This blog series will cover the basics of WebSphere Security Auditing. This is a feature of WAS that is often not implemented, so I thought it would be a good mini-series to discuss. I shall be producing 9 small bite-size blog items, and some may be more detailed than others. Below is the main outline of what I will be delivering in the 9-part series.

1. ENABLE ADMINISTRATIVE SECURITY FOR THE PROFILE

2. CREATE A USER

3. MAP USER TO AUDITOR ROLE

4. CONFIGURE AUDIT MONITOR

5. VERIFYING GENERATION OF AUDIT MESSAGES

6. GENERATE AN HTML REPORT USING BINARYAUDITLOGREADER

7. CREATING AN EVENT FILTER

7A. CONFIGURING AUDIT SERVICE PROVIDER

7B. CONFIGURING AUDIT EVENT FACTORY

8. SIGNING YOUR SECURITY AUDIT RECORDS

9. ENCRYPTING THE SECURITY AUDIT LOG

9A. CONFIGURING KEYSTORE AND CERTIFICATE REQUIRED FOR ENCRYPTION

9B. AUDIT RECORD ENCRYPTION CONFIGURATION

Introduction

This document explains the steps involved in turning on the security auditing feature in WebSphere Application Server.

The Security Auditing feature enables logging of security events such as successful and failed user login attempts. Remember, this is not a mechanism to control who can access what. The events are logged to a text file which can be read through a text editor. WebSphere also provides a tool called binaryAuditLogReader which can convert this text file into an HTML file for easier reading.

WebSphere also helps make sure that this audit log is not tampered with, by allowing the log to be digitally signed with a digital certificate, if this is really required. A digitally signed log is Base64-encoded and tamper-evident (the signature lets any modification be detected), but it is still not encrypted, so it can be read by anyone. To make it unreadable to intruders, the log can also be encrypted using a key held in a keystore. To decrypt the log, the binaryAuditLogReader tool can be used.

The dependency diagram shows what configuration is dependent on what. For example, if Security Auditing is disabled, then everything under that will not work.

Steps Involved

1. Enable Administrative Security for the profile

Administrative Security has to be enabled for the Security Audit feature to work. To turn on Administrative Security, do the following.

  • Start the server if it is not running.
  • Open the WebSphere Administrative Console.
  • Expand Security and click on Global Security.
  • Select Enable administrative security as shown in the screen capture.

Restart the server. (If this was already enabled, the server need not be restarted.)
