Create a certificate with the name Logger and install it in the deployment container running Access Manager.
For instructions for Application Server, see Working with Certificates and SSL in the Sun Java System Application Server Enterprise Edition 8.2 Administration Guide.
For instructions for Web Server, see Managing Certificates in the Sun Java System Web Server 7.0 Administrator’s Guide.
Turn on Secure Logging in the Logging Service configuration using the Access Manager console and save the change. The administrator can also modify the default values for the other attributes in the Logging Service.
If the logging directory is changed from the default (/var/opt/SUNWam/logs), make sure that the permissions are set to 0700. The logging service creates the directory if it does not exist, but it creates it with permissions set to 0755.
Additionally, if you specify a different directory from the default, you must change the following parameter to the new directory in the web container's server.policy file:
permission java.io.FilePermission "/var/opt/SUNWam/logs/*", "delete,write";
Create a file in the AccessManager-base/SUNWam/config directory that contains the certificate database password and name it .wtpass.
The file name and the path to it are configurable in the AMConfig.properties file. For more information, see "Certificate Database" in the AMConfig.properties file reference chapter of the Access Manager Administration Reference.
For security reasons, ensure that the deployment container user is the only administrator with read permissions to this file.
Restart the server.
The secure log directory should be cleared, because some misleading verification errors may have been written to the /var/opt/SUNWam/debug/amLog file when secure logging was started.
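The permission requirements in the steps above (log directory set to 0700, password file readable only by the deployment container user) can be checked from the shell. The following functions are an added example, not part of Access Manager or its documentation; the log directory, password file path, and container user name are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit the permissions required by the secure logging steps.
# Not an Access Manager tool; paths and user name are supplied by the caller.

# Print the 9-character permission string (e.g. rwx------) of a path.
# ls -ld is used instead of stat(1) so the check is portable.
perm_string() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Print the owner of a path as reported by ls.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_log_dir DIR: succeed only if DIR exists with mode 0700.
# A directory auto-created by the logging service (0755) fails this check.
check_log_dir() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
    p=$(perm_string "$1")
    if [ "$p" != "rwx------" ]; then
        echo "FAIL: $1 is $p, expected rwx------ (chmod 0700)"
        return 1
    fi
    echo "OK: $1 is 0700"
}

# check_password_file FILE USER: succeed only if FILE is owned by USER
# and grants nothing to group or other.
check_password_file() {
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    p=$(perm_string "$1")
    o=$(owner_of "$1")
    case "$p" in
        r??------) ;;
        *) echo "FAIL: $1 is $p, expected owner-only read access"; return 1 ;;
    esac
    [ "$o" = "$2" ] || { echo "FAIL: $1 is owned by $o, expected $2"; return 1; }
    echo "OK: $1 is readable only by $2"
}

# Stand-alone use: sh audit.sh LOG_DIR PASSWORD_FILE CONTAINER_USER
if [ "$#" -eq 3 ]; then
    rc=0
    check_log_dir "$1" || rc=1
    check_password_file "$2" "$3" || rc=1
    exit "$rc"
fi
```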
To detect unauthorized changes to or tampering with the security logs, look for error messages that are written by the verification process to /var/opt/SUNWam/debug/amLog. To manually check for tampering, run the VerifyArchive utility. See the VerifyArchive command line chapter in the Access Manager Administration Reference for more information.