Sun OpenSSO Enterprise 8.0 Administration Guide

Logging Features

The Logging Service has a number of special features which can be enabled for additional functionality.

Secure Logging

This optional feature adds security to the logging function. Secure Logging enables detection of unauthorized changes to, or tampering with, the security logs. No special coding is required to leverage this feature. Secure Logging is accomplished by using a preregistered certificate configured by the system administrator. A Manifest Analysis and Certification (MAC) is generated and stored for every log record. A special signature log record is periodically inserted that represents the signature for the contents of the log written to that point. The combination of the two record types ensures that the logs have not been tampered with. There are two methods to enable secure logging: through a Java Cryptography Extension (JCE) provider and through a Java Security Server (JSS) provider.


Note –

Secure logging can only be used for flat files. This option does not work for Database (DB) logging.


Procedure: To Enable Secure Logging through a JSS Provider

  1. Create a certificate with the name Logger and install it in the key store specified by the Logging Service configuration's Logging Certificate Store Location.

    The key store's password is expected to be the same as the top-level administrator password. The default location set during OpenSSO Enterprise configuration time is ConfigurationDirectory/uri/Logger.jks, where ConfigurationDirectory is the configuration directory, and uri is the OpenSSO deployment URI specified during OpenSSO configuration and deployment time. These tags are interpreted at run time, so that each deployed OpenSSO instance has its own key store. This is particularly useful when there are multiple OpenSSO instances per system. Information on getting certificates can be found in Obtaining Secure Socket Layer Certificates in Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0.

  2. Turn on Secure Logging in the Logging Service configuration using the OpenSSO Enterprise administration console and save the change. The administrator can also modify the default values for the other Logging Service attributes.

    If the logging directory is changed from the default /log directory, make sure that the directory is writable by the user ID under which the OpenSSO Enterprise web application is running. Also set the directory's permissions to 0700: if the directory does not exist, the Logging Service will create it with permissions set to 0755.

  3. Verify Secure Log Archives.

    To detect unauthorized changes to or tampering with the secure logs, look for error messages written by the Logging Service's periodic verification process to ConfigurationDirectory/uri/debug/amLog. To manually check for tampering, run the amverifyarchive command-line utility, which is included in the ssoAdminTools.zip file.

  4. Change the secure log helper from the JCE provider to the JSS provider.

    The default secure log helper provider is the JCE provider, com.sun.identity.log.secure.impl.SecureLogHelperJCEImpl, as specified by the iplanet-am-logging-secure-log-helper-class-name attribute in the iPlanetAMLoggingService's schema. Refer to the opensso/xml/amLogging.xml file from the opensso.zip file.

    To change to the JSS provider, use the ssoadm command-line utility:

    ./ssoadm set-attr-defs --servicename iPlanetAMLoggingService --schematype global --attributevalues iplanet-am-logging-secure-log-helper-class-name=com.sun.identity.log.secure.SecureLogHelperJSSImpl --adminid amadmin --password-file amadminpass

    To verify the change:

    ./ssoadm get-attr-defs --servicename iPlanetAMLoggingService --attributenames iplanet-am-logging-secure-log-helper-class-name --schematype global --adminid amadmin --password-file amadminpass
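The following pre-flight check covers steps 1 and 2 of the procedure above. It is an added example written for this page, not a tool shipped with OpenSSO Enterprise: it resolves the ConfigurationDirectory/uri/Logger.jks location from a configuration directory and deployment URI (both supplied by the caller), confirms the key store exists and is not readable by group or others (its password is the top-level administrator password), and checks that the log directory is mode 0700, owned by and writable by the user ID the check runs as, creating it with 0700 rather than the 0755 the service would use, or repairing the mode when asked to. The finding strings and the fix option are this example's own.

```python
"""Pre-flight checks for secure logging: locate the Logger key store at
ConfigurationDirectory/uri/Logger.jks and make sure the log directory has
the permissions the procedure asks for. Added example, not part of OpenSSO."""
import os
import stat
from pathlib import Path
from typing import List


def logger_keystore_path(config_dir: str, deployment_uri: str) -> Path:
    """ConfigurationDirectory/uri/Logger.jks, with the deployment URI
    (for example "/opensso") turned into a single path component."""
    return Path(config_dir) / deployment_uri.strip("/") / "Logger.jks"


def check_keystore(path: Path) -> List[str]:
    """The key store's password is the top-level admin password, so the
    file should not be accessible to anyone but the server's own user."""
    if not path.is_file():
        return [f"{path}: Logger key store not found"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is group/world accessible"]
    return []


def check_log_dir(path: str, fix: bool = False) -> List[str]:
    """Create the log directory with 0700 if missing (the Logging Service
    itself would create it 0755), then report, or with fix=True repair, a
    wrong mode; also report ownership and writability for the current uid,
    which should be the uid the web application runs as."""
    findings: List[str] = []
    d = Path(path)
    if not d.exists():
        d.mkdir(parents=True)
        d.chmod(0o700)          # explicit chmod: mkdir's mode is masked by umask
        findings.append(f"{d}: created with mode 0700")
    st = d.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o700:
        if fix:
            d.chmod(0o700)
            findings.append(f"{d}: mode {mode:04o} changed to 0700")
        else:
            findings.append(f"{d}: mode {mode:04o}, expected 0700")
    if st.st_uid != os.geteuid():
        findings.append(f"{d}: owned by uid {st.st_uid}, not uid {os.geteuid()}")
    if not os.access(d, os.W_OK | os.X_OK):
        findings.append(f"{d}: not writable by uid {os.geteuid()}")
    return findings


if __name__ == "__main__":
    # Assumed values for a stand-alone run; substitute the real ones.
    ks = logger_keystore_path("/opensso", "/opensso")
    for finding in check_keystore(ks) + check_log_dir("/opensso/opensso/log"):
        print(finding)
```

Run it as the same user ID the web application runs as; an empty result means both the key store and the log directory are in the state steps 1 and 2 require.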

Logging Level Attributes and Properties

There are attributes in the Logging Service configuration that affect logging output. The Log Status can be set to Inactive to disable all logging output. The Logging Level can be set to one of the java.util.logging.Level values other than the default INFO to get more or less detailed logging output.

Additionally, an individual log file's logging level can be specified in the Configuration > Servers and Sites > server-name > Advanced page. For a given log file, for example amSAML.access, add a property named iplanet-am-logging.amSAML.access.level with Property Value FINER (or any of the java.util.logging.Level values). The logging level specified here for the log file takes precedence over the Logging Service's Logging Level setting.

Database Logging

This feature provides logging to Oracle or MySQL databases. No special coding is required to enable this feature. In the Logging Service configuration (Configuration > System > Logging), set the Logging Type to DB, set the Database User Name, Database User Password, and Database Driver Name. oracle.jdbc.driver.OracleDriver is the default driver name set for Oracle. For MySQL, it is typically com.mysql.jdbc.Driver. Be sure to put the JDBC driver's .zip or .jar file in the OpenSSO Enterprise web application's classpath (for example, WEB-INF/lib or jre/lib/ext).

The DB Failure Memory Buffer Size specifies how many records per table to buffer if the connection to the database fails. If more records are queued before the connection is reestablished, older records will be discarded.
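The following is an added model of the buffering behaviour described above, written for this page; it is not OpenSSO's database logger. Records that cannot be written while the database connection is down are held in a per-table buffer of at most DB Failure Memory Buffer Size entries, the oldest entry is discarded when the buffer is full, and the buffer is replayed in order before new records once a write succeeds again. The FlakyDb sink, the ConnectionError signalling and the table and record names are constructed for the example.

```python
"""Model of the DB Failure Memory Buffer: while the database is down keep at
most N records per table in memory, discard the oldest when full, and replay
the buffer in order once a write succeeds. Added example, not OpenSSO code."""
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class DbLogger:
    def __init__(self, sink: Callable[[str, str], None], buffer_size: int) -> None:
        self.sink = sink                    # sink(table, record); raises ConnectionError when the DB is down
        self.buffer_size = buffer_size      # the DB Failure Memory Buffer Size, per table
        self.pending: Dict[str, Deque[str]] = {}
        self.dropped: Dict[str, int] = {}   # records discarded per table, for monitoring

    def log(self, table: str, record: str) -> bool:
        """Returns True if the record reached the database."""
        if self.pending.get(table):                 # still recovering: older records go first
            if not self._flush(table):
                self._buffer(table, record)
                return False
        try:
            self.sink(table, record)
            return True
        except ConnectionError:
            self._buffer(table, record)
            return False

    def _buffer(self, table: str, record: str) -> None:
        q = self.pending.setdefault(table, deque())
        if len(q) >= self.buffer_size:
            q.popleft()                             # the oldest queued record is discarded
            self.dropped[table] = self.dropped.get(table, 0) + 1
        q.append(record)

    def _flush(self, table: str) -> bool:
        """Replay queued records in order; stop at the first failure."""
        q = self.pending[table]
        while q:
            try:
                self.sink(table, q[0])
            except ConnectionError:
                return False
            q.popleft()
        return True


class FlakyDb:
    """Constructed stand-in for the database: the first fail_first writes fail."""

    def __init__(self, fail_first: int) -> None:
        self.fail_first = fail_first
        self.calls = 0
        self.rows: List[Tuple[str, str]] = []

    def write(self, table: str, record: str) -> None:
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("database connection lost")
        self.rows.append((table, record))
```

With a buffer of 2 and three consecutive failed writes, the first record is lost for good: the buffer size should be chosen from the expected outage length and event rate of each table, and the dropped counter is what to alert on.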


Note –

The ssoadm command line interface cannot log to the database directly. In addition to adding the JDBC driver to the web application's classpath, remove the -D"com.sun.identity.log.dir=<the_specified_log_dir>" option.


Remote Logging

OpenSSO Enterprise supports remote logging. This allows a remote client application using the OpenSSO client SDK, or another OpenSSO Enterprise server (in the same Site) to use an OpenSSO Enterprise server's Logging Services.

Remote Client Logging

A remote client using the OpenSSO Enterprise client SDK may log to an OpenSSO Enterprise server. For example, the OpenSSO Enterprise client SDK samples refer to the samples/sdk/resources/AMConfig.properties file set up by the samples/sdk/scripts/setup.sh script. In particular, the com.iplanet.am.naming.url property's value points to the target OpenSSO Enterprise server's Naming Service, which provides the location of the Logging Service. In order for the remote client to successfully log to the target OpenSSO Enterprise server, the entity making the logging request must have Log Writing permission on the target OpenSSO Enterprise server.

Remote OpenSSO Enterprise Server Logging

Another OpenSSO Enterprise server may use an OpenSSO Enterprise server's Logging Services if both are in the same Site. The remote OpenSSO Enterprise server sets its Logging Service URL in the administration console (Configuration > System > Naming) to the target OpenSSO Enterprise server's Logging Service, by changing the attribute's protocol, host, port, and uri values accordingly. The trailing loggingservice path component does not usually need to be changed.