use this command to configure your audit signing configuration for the first time. If you have already configured audit signing, use the enableAuditSigning and disableAuditSigning commands to turn audit signing on and off.
You can import the certificate from an existing key file name containing that certificate, automatically generate the certificate, or use the same certificate as the application server uses encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value of the -useEncryptionCert, -autogenCert, and -importCert parameters as false for this scenario.
The user must have the administrator and auditor administrative roles to run this command.
Target object
None.
Required parameters
- -enableAuditSigning
- Specifies whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)
- -certAlias
- Specifies the alias name that identifies the generated or imported certificate. (String, required)
- -signingKeyStoreRef
- Specifies the reference ID of the key store that system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate that is used to sign the audit records. (String, required)
Optional parameters
- -useEncryptionCert
- Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)
- -autogenCert
- Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)
- -importCert
- Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)
- -certKeyFileName
- Specifies the unique name of the key file for the certificate to import. (String, optional)
- -certKeyFilePath
- Specifies the key file location for the certificate to import. (String, optional)
- -certKeyFileType
- Specifies the key file type for the certificate to import. (String, optional)
- -certKeyFilePassword
- Specifies the key file password for the certificate to import. (String, optional)
- -certAliasToImport
- Specifies the alias of the certificate to import. (String, optional)
Return value
If successful, returns the shortened from of the keystore where the signing certificate has been added to. Remember, this keystore is in the security.xml file, not the audit.xml file.
Batch mode example usage
- Using Jython string:
AdminTask.createAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
- Using Jython list:
AdminTask.createAuditSigningConfig(['-enableAuditSigning', 'true', '-certAlias', 'auditSigningCert', '-autogenCert', 'true -signingKeyStoreRef', 'Ref_Id_of_KeyStoreInSecurityXML'])
Interactive mode example usage
- Using Jython :
AdminTask.createAuditSigningConfig('-interactive')
deleteAuditSigningConfig
The deleteAuditSigningConfig command deletes the signing model that the system uses to sign the audit records. When the system deletes the audit signing configuration, it does not delete the key store file in the security.xml or the signer certificate for the keystore.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully removes the audit signing configuration.
Batch mode example usage
- Using Jython string:
AdminTask.deleteAuditSigningConfig()
- Using Jython list:
AdminTask.deleteAuditSigningConfig()
Interactive mode example usage
- Using Jython:
AdminTask.deleteAuditSigningConfig('-interactive')
disableAuditSigning
The disableAuditSigning command disables audit record signing for the security auditing system.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully disables audit signing.
Batch mode example usage
- Using Jython string:
AdminTask.disableAuditSigning()
- Using Jython list:
AdminTask.disableAuditSigning()
Interactive mode example usage
- Using Jython:
AdminTask.disableAuditSigning('-interactive')
enableAuditSigning
The enableAuditSigning command enables audit record signing in the security auditing system.
The user must have the auditor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if the system successfully enables audit signing in the security auditing system.
Batch mode example usage
- Using Jython string:
AdminTask.enableAuditSigning()
- Using Jython list:
AdminTask.enableAuditSigning()
Interactive mode example usage
- Using Jython:
AdminTask.enableAuditSigning()
getAuditSigningConfig
The getAuditSigningConfig command retrieves the signing model that the system uses to sign the audit records.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
{{securityXmlSignerScopeName (cell):Node04Cell:(node):Node04}
{securityXmlSignerCertAlias mysigningcert}
{securityXmlSignerKeyStoreName NodeDefaultRootStore}
{signerKeyStoreRef KeyStore_Node04_4}
{enabled true}}
Batch mode example usage
- Using Jython string:
AdminTask.getAuditSigningConfig()
- Using Jython list:
AdminTask.getAuditSigningConfig()
Interactive mode example usage
- Using Jython string:
AdminTask.getAuditSigningConfig('-interactive')
importEncryptionCertificate
The importEncryptionCertificate command imports the self-signed certificate used for encrypting audit data from the encryption keystore into another keystore. Use this command internally to automatically generate a certificate for either encryption or signing. You can also use this command to import the certificate into the keystore by specifying the keyStoreName and keyStoreScope parameters.
Target object
None.
