IBM Support

Enable Security Auditing in Dashboard Application Service Hub (DASH)

Technote (FAQ)


Question

How can I track users who login to JazzSM/DASH along with their IP address and other information?

Cause

The security auditing has been introduced in DASH as a part of the security infrastructure. The primary responsibility of the security infrastructure is to prevent unauthorized access and usage of resources. Security auditing achieves these goals by providing the infrastructure that allows you to capture and store supported auditable security events. Each time a DASH application/end user accesses a secured resource or any internal application server process it can be recorded as an auditable event.

The security auditing has the ability to capture the following types of auditable events:
a. Authentication
b. Authorization

These types of events can be recorded into audit log files. Each audit log has the option to be signed and encrypted to ensure data integrity. These audit logs can be analyzed to discover breaches over the existing security mechanisms and to discover potential weaknesses in the current security infrastructure.

Answer

DASH provides a script “configureConsoleAudit.sh/.bat “ to enable audit capability in Websphere. By using this script you can enable or disable security auditing.

Usage:

configureConsoleAudit.sh smadmin password [true|false]

Where smadmin is userid which is DASH Administrator user, and password is the password for this user.
true/false : enable/disable audit feature.

Example;
cd <JazzSMHOME>/ui/bin
$ ./configureConsoleAudit.sh smadmin password true

Note : JazzSM server needs to be restarted after enabling/disabling the audit capability.

DASH Audit Log files

Websphere generates a Binary Audit log file, which contains the audit records for various actions that is performed in DASH. The log file is created in the following directory:

<JazzSMHOME>/profile/logs/server1

The log file is named as “BinaryAudit_JazzSMNode01Cell_JazzSMNode01_server1.log”. Binary Audit log file can be signed/encrypted for protection of audit data. Please refer to Websphere documentation in IBM Knowledge center for details on this :

Audit Record and Event Types

Following are Audit event types and audit Filters:

SECURITY_AUTHN : This event type represents the authentication flow:

For example : when an end user login, a SECURITY_AUTHN event type will be recorded in audit log files.

Example : Seq = 12751 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS | OutcomeReasonCode = 5 | SessionId = 2EEYlMJY_5faSiMYNkTtlNJ | RemoteHost = RUCHIRA-009027144166.raleigh.ibm.com | RemoteAddr = 9.27.144.166 | RemotePort = 1171 | ProgName = /kts.do | Action = webAuth | AppUserName = smadmin | ResourceName = POST | RegistryUserName = defaultWIMFileBasedRealm/smadmin | AccessDecision = authnSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Thu Jul 07 08:35:27 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess

SECURITY_AUTHN_TERMINATE : This event type represents the logout action. For example : when a user logout from DASH console, an audit record is recorded.

Example : Seq = 18516 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 9 | SessionId = cdkX1qziTdc2NcCIEfuNhKr | RemoteHost = localhost.localdomain | RemoteAddr = 0:0:0:0:0:0:0:1 | RemotePort = 32825 | ProgName = isclite | Action = logout | AppUserName = smadmin | ResourceName = GET | RegistryUserName = null | AccessDecision = logoutSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 08 09:20:39 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = -20674659 | FirstCaller = smadmin | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | TerminateReason = logout | Provider = TIPLogout | ProviderStatus = providerSuccess | LogoutAction:29bhE1--dc9Cjm0vsA2gr-g = Logout SuccessFully

SECURITY_MGMT_REGISTRY : The audit event represents the “authorization”. Various access control operations on DASH resources such as role management, page management, portlet management actions are all recorded as this event. Please see below sections on what actions are reported as this event type.

Example : Seq = 22469 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = smadmin | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = smadmin | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Removed subject (user) 'smadmin' from the roleAssignment object = SUCCESS

Seq = 22465 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = smadmin | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = smadmin | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Update Argus Store = Role mapping update in Argus Store

Note:

You may notice slow performance from DASH with above traces enabled. In that case please make a backup copy of below file and then manually enable the features you need and disable the remaining ones. Restart TIP after this change.


<JazzSMHOME>/profile/config/cells/JazzSMNode01Cell/audit.xml

Document information

More support for: Tivoli Components
Jazz for Service Management

Software version: 1.1.1, 1.1.1.1, 1.1.2

Operating system(s): AIX, Linux, Platform Independent, Solaris, Windows

Software edition: All Editions

Reference #: 1958921

Modified date: 09 June 2016