Sun Java System Access Manager 7 2005Q4 Administration Guide

ProcedureTo Enable Secure Logging

  1. Create a certificate with the name Logger and install it in the deployment container running Access Manager. See the documentation for the deployment container for details.

  2. Turn on Secure Logging in the Logging Service configuration using the Access Manager console and save the change. The administrator can also modify the default values for the other attributes in the Logging Service.

    If the logging directory is changed from the default (/var/opt/SUMWam/logs), make sure that the permissions are set to 0700. The logging service will create the directory, if it does not exist, but it will create the directory with permissions set to 0755.

    Additionally, if you specify a different directory from the default, you must change the following parameter to the new directory in the web container's server.policy file:

    permission “/var/opt/SUNWam/logs/*”,”delete,write”

  3. Create a file in the AccessManager-base/SUNWam/config directory that contains the certificate database password and name it .wtpass.

    Note –

    The file name and the path to it is configurable in the file. For more information see the "Certificate Database" in Appendix A, File.

    Ensure that the deployment container user is the only administrator with read permissions to this file for security reasons.

  4. Restart the server.

    The secure log directory should be cleared, as some misleading verification errors may be written to the /var/opt/SUNWam/debug/amLog file when the secure logging was started.

    To detect unauthorized changes or tampering of the security logs, look for error messages that are written by the verification process to /var/opt/SUNWam/debug/amLog. To manually check for tampering, run the VerifyArchive utility. See Chapter 19, The VerifyArchive Command Line Tool for more information.