Required parameters
- -keyStoreName
- Specifies the unique name to identify the keystore. (String, required)
- -keyFilePath
- Specifies the keystore path name that contains the certificate to import. (String, required)
- -keyFilePassword
- Specifies the password of the keystore that contains the certificate to import. (String, required)
- -keyFileType
- Specifies the type of the keystore. (String, required)
- -certificateAliasFromKeyFile
- Specifies the alias of the certificate to import from the keystore file. (String, required)
Optional parameters
- -keyStoreScope
- Specifies the scope name of the keystore. (String, optional)
- -certificateAlias
- Specifies a unique name to identify the imported certificate. (String, optional)
Return value
The command returns a value of true if the system successfully imports the encryption certificate.
Batch mode example usage
- Using Jython string:
AdminTask.importEncryptionCertificate('{-keyStoreName AuditDefaultKeyStore -keyStoreScope (cell):Node04Cell -keyFilePath c:/install_root/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12 -keyFilePassword WebAS -keyFileType PKCS12 -certificateAliasFromKeyFile root -certificateAlias myimportcert')
- Using Jython list:
AdminTask.importEncryptionCertificate(['{-keyStoreName', 'AuditDefaultKeyStore', '-keyStoreScope', '(cell):Node04Cell', '-keyFilePath', 'c:/install_root/appserver/profiles/AppSrv01/config/cells/Node04Cell/nodes/Node04/trust.p12', '-keyFilePassword', 'WebAS', '-keyFileType', 'PKCS12', '-certificateAliasFromKeyFile', 'root', '-certificateAlias', 'myimportcert'])
Interactive mode example usage
- Using Jython:
AdminTask.importEncryptionCertificate('-interactive')
isAuditSigningEnabled
The isAuditSigningEnabled command indicates whether audit signing is enabled or disable in the security audit system.
The user must have the monitor administrative role to run this command.
Target object
None.
Return value
The command returns a value of true if signing is configured in the security auditing system.
Batch mode example usage
- Using Jython string:
AdminTask.isAuditSigningEnabled()
- Using Jython list:
AdminTask.isAuditSigningEnabled()
Interactive mode example usage
- Using Jython:
AdminTask.isAuditSigningEnabled('-interactive')
modifyAuditSigningConfig
The modifyAuditSigningConfig command modifies the signing model that the system uses to sign the audit records.
The certificate may either be imported from an existing key file name containing that certificate, automatically generated, or be the same certificate used to encrypt the audit records. To use an existing certificate in an existing keystore, specify input values for the -enableAuditEncryption, -certAlias, and -signingKeyStoreRef parameters. Also, set the value the -useEncryptionCert, -autogenCert, and -importCert parameters as false for this scenario.
The user must have the administrator and auditor administrative roles to run this command.
Target object
None.
Required parameters
- -enableAuditSigning
- Specifies whether to sign audit records. This parameter modifies your audit policy configuration. (Boolean, required)
- -certAlias
- Specifies the alias name that identifies the generated or imported certificate. (String, required)
- -signingKeyStoreRef
- Specifies the reference ID of the key store that system imports the certificate to. The signing keystore must already exist in the security.xml file. The system updates this keystore with the certificate that is used to sign the audit records. (String, required)
Optional parameters
- -useEncryptionCert
- Specifies whether to use the same certificate for encryption and signing. (Boolean, optional)
- -autogenCert
- Specifies whether to automatically generate the certificate used to sign the audit records. (Boolean, optional)
- -importCert
- Specifies whether to import an existing certificate to sign the audit records. (Boolean, optional)
- -certKeyFileName
- Specifies the unique name of the key file for the certificate to import. (String, optional)
- -certKeyFilePath
- Specifies the key file location for the certificate to import. (String, optional)
- -certKeyFileType
- Specifies the key file type for the certificate to import. (String, optional)
- -certKeyFilePassword
- Specifies the key file password for the certificate to import. (String, optional)
- -certAliasToImport
- Specifies the alias of the certificate to import. (String, optional)
Return value
The command returns a value of true if the system successfully modifies the security auditing system configuration.
Batch mode example usage
- Using Jython string:
AdminTask.modifyAuditSigningConfig('-enableAuditSigning true -certAlias auditSigningCert -autogenCert true -signingKeyStoreRef Ref_Id_of_KeyStoreInSecurityXML')
- Using Jython list:
AdminTask.modifyAuditSigningConfig(['-enableAuditSigning', 'true', '-certAlias', 'auditSigningCert', '-autogenCert', 'true', '-signingKeyStoreRef', 'Ref_Id_of_KeyStoreInSecurityXML'])
Interactive mode example usage
- Using Jython:
AdminTask.modifyAuditSigningConfig('-interactive')