Sun Java System Access Manager 7.1 Administration Guide

Secure Logging

This optional feature adds additional security to the logging function. Secure Logging enables detection of unauthorized changes to, or tampering with, the security logs. No special coding is required to use this feature. Secure Logging is accomplished by using a pre-registered certificate configured by the system administrator. A message authentication code (MAC) is generated and stored for every log record, and a special "signature" log record is periodically inserted that represents the signature for the contents of the log written to that point. The combination of the two record types makes modification, insertion or deletion of records detectable. There are two methods to enable secure logging: through a Java Security Server (JSS) provider and through a Java Cryptography Extension (JCE) provider.
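The following is an added example, not Access Manager's own code, of how the per-record MAC and the periodic signature record described above work together. The record layout, the chaining rule (each MAC covers the previous MAC plus the message), the signature interval and the keys are assumptions made for this illustration; the real service derives its keys from the Logger certificate and uses its own record format. An HMAC under a second key stands in for the certificate-based signature so that the example runs with the standard library only.

```python
# Added example (not Access Manager's own code): a minimal model of a
# tamper-evident log. Every log record carries a MAC chained to the previous
# record's MAC; every RECORDS_PER_SIGNATURE records a "signature" record is
# inserted that covers everything written so far. Keys, record format,
# chaining rule and interval are assumptions made for this illustration.
import hashlib
import hmac
import json

RECORDS_PER_SIGNATURE = 3   # assumed interval for the example


class SecureLogWriter:
    def __init__(self, mac_key: bytes, sig_key: bytes):
        self.mac_key = mac_key
        self.sig_key = sig_key           # stand-in for the Logger certificate's signing key
        self.records = []                # the log file: one JSON line per record
        self.prev_mac = b""              # chain value: MAC of the previous log record
        self.running = hashlib.sha256()  # digest of every line written so far
        self.count = 0

    def write(self, message: str) -> None:
        mac = hmac.new(self.mac_key, self.prev_mac + message.encode(),
                       hashlib.sha256).hexdigest()
        self._append({"type": "log", "msg": message, "mac": mac})
        self.prev_mac = bytes.fromhex(mac)
        self.count += 1
        if self.count % RECORDS_PER_SIGNATURE == 0:
            self._append({"type": "signature", "sig": self._signature()})

    def _signature(self) -> str:
        # Covers the log up to (not including) the signature record itself.
        digest = self.running.hexdigest().encode()
        return hmac.new(self.sig_key, digest, hashlib.sha256).hexdigest()

    def _append(self, rec: dict) -> None:
        line = json.dumps(rec, sort_keys=True)
        self.records.append(line)
        self.running.update(line.encode() + b"\n")


def verify(lines: list, mac_key: bytes, sig_key: bytes) -> tuple:
    """Replay the chain and every signature. Returns (ok, reason) for the first failure."""
    prev_mac = b""
    running = hashlib.sha256()
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except ValueError:
            return False, f"record {i}: not parseable"
        if rec.get("type") == "log":
            expected = hmac.new(mac_key, prev_mac + rec.get("msg", "").encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("mac", "")):
                return False, f"record {i}: MAC mismatch (edited, or an earlier record deleted/reordered)"
            prev_mac = bytes.fromhex(rec["mac"])
        elif rec.get("type") == "signature":
            expected = hmac.new(sig_key, running.hexdigest().encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("sig", "")):
                return False, f"record {i}: signature mismatch (log altered before this point)"
        else:
            return False, f"record {i}: unknown record type"
        running.update(line.encode() + b"\n")
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: an intact log, then three kinds of interference."""
    mac_key, sig_key = b"constructed-mac-key", b"constructed-signing-key"
    w = SecureLogWriter(mac_key, sig_key)
    for msg in ["LOGIN_SUCCESS user=alice", "LOGIN_SUCCESS user=bob",
                "POLICY_EVAL deny user=alice", "LOGOUT user=alice",
                "LOGIN_FAILED user=alice", "LOGIN_FAILED user=alice",
                "LOGIN_FAILED user=alice"]:          # constructed sample events
        w.write(msg)
    intact = list(w.records)                         # 7 log records + 2 signature records

    edited = list(intact)
    edited[0] = edited[0].replace("alice", "mallory")  # rewrite a record in place
    deleted = intact[:1] + intact[2:]                   # drop one record in the middle
    truncated = intact[:-1]                             # drop the record after the last signature

    return {
        "intact": verify(intact, mac_key, sig_key)[0],
        "edited": verify(edited, mac_key, sig_key)[0],
        "deleted": verify(deleted, mac_key, sig_key)[0],
        "truncated": verify(truncated, mac_key, sig_key)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Editing or deleting a record breaks the MAC chain at the next record and is reported; the signature record additionally pins down everything before it, so an attacker cannot simply re-chain the records after a deletion without the signing key. The one thing this scheme cannot see is truncation of records written after the most recent signature record (the `truncated` case still verifies), which is why the signature record is inserted periodically and why the keys behind the Logger certificate must not be readable by anyone who can write the log files.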

Procedure: To Enable Secure Logging through a JSS Provider

  1. Create a certificate with the name Logger and install it in the deployment container running Access Manager.

    For instructions for Application Server, see Working with Certificates and SSL in the Sun Java System Application Server Enterprise Edition 8.2 Administration Guide.

    For instructions for Web Server, see Managing Certificates in the Sun Java System Web Server 7.0 Administrator's Guide.

  2. Turn on Secure Logging in the Logging Service configuration using the Access Manager console and save the change. The administrator can also modify the default values for the other attributes in the Logging Service.

    If the logging directory is changed from the default (/var/opt/SUNWam/logs), make sure that its permissions are set to 0700. The logging service creates the directory if it does not exist, but it creates it with permissions set to 0755, so create the directory (or correct its mode) yourself before starting the server.

    Additionally, if you specify a different directory from the default, you must change the following entry in the web container's server.policy file to the new directory:

    permission java.io.FilePermission "/var/opt/SUNWam/logs/*","delete,write";

  3. Create a file named .wtpass in the AccessManager-base/SUNWam/config directory that contains the certificate database password.


    Note –

    The file name and the path to it are configurable in the AMConfig.properties file. For more information, see "Certificate Database" in the AMConfig.properties file reference chapter of the Access Manager Administration Reference.

    For security reasons, ensure that the deployment container user is the only user with read permission on this file (for example, mode 0400 and owned by that user).


  4. Restart the server.

    Clear the secure log directory before the restart; otherwise the verification process may write misleading verification errors to /var/opt/SUNWam/debug/amLog when secure logging starts.

    To detect unauthorized changes or tampering of the security logs, look for error messages that are written by the verification process to /var/opt/SUNWam/debug/amLog. To manually check for tampering, run the VerifyArchive utility. See The VerifyArchive command line chapter in the Access Manager Administration Reference for more information.

Procedure: To Enable Secure Logging Through a JCE Provider

  1. Create a certificate named Logger with the Java keytool command and store it in a JKS keystore. For example:

    JAVA-HOME/jre/lib/security/Logger.jks

    For instructions for Application Server, see Working with Certificates and SSL in the Sun Java System Application Server Enterprise Edition 8.2 Administration Guide.

    For instructions for Web Server, see Managing Certificates in the Sun Java System Web Server 7.0 Administrator's Guide.

  2. Turn on Secure Logging in the Logging Service configuration using the Access Manager console and save the change. The administrator can also modify the default values for the other attributes in the Logging Service.

    If the logging directory is changed from the default (/var/opt/SUNWam/logs), make sure that its permissions are set to 0700. The logging service creates the directory if it does not exist, but it creates it with permissions set to 0755, so create the directory (or correct its mode) yourself before starting the server.

    Additionally, if you specify a different directory from the default, you must change the following entry in the web container's server.policy file to the new directory:

    permission java.io.FilePermission "/var/opt/SUNWam/logs/*","delete,write";

  3. Create a file named .wtpass in the AccessManager-base/SUNWam/config directory that contains the JKS keystore password.


    Note –

    The file name and the path to it are configurable in the AMConfig.properties file. For more information, see "Certificate Database" in the AMConfig.properties file reference chapter of the Access Manager Administration Reference.

    For security reasons, ensure that the deployment container user is the only user with read permission on this file (for example, mode 0400 and owned by that user).


  4. Edit the following entries in amLogging.xml, located in the AccessManager-base/config/xml directory, so that the secure log helper is the JCE implementation and the certificate store points at the Logger keystore created in step 1:


    sun-am-logging-secure-log-helper

        <AttributeSchema name="iplanet-am-logging-secure-log-helper"
            type="single"
            syntax="string"
            i18nKey="">
            <DefaultValues>
                <Value>com.sun.identity.log.secure.impl.SecureLogHelperJCEImpl</Value>
            </DefaultValues>
        </AttributeSchema>

    sun-am-logging-secure-certificate-store

        <AttributeSchema name="iplanet-am-logging-secure-certificate-store"
            type="single"
            syntax="string"
            i18nKey="">
            <DefaultValues>
                <Value>/dir-to-signing-cert-store/Logger.jks</Value>
            </DefaultValues>
        </AttributeSchema>

  5. Delete the existing service schema, iPlanetAMLoggingService, using the amadmin command line tool. For example:

    ./amadmin -u amadmin -w netscape -r iPlanetAMLoggingService

  6. Load the edited amLogging.xml into Access Manager using the amadmin command line tool. For example:

    ./amadmin -u amadmin -w netscape -s /etc/opt/SUNWam/config/xml/amLogging.xml

    The examples pass the amadmin password on the command line (-w), where it is visible in the process list and shell history; on a shared host, supply it through amadmin's password file option (--passwordfile, -f) instead.

  7. Restart the server.

    To detect unauthorized changes or tampering of the security logs, look for error messages that are written by the verification process to /var/opt/SUNWam/debug/amLog. To manually check for tampering, run the VerifyArchive utility. See The VerifyArchive command line chapter in the Access Manager Administration Reference for more information.
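Steps 2 and 3 of both procedures above impose the same three conditions: the secure log directory must be mode 0700 (the service would create it 0755), .wtpass must be readable only by the deployment container user, and a non-default log directory needs its own FilePermission entry in server.policy. The script below is an added pre-flight check for those conditions; it is not part of the Access Manager distribution. The directory path, the .wtpass path, the container uid and the server.policy text are parameters, and the demo at the bottom runs the checks against a constructed temporary layout rather than a real installation.

```python
# Added example (not part of Access Manager): pre-flight checks for the
# log-directory mode, the .wtpass file and the server.policy entry required by
# steps 2 and 3 of both Secure Logging procedures. Paths and uid are parameters.
import os
import re
import stat
import tempfile

# One "permission java.io.FilePermission "<target>","<actions>";" entry.
POLICY_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;?')


def check_log_dir(path: str) -> list:
    """The service creates a missing directory with 0755; the guide requires 0700."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist; create it with mode 0700 before starting"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    return [] if mode == 0o700 else [f"{path}: mode {mode:04o}, expected 0700"]


def check_wtpass(path: str, container_uid: int) -> list:
    """.wtpass holds the keystore / certificate DB password: owner-only, owned by the container user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is readable by group/other; use 0400")
    if st.st_uid != container_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected container uid {container_uid}")
    return problems


def check_server_policy(policy_text: str, log_dir: str) -> list:
    """A non-default log directory needs a FilePermission granting delete and write on dir/*."""
    wanted = log_dir.rstrip("/") + "/*"
    for m in POLICY_RE.finditer(policy_text):
        target = m.group(1)
        actions = {a.strip() for a in m.group(2).split(",")}
        if target == wanted and {"delete", "write"} <= actions:
            return []
    return [f'server.policy: missing permission java.io.FilePermission "{wanted}","delete,write";']


def run_checks(log_dir: str, wtpass: str, container_uid: int, policy_text: str) -> list:
    """All problems found; an empty list means the deployment is ready to restart."""
    return (check_log_dir(log_dir) + check_wtpass(wtpass, container_uid)
            + check_server_policy(policy_text, log_dir))


def demo() -> dict:
    """Constructed layout under a temp dir: first as a careless setup leaves it, then corrected."""
    base = tempfile.mkdtemp()
    log_dir = os.path.join(base, "securelogs")     # a non-default log directory
    os.mkdir(log_dir)
    os.chmod(log_dir, 0o755)                        # what the service itself would create
    wtpass = os.path.join(base, ".wtpass")
    with open(wtpass, "w") as f:
        f.write("constructed-password\n")           # constructed, not a real password
    os.chmod(wtpass, 0o644)
    policy = 'permission java.io.FilePermission "/var/opt/SUNWam/logs/*","delete,write";\n'
    uid = os.getuid()                               # this process stands in for the container user

    before = run_checks(log_dir, wtpass, uid, policy)

    os.chmod(log_dir, 0o700)
    os.chmod(wtpass, 0o400)
    policy = policy.replace("/var/opt/SUNWam/logs/*", log_dir + "/*")
    after = run_checks(log_dir, wtpass, uid, policy)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, problems in demo().items():
        print(phase, problems or "OK")
```

Run it as the deployment container user, or pass that user's uid, against the real paths before the restart in step 4 (JSS) or step 7 (JCE). For the JCE procedure the keystore itself can be created beforehand with, for example, keytool -genkeypair -alias Logger -keyalg RSA -keystore Logger.jks, and it deserves the same owner-only permissions as .wtpass.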