You can enable audit signing and encrypt audit logs to audit the security of your Liberty environment.
Before you begin
Important:
- The SHA256withRSA hashing algorithm is used as the default cryptographic algorithm for both
encryption and signing.
- The ability to encrypt and sign audit data is only available for data that is created with the
default audit service provider, the audit file emitter.
- Only the JKS, PKCS12, and JCEKS keystore types are supported.
- To decrypt and unsign audit data, use the auditUtility auditReader command.
About this task
Use the security auditing feature to protect your security audit data. It can increase the
assurance that the audit data is not tampered with or modified outside of the auditing facility. It
also protects the confidentiality of the data.
The practice of auditing requires assurances that your audit data is accurate and uncompromised.
With the security auditing feature, your audit data can be encrypted, signed, or encrypted and
signed. Use these options to protect your audit data and provide assurances that your data is viewed
only by authorized users and is not untraceably modified.
Procedure
- Enable audit log encryption in a server.xml file.
  Encrypt audit logs to protect your audit data. To encrypt the audit logs, use a certificate that
  is saved to a keystore, and specify that keystore in the server.xml file. After encryption, only
  users with the password to the keystore can view or update the audit logs.
  To enable encryption, specify a keystore configuration that defines the location of the keystore
  containing the certificate that is used to encrypt the audit data. Also, specify an
  auditFileHandler element to enable the encryption.

    <keyStore id="auditEncKeyStore"
              password="Liberty"
              location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks"
              type="JKS" />
    <auditFileHandler encrypt="true"
                      encryptAlias="auditencryption"
                      encryptKeyStoreRef="auditEncKeyStore">
    </auditFileHandler>
- Enable audit log signing in a server.xml file.
  Sign audit logs to protect your audit data. The audit logs are signed by using a personal
  certificate that is saved to a keystore, and that keystore is specified in the server.xml file.
  After audit records are signed, only users with the password to the keystore can view or update
  the audit logs.
  To enable signing, specify a keystore configuration that defines the location of the keystore
  containing the certificate that is used to sign the audit data. Also, specify an
  auditFileHandler element to enable the signing.

    <keyStore id="auditSignKeyStore"
              password="Liberty"
              location="${server.config.dir}/resources/security/AuditSigningKeyStore.jks"
              type="JKS" />
    <auditFileHandler sign="true"
                      signingAlias="auditsigning"
                      signingKeyStoreRef="auditSignKeyStore">
    </auditFileHandler>
- Enable both encryption and signing of audit data in a server.xml file.

    <keyStore id="auditEncKeyStore"
              password="Liberty"
              location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks"
              type="JKS" />
    <keyStore id="auditSignKeyStore"
              password="Liberty"
              location="${server.config.dir}/resources/security/AuditSigningKeyStore.jks"
              type="JKS" />
    <auditFileHandler encrypt="true"
                      encryptAlias="auditencryption"
                      encryptKeyStoreRef="auditEncKeyStore"
                      sign="true"
                      signingAlias="auditsigning"
                      signingKeyStoreRef="auditSignKeyStore">
    </auditFileHandler>
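All three steps depend on the same wiring: each feature that is enabled on auditFileHandler must name an alias and a keystore reference that matches the id of a keyStore of a supported type (JKS, PKCS12 or JCEKS) whose file exists on disk. The Python preflight check below is an added example, not code from Liberty or from this page; it parses a constructed server.xml (the combined configuration above, wrapped in a <server> root) and reports any broken link, with the filesystem lookup injectable so it runs without a Liberty installation.

```python
import os
import xml.etree.ElementTree as ET

# Keystore types the documentation lists as supported for audit encryption and signing.
SUPPORTED_TYPES = {"JKS", "PKCS12", "JCEKS"}
# Per feature: the attribute that enables it, the alias attribute, the keyStore reference.
AUDIT_FEATURES = (
    ("encrypt", "encryptAlias", "encryptKeyStoreRef"),
    ("sign", "signingAlias", "signingKeyStoreRef"),
)


def check_audit_config(server_xml, config_dir, exists=os.path.exists):
    """Return a list of problems; an empty list means every enabled feature is wired up.
    config_dir replaces ${server.config.dir}; exists is injectable so checks can run offline."""
    root = ET.fromstring(server_xml)
    keystores = {ks.get("id"): ks for ks in root.iter("keyStore") if ks.get("id")}
    problems = []
    for handler in root.iter("auditFileHandler"):
        for flag, alias_attr, ref_attr in AUDIT_FEATURES:
            if handler.get(flag, "false").lower() != "true":
                continue  # this feature is not enabled on the handler
            if not handler.get(alias_attr):
                problems.append(f"{flag}: {alias_attr} is not set")
            ref = handler.get(ref_attr)
            keystore = keystores.get(ref)
            if keystore is None:
                problems.append(f"{flag}: {ref_attr}={ref!r} matches no keyStore id")
                continue
            ks_type = keystore.get("type", "")
            if ks_type and ks_type.upper() not in SUPPORTED_TYPES:
                problems.append(f"{flag}: keyStore {ref!r} type {ks_type!r} is unsupported")
            location = keystore.get("location", "").replace("${server.config.dir}", config_dir)
            if not exists(location):
                problems.append(f"{flag}: keystore file not found at {location!r}")
    return problems


# Constructed sample: the combined encryption-plus-signing configuration from the
# procedure above, wrapped in the <server> root element of a real server.xml.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="auditEncKeyStore" password="Liberty" type="JKS"
            location="${server.config.dir}/resources/security/AuditEncryptionKeyStore.jks" />
  <keyStore id="auditSignKeyStore" password="Liberty" type="JKS"
            location="${server.config.dir}/resources/security/AuditSigningKeyStore.jks" />
  <auditFileHandler encrypt="true" encryptAlias="auditencryption" encryptKeyStoreRef="auditEncKeyStore"
                    sign="true" signingAlias="auditsigning" signingKeyStoreRef="auditSignKeyStore" />
</server>"""

if __name__ == "__main__":
    # Pretend both keystore files exist so the sample runs without a Liberty install.
    print(check_audit_config(SAMPLE_SERVER_XML, "/opt/liberty/usr/servers/defaultServer", exists=lambda p: True))
```

Point config_dir at the real server configuration directory and drop the exists override to check an actual server before restarting it with encryption or signing enabled.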