Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Enable Secure Logging through a JSS Provider

  1. Create a certificate with the name Logger and install it in the key store specified by the Logging Service configuration's Logging Certificate Store Location.

    The key store's password is expected to be the same as the top-level administrator password. The default location set during OpenSSO Enterprise configuration time is ConfigurationDirectory/uri/Logger.jks/, where ConfigurationDirectory is the configuration directory and uri is the OpenSSO deployment URI specified during OpenSSO configuration and deployment time. These tags are interpreted at run time, so that each deployed OpenSSO instance has its own key store. This is particularly useful when there are multiple OpenSSO instances per system. Information on getting certificates can be found in Obtaining Secure Socket Layer Certificates in Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0.

  2. Turn on Secure Logging in the Logging Service configuration using the OpenSSO Enterprise administration console and save the change. The administrator can also modify the default values for the other Logging Service attributes.

    If the logging directory is changed from the default /log directory, make sure that the directory is writable by the user ID under which the OpenSSO Enterprise web application runs. Also set the directory's permissions to 0700: if the directory does not exist, the Logging Service creates it with permissions set to 0755.

  3. Verify Secure Log Archives.

    To detect unauthorized changes or tampering of the secure logs, look for error messages that are written by the Logging Service's periodic verification process to ConfigurationDirectory/uri/debug/amLog. To manually check for tampering, run the amverifyarchive command-line utility, which is included in the ssoAdminTools.zip file.

  4. Change from a JCE Provider to a JSS Provider.

    The default secure log helper provider is the JCE provider, com.sun.identity.log.secure.impl.SecureLogHelperJCEImpl, as specified by the iplanet-am-logging-secure-log-helper attribute in the iPlanetAMLoggingService's schema. Refer to the opensso/xml/amLogging.xml file from the opensso.zip file.

    To change to the JSS provider, use the ssoadm command-line utility:

    ./ssoadm set-attr-defs --servicename iPlanetAMLoggingService --schematype global --attributevalues iplanet-am-logging-secure-log-helper-class-name=com.sun.identity.log.secure.SecureLogHelperJSSImpl --adminid amadmin --password-file amadminpass

    To verify the change:

    ./ssoadm get-attr-defs --servicename iPlanetAMLoggingService --attributenames iplanet-am-logging-secure-log-helper-class-name --schematype global --adminid amadmin --password-file amadminpass
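The following shell helpers wrap steps 2 and 4 of the procedure: a check that a custom log directory meets the 0700 and ownership requirements, and a wrapper that switches the helper class to JSS and reads the attribute back. This is an added example, not part of the guide or of the OpenSSO distribution; it assumes ssoadm prints get-attr-defs results as name=value lines and that SSOADM and PASSWORD_FILE point at a real deployment when switch_to_jss is run.

```shell
#!/bin/sh
# Added example (not from the OpenSSO guide). Assumptions: ssoadm is on the path
# given by SSOADM, and get-attr-defs prints one "attribute=value" line per attribute.
set -u

SSOADM="${SSOADM:-./ssoadm}"                 # path to the ssoadm CLI (assumption)
PASSWORD_FILE="${PASSWORD_FILE:-amadminpass}"  # amadmin password file, as in the guide
LOGGING_SERVICE="iPlanetAMLoggingService"
HELPER_ATTR="iplanet-am-logging-secure-log-helper-class-name"
JSS_HELPER="com.sun.identity.log.secure.SecureLogHelperJSSImpl"

# Step 2 check: a custom log directory must be mode 0700 and owned by the
# account the OpenSSO web application runs as. Returns non-zero on any mismatch.
check_log_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing log dir: $dir" >&2; return 1; }
    entry=$(ls -ld "$dir")
    mode=$(printf '%s' "$entry" | cut -c1-10)        # e.g. drwx------
    got_owner=$(printf '%s' "$entry" | awk '{print $3}')
    [ "$mode" = "drwx------" ] || { echo "want 0700, got $mode on $dir" >&2; return 1; }
    [ "$got_owner" = "$owner" ] || { echo "want owner $owner, got $got_owner" >&2; return 1; }
}

# Reads ssoadm get-attr-defs output on stdin; succeeds only if the JSS helper is configured.
helper_is_jss() {
    grep -q "^${HELPER_ATTR}=${JSS_HELPER}\$"
}

# Step 4: set the helper class to JSS, then confirm by reading the attribute back.
switch_to_jss() {
    "$SSOADM" set-attr-defs --servicename "$LOGGING_SERVICE" --schematype global \
        --attributevalues "${HELPER_ATTR}=${JSS_HELPER}" \
        --adminid amadmin --password-file "$PASSWORD_FILE" || return 1
    "$SSOADM" get-attr-defs --servicename "$LOGGING_SERVICE" --schematype global \
        --attributenames "$HELPER_ATTR" \
        --adminid amadmin --password-file "$PASSWORD_FILE" | helper_is_jss
}
```

Run check_log_dir against the directory configured in the Logging Service before restarting the web application; switch_to_jss exits non-zero if set-attr-defs fails or the read-back does not show the JSS class.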