Signed Audit Events
This page describes audit events that are common in all PKI subsystems. The complete list of events, the message format, and the event description are stored in LogMessages.properties.
Subsystem-specific audit events are described in the following pages:
See also PKI Server Audit Events Design.
This event is triggered when authentication succeeded.
Properties:
- Outcome should always be "success" in this event
- AuthMgr must be the authentication manager instance name that did this authentication
For example, use CLI to authenticate as admin user:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
In PKI 10.5 this event is renamed to AUTH.
This event is triggered when authentication fails (in case of SSL-client auth, only webserver env can pick up the SSL violation; CS authMgr can pick up certificate mis-match, so this event is used).
Properties:
- Outcome should always be "failure" in this event (obviously, if authentication failed, you won’t have a valid SubjectID, so in this case, SubjectID should be $Unidentified$)
- AuthMgr must be the authentication manager instance name that did this authentication
- AttemptedCred must be the credential attempted and failed
For example, start PKI console and login with a wrong password. The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
In PKI 10.5 this event is renamed to AUTH.
This event is triggered when authorization is successful.
Properties:
- Outcome must be success for this event
- aclResource must be the ACL resource ID as defined in ACL resource list
- Op must be one of the operations as defined with the ACL statement, e.g. "read" for an ACL statement containing "(read,write)"
For example, use CLI to authenticate as admin user:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
In PKI 10.5 this event is renamed to AUTHZ.
This event is triggered when authorization has failed.
Properties:
- Outcome must be failure for this event
- aclResource must be the ACL resource ID as defined in ACL resource list
- Op must be one of the operations as defined with the ACL statement, e.g. "read" for an ACL statement containing "(read,write)"
For example, execute the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-audit-file-find
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
In PKI 10.5 this event is renamed to AUTHZ.
This event is triggered when user assumes a role (in current CS that’s when one accesses a role port).
Properties:
- Role must be one of the valid roles, by default: "Administrators", "Certificate Manager Agents", and "Auditors". Note that customized role names can be used once configured.
For example, start PKI Console and login as admin user. The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.log.configuration][Op=read] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.general.configuration][Op=read] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.configuration][Op=read] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.general.configuration][Op=read] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=caadmin][Outcome=Success][Role=Certificate Manager Agents, Administrators, Security Domain Administrators, Enterprise CA Administrators, Enterprise KRA Administrators, Enterprise OCSP Administrators, Enterprise TKS Administrators, Enterprise RA Administrators, Enterprise TPS Administrators] assume privileged role
This event is triggered when configuring role information (anything under users/groups: add/remove/edit a role, etc.).
Properties:
- ParamNameValPairs must be a name;;value pair (where name and value are separated by the delimiter ;;) separated by + (if more than one name;;value pair) of config params changed
For example, use CLI to add a member to a group:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-member-add Administrators testuser
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.groups][Op=execute][Info=GroupResource.addGroupMember] authorization success
[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;members+Operation;;OP_ADD+Resource;;Administrators+user;;testuser] role configuration parameter(s) change
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
This event is triggered when configuring signedAudit.
- ParamNameValPairs must be a name;;value pair (where name and value are separated by the delimiter ;;) separated by + (if more than one name;;value pair) of config params changed
For example, use CLI to disable audit:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-audit-mod --action disable
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.log.configuration][Op=modify][Info=AuditResource.changeAuditStatus] authorization success
[AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=+Action;;disable] signed audit configuration parameter(s) change
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
This event is triggered when:
- "Manage Certificate" is used to edit the trust settings of certificates or to delete certificates
- "Certificate Setup Wizard" is used to import CA certificates into the certificate database (although CrossCertificatePairs are stored within internaldb, audit them as well)
Properties:
- ParamNameValPairs must be a name;;value pair (where name and value are separated by the delimiter ;;) separated by + (if more than one name;;value pair) of config params changed
For example, run PKI Console and execute the following operations:
- Click System Keys and Certificates
- Click Add
- Click Next
- Select Trusted CA Certificate Chain
- Click Next
- Select The certificate is located in the text area below
- Paste a CA Certificate
- Click Next
- Click Next
[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE----- MIIDFTCCAf2gAwIBAgICWakwDQYJKoZIhvcNAQELBQAwMzEQMA4GA1UEChMHRVhB TVBMRTEfMB0GA1UEAxMWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNzA0MjYx NzQzMjRaFw0xNzA3MjYxNzQzMjRaMDMxEDAOBgNVBAoTB0VYQU1QTEUxHzAdBgNV BAMTFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDOlxlvYGfx1xGD9ZUMu1smdVJFbpvt+oQ6Sfk6S0fUgNe+vsr/ SYVGKvCAFPp+94I70auxFFO3XQhfn3ZKohfuOt1rGLPwYIx3sS4ldU6wWENGYZLi qA8yQJEGBldql7OKVfC0WCHkKS9b3BJBVqogz7BnO86nxN3g3cmzzWKSAt2Rp5jm YJT/Lr4xm5vKWtq+rdiDmc36LJ8Wi23tAfUyWoOodBxfYQBMPUGLMA7EaQwWm8oe vd7wljq3AsX4AWwdBPvsi9QvnSZKpSMZIJj94lSE6O0R3CkHWR0ZNVoBj/XpDqm2 I8ygswbObUeLzTnOJzs8rStvKf4/hNgD0rn/AgMBAAGjMzAxMBEGCWCGSAGG+EIB AQQEAwIABzAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwICBDANBgkqhkiG9w0B AQsFAAOCAQEAp1SAHv6qoWd30vEHSVLJwh/RKFh60Dj4ON29KtiploCxiwZk9tZa Klca+xbtEhK2pVV8UmiUzkbnqNpWB58i1bxoPP316En0DyqjTRodInKt5Y9Jpn89 OuL3o+hTYuQtkQqWknkqxpQi/rbzwEeqEfDcLOLPWbhp4yQXFZySJJPPMSsl0vNN 64ZJdmbzS0/1lNb86aHzoeBUvEwAcHCqnoN5/vXCk0P/DAImIXwugP2cjKH8V8DX ZEbIOznWyNmNq5gqSIYwt2RUREf6NUjXWWzayrVL2hBq90ukFtMuSf/Pka/Uk3HC MtQfIFm9RMdb8mdpQxqikxQ49G7pHT+zYA== -----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
This event is triggered when PKI client managed to establish a secure connection to PKI server successfully.
Properties:
- ClientIP: Client’s IP address
- ServerIP: Server’s IP address
- SubjectID: Client certificate’s subject DN
- Outcome: Success
For example, use CLI to authenticate as admin user:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.
This event is triggered when PKI client failed to establish a secure connection to PKI server.
Properties:
- ClientIP: Client’s IP address
- ServerIP: Server’s IP address
- SubjectID: Client certificate’s subject DN if known
- Outcome: Failure
- Info: <failure reason>
For example, configure CLI to use a cipher that is disabled on the server:
SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256" SSL_DEFAULT_CIPHERS="false"
Then execute a CLI command that uses SSL:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
The operation will fail and the server will generate the following log:
[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure
In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.
In PKI 10.5 the ACCESS_SESSION_ESTABLISH_SUCCESS and ACCESS_SESSION_ESTABLISH_FAILURE events are merged into the ACCESS_SESSION_ESTABLISH event.
This event is triggered when the secure connection between PKI client and PKI server is terminated.
Properties:
- ClientIP: Client’s IP address
- ServerIP: Server’s IP address
- SubjectID: Client certificate’s subject DN
- Outcome: Success
For example, use CLI to authenticate as admin user:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
The server will generate the following logs:
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
Since version 10.5 a RANDOM_GENERATION event will be generated for any random number generated on the server (including Random Certificate Serial Numbers). The event will include the information about the caller of the random number generator and the size of the random number in bytes.
By default only failed events will be logged. To log all events, change the filter in CS.cfg as follows:
log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=*)
then restart the server.
For example, submit a certificate request with this command:
$ pki -c Secret.123 client-cert-request uid=testuser
Then approve the request with this command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review 7 --action approve
During the approval process the server will generate an 8-byte nonce, which is generated from two 4-byte random numbers, so there will be two RANDOM_GENERATION events:
[AuditEvent=RANDOM_GENERATION][SubjectID=caadmin][Outcome=Success][Info=Caller;;com.netscape.cms.servlet.cert.CertRequestDAO.reviewRequest(CertRequestDAO.java:151)+Size;;4] Random number generation
[AuditEvent=RANDOM_GENERATION][SubjectID=caadmin][Outcome=Success][Info=Caller;;com.netscape.cms.servlet.cert.CertRequestDAO.reviewRequest(CertRequestDAO.java:151)+Size;;4] Random number generation
The Info attribute contains parameters separated by +, and each parameter is a name-value pair separated by ;;. So the above Info contains:
- Caller: com.netscape.cms.servlet.cert.CertRequestDAO.reviewRequest(CertRequestDAO.java:151)
- Size: 4
If Random Certificate Serial Numbers is enabled, there will be an additional RANDOM_GENERATION event:
[AuditEvent=RANDOM_GENERATION][SubjectID=caadmin][Outcome=Success][Info=Caller;;com.netscape.cmscore.dbs.CertificateRepository.getRandomNumber(CertificateRepository.java:192)+Size;;4] Random number generation
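The bracketed [Name=Value] layout and the + / ;; encoding used by ParamNameValPairs and Info on this page can be decoded and reviewed mechanically. The following Python code is an added example, not part of the PKI project: the function names, alert wording and threshold are assumptions, and the sample lines are constructed from the event formats shown above.

```python
import re
from collections import Counter

# A field is "[Name=Value]". A value may itself contain "]" or spaces, so a
# field ends only at a "]" followed by the next "[Name=", whitespace, or EOL.
FIELD_RE = re.compile(r"\[(\w+)=(.*?)\](?=\[\w+=|\s|$)", re.S)
# Heuristic: split on "+" only when a "name;;" follows, so a "+" inside a
# value (for example base64 in a pasted certificate) does not start a pair.
PAIR_SPLIT_RE = re.compile(r"\+(?=[^+;]+;;)")


def parse_event(line):
    """Return the [Name=Value] fields of one audit line as a dict."""
    return {name: value for name, value in FIELD_RE.findall(line)}


def parse_pairs(value):
    """Decode a ParamNameValPairs or Info value into a dict."""
    pairs = {}
    for item in PAIR_SPLIT_RE.split(value):
        name, sep, val = item.partition(";;")
        if sep:  # skips the empty segment left by a leading "+"
            pairs[name] = val
    return pairs


def review(lines, fail_threshold=2):
    """Return alert strings for a list of audit lines (assumed rules)."""
    alerts, failed = [], Counter()
    for line in lines:
        ev = parse_event(line)
        name = ev.get("AuditEvent")
        outcome = ev.get("Outcome", "").lower()
        subject = ev.get("SubjectID")
        params = parse_pairs(ev.get("ParamNameValPairs", ""))
        # PKI 10.5 renames AUTH_FAIL to AUTH and AUTHZ_FAIL to AUTHZ,
        # so the rules key on Outcome as well as on the event name.
        if name in ("AUTH_FAIL", "AUTH") and outcome == "failure":
            failed[ev.get("AttemptedCred", "?")] += 1
        elif name in ("AUTHZ_FAIL", "AUTHZ") and outcome == "failure":
            alerts.append(
                f"authz denied: {subject} {ev.get('Op')} {ev.get('aclResource')}")
        elif name == "CONFIG_SIGNED_AUDIT" and params.get("Action") == "disable":
            alerts.append(f"signed audit disabled by {subject}")
        elif name == "CONFIG_ROLE" and params.get("Operation") == "OP_ADD":
            alerts.append(
                f"{params.get('user')} added to {params.get('Resource')} by {subject}")
    for cred, count in failed.items():
        if count >= fail_threshold:
            alerts.append(f"{count} failed logins for {cred}")
    return alerts


# Constructed sample lines, modelled on the log examples on this page.
SAMPLE = [
    "[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure",
    "[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure",
    "[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure",
    "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;members+Operation;;OP_ADD+Resource;;Administrators+user;;testuser] role configuration parameter(s) change",
    "[AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=+Action;;disable] signed audit configuration parameter(s) change",
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```

The parser assumes each event arrives on one line with its fields in the bracketed form shown on this page; any prefix a deployment puts before the first field is ignored because it does not match the [Name=Value] pattern.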