iPlanet Trustbase Transaction Manager 2.2.1 Developer Guide



Chapter 7   Identrus logging


The Identrus Transaction Coordinator specifications identify two specific logging actions, these being:

  • Logging of all messages sent and received by the Transaction Coordinator (Raw logging)

  • Generation of data for billing purposes


Overview

The iPlanet Trustbase Transaction Manager fulfils both of these requirements as a default action of processing an Identrus message. The data is stored within the RDBMS specified at installation time, and the tables are available to developers via standard JDBC so that services can be built on this information. The following sections define the tables stored in the RDBMS and identify the relationships between them. The iPlanet Trustbase Transaction Manager writes to all of the tables described below for every Identrus message; there should be no requirement for a developer to write to any of these tables.


Data definitions




Connection information

The SSL proxy and the SMTP mail listener both log data about the connections made through them. Table 7-1 provides the column definitions for the SSL Proxy:

Table 7-1    SSL Connection (ssl_connection table)

  ConnectionId             Unique connection identifier
  ClientCertIssuerDN       The connecting client's certificate issuer DN
  ClientCertSerialNumber   The connecting client's certificate serial number
  CipherSuite              The cipher suite used for the SSL session
  ConnectTime              The time at which the connection was made; this is an Oracle DateTime field
  TimeStampType            The type of timestamp
  ConnectIPAddr            The connecting client's IP address
  ConnectionFailed         Integer value indicating whether the connection failed; a value of 1 indicates a failure
  ConnectionFailedReason   If a failure occurred, the SSL error code

The tables below provide the column definitions for the SMTP/SMIME connection logs. The data in Table 7-2 is extracted from the SMIME v2 signature body part of the message.

Table 7-2    SMIME Transport (smime_transport table)

  ConnectionId              Provides a link back to the smtp_message table
  peer_issuer_dn            The issuer_dn of the certificate that was used to verify the message
  peer_cert_serial_number   The serial number of the certificate used to verify the message
  message_protection        The type of protection used to secure the message
  time_stamp_type           The type of timestamp, LOCAL or NETWORK
  time_stamp                The time at which the entry was made

Table 7-3    SMTP Connection (smtp_connection table)

  stream_id       Provides a link back to the smtp_message table
  peer_ip_addr    The IP address of the submitting SMTP agent
  timestamptype   The type of timestamp, LOCAL or NETWORK
  timestamp       The time at which the entry was made

Table 7-4    SMTP Message (smtp_message table)

  stream_id                A unique id for the smime_transport
  connection_id            A unique id for the SMTP connection
  recipients               The recipients of this message
  sender                   The sender of this message
  timestamptype            The type of timestamp, LOCAL or NETWORK
  message_valid            Is the message valid? 1 indicates it is valid
  message_invalid_reason   The reason for the invalidity of the message
  timestamp                The date and time at which the entry was made

The ssl_connection and smtp_message tables both carry a connection id (ConnectionId and connection_id respectively) that is passed to the iPlanet Trustbase Transaction Manager running in the application server. This connection id is stored in the connectionid column of the raw log table, allowing queries that link the originator information (client certificate, IP address, SMTP sender) with the actual requests made.
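As an added example (not code from this guide or from the product), the following Python builds an in-memory SQLite copy of the ssl_connection and raw_data tables using the column names from Tables 7-1 and 7-6, loads constructed sample rows, and joins each inbound raw-log record back to the SSL connection that carried it. The column types, the SQLite schema and the sample values are assumptions; the same SELECT can be issued over JDBC against the installed RDBMS.

```python
import sqlite3

# Constructed in-memory schema using column names from Tables 7-1 and 7-6.
# Column types and key choices are assumptions for this example.
SCHEMA = """
CREATE TABLE ssl_connection (
    ConnectionId TEXT PRIMARY KEY, ClientCertIssuerDN TEXT,
    ClientCertSerialNumber TEXT, ConnectIPAddr TEXT, ConnectionFailed INTEGER);
CREATE TABLE raw_data (
    recordmarker INTEGER PRIMARY KEY, msgid TEXT, doctype TEXT,
    connectionid TEXT, protocoltype TEXT, input INTEGER);
"""

# Constructed sample rows: one accepted TLS client and one failed handshake
# that never produced a raw-log record.
SSL_ROWS = [
    ("c-1001", "CN=Example CA,O=Example,C=US", "0A1B2C", "192.0.2.10", 0),
    ("c-1002", "CN=Example CA,O=Example,C=US", "0A1B2D", "192.0.2.11", 1),
]
RAW_ROWS = [
    (1, "msg-1", "CSCRequest", "c-1001", "HTTP", 1),   # inbound request
    (2, "msg-2", "CSCResponse", "c-1001", "HTTP", 0),  # outbound reply
]

# Link each inbound raw-log record to the SSL connection that carried it, so a
# service can see which client certificate originated a given request.
LINK_QUERY = """
SELECT r.msgid, r.doctype, s.ClientCertIssuerDN, s.ClientCertSerialNumber, s.ConnectIPAddr
FROM raw_data r JOIN ssl_connection s ON s.ConnectionId = r.connectionid
WHERE r.input = 1 AND r.protocoltype = 'HTTP'
ORDER BY r.recordmarker
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ssl_connection VALUES (?,?,?,?,?)", SSL_ROWS)
    conn.executemany("INSERT INTO raw_data VALUES (?,?,?,?,?,?)", RAW_ROWS)
    return conn

def inbound_requests_with_origin(conn):
    """Return (msgid, doctype, issuer DN, serial, client IP) per inbound HTTP message."""
    return conn.execute(LINK_QUERY).fetchall()

if __name__ == "__main__":
    for row in inbound_requests_with_origin(build_db()):
        print(row)
```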

Table 7-5    OCSP (ocsp_data table)

  ocspid      A unique identifier for the record
  type        OCSPREQUEST or OCSPRESPONSE
  message     A text summary of the contents of the request or response
  machine     The URL to which the request was submitted or from which the response was received
  timestamp   The date and time at which the entry was made
  data        Base64 encoding of the request or response


Raw log tables

The default presentation handlers for Identrus messages record the following data for each message that is sent or received:

Table 7-6    Raw log (raw_data table)

  Sessionid                   The id of the raw log session that wrote this record
  Logconnectionid             The id of the connection within the session
  Recordid                    The id of the record within the connection
  msggrpid                    The Identrus MsgGrpId from the NIB of the message
  msgid                       The Identrus MsgId from the NIB of the message
  doctype                     The DOCTYPE of the message, e.g. CSCRequest, PingRequest
  recordmarker                A unique, monotonically increasing identifier
  connectionid                The connection id that links this record to the SSL or SMIME connection logs
  protocoltype                The protocol over which the message arrived, e.g. HTTP or SMTP
  input                       Was this message inbound to the iPlanet Trustbase Transaction Manager or outbound? A value of 1 indicates it was incoming
  timestamp                   An integer representing the UNIX time at which the record was logged
  rawdata                     The Identrus message XML, without the CertBundle fields. The certificates from the bundle are logged separately in the cert_data table
  digestofrecord              A SHA-1 digest of this record
  signeddigestofcalculation   An RSA signature over this record and data from the previous record
  servercertissuerdn          The issuer DN of the certificate used to verify the signature
  servercertserialnumber      The serial number of the certificate used to verify the signature

In order to reduce the volume of data logged with each Identrus message, the certificates contained within the message header are stripped out and stored in a certificate table. If the iPlanet Trustbase Transaction Manager has already logged a particular certificate in the table it will not be logged again. The information stored within the table is:

Table 7-7    Certdata (cert_data table)

  IssuerDN       The issuer distinguished name of the certificate, as an RFC 2253 format string
  SerialNumber   The serial number of the certificate
  CertData       The Base64 certificate data

This data is designed to be tamper evident, and services should under no circumstances modify data within the Raw Log or Tamper tables. Tamper checking is achieved by producing a continuous hash that is stored with each record; the current value of that hash is held in a signed record in a separate tamper table. The Tamper table fields are not described here; see the Installation and Configuration Guide for information on how to check the tamper status of records in the raw log.
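To illustrate why a continuous (chained) hash makes the raw log tamper evident, here is an added Python example that is not the product's own algorithm: each record's SHA-1 digest covers the previous record's digest as well as its own fields, and the final digest plays the role of the anchor kept in the signed tamper-table record. The canonical field serialisation, the sample records and the use of a bare hex digest as the anchor are assumptions for this example; the product's RSA signature over the anchor (signeddigestofcalculation) is not modelled.

```python
import hashlib

# Constructed raw_data-style records using field names from Table 7-6. The real
# serialisation hashed by the product is not documented on this page; the "|"-joined
# canonical form below is an assumption made for this illustration.
def canonical(record):
    return "|".join(str(record[k]) for k in ("recordmarker", "msgid", "doctype", "input", "timestamp", "rawdata")).encode()

def chain_digest(prev_digest, record):
    """Continuous hash: SHA-1 over the previous record's digest plus this record's fields."""
    return hashlib.sha1(prev_digest + canonical(record)).hexdigest()

def write_log(messages):
    """Append records, storing the running digest with each one (digestofrecord)."""
    log, prev = [], b""
    for i, (msgid, doctype, inbound, ts, xml) in enumerate(messages, 1):
        rec = {"recordmarker": i, "msgid": msgid, "doctype": doctype, "input": inbound, "timestamp": ts, "rawdata": xml}
        rec["digestofrecord"] = chain_digest(prev, rec)
        prev = bytes.fromhex(rec["digestofrecord"])
        log.append(rec)
    return log

def verify_log(log, anchor):
    """Recompute the chain; return (ok, first_bad_recordmarker). 'anchor' stands in for
    the current digest the product keeps in the signed tamper-table record."""
    prev = b""
    for rec in log:
        if chain_digest(prev, rec) != rec["digestofrecord"]:
            return False, rec["recordmarker"]
        prev = bytes.fromhex(rec["digestofrecord"])
    return (prev.hex() == anchor), None

SAMPLE = [("m1", "PingRequest", 1, 987654321, "<PingRequest/>"),
          ("m2", "PingResponse", 0, 987654322, "<PingResponse/>"),
          ("m3", "CSCRequest", 1, 987654330, "<CSCRequest>...</CSCRequest>")]

def demo():
    log = write_log(SAMPLE)
    anchor = log[-1]["digestofrecord"]
    intact = verify_log(log, anchor)
    log[1]["rawdata"] = "<PingResponse status='altered'/>"   # modify one stored record
    tampered = verify_log(log, anchor)
    # Even if the stored digests are recomputed to match the altered record, the
    # chain no longer ends at the anchor held in the signed tamper record.
    for j, rec in enumerate(log):
        rec["digestofrecord"] = chain_digest(b"" if j == 0 else bytes.fromhex(log[j - 1]["digestofrecord"]), rec)
    rechained = verify_log(log, anchor)
    return intact, tampered, rechained
```

demo() returns (True, None) for the untouched log, (False, 2) once record 2 is altered, and (False, None) after the digests are recomputed, showing that detection ultimately rests on the separately signed anchor.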


Billing records

Billing records are a sub-set of the information within the raw message log that provides sufficient information to determine who made each transaction. These tables are designed for use by third-party tools that generate the actual bill for the customer. The definitions for the bill table columns are as follows:

Table 7-8    Bill data (bill_data table)

  RawRecordId    The RawRecordId of the associated raw log table record
  SubjectDN      The originator distinguished name extracted from the mandatory Identrus level 1 message signature. This determines who should be billed
  IssuerDN       The issuer distinguished name extracted from the mandatory Identrus level 1 message signature. Together with the SerialNumber field below, this identifies the exact key used to sign the message
  SerialNumber   The originator certificate serial number, which together with the issuer distinguished name identifies the exact key used to sign the message


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 19, 2001