KRA Audit Events
KRA audit events can be configured in the log.instance.SignedAudit.events property.
These events are triggered when an archival request is received through the REST interface or from the CA. Since they are generated by different threads, they may be created in reversed order.
Additional events are generated when keys are archived from the CA, that is, when CRMF requests are submitted to the CA. In particular, the CA request ID is passed through and logged so that the audit flow through the CA → KRA can be tracked.
The additional events are:
PROFILE_CERT_REQUEST:
- subjectID: userID for the agent initiating the request. This is the user (trusted agent) mapped to the CA subsystem cert in the KRA.
- outcome: success/failure
- ReqID: the enrollment request in the CA. This is used to track the request and link it to the CA audit logs.
- ProfileID: set to kraConnector
- CertSubject: subject name of the certificate request
For example, archive a private key from the CA:
$ pki -d alias -c redhat123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
TODO: add pki command to approve cert request
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:KRAInfoResource.getInfo] authorization success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][aclResource=certServer.kra.connector][Op=submit] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][Role=Data Recovery Manager Agents, Trusted Managers] assume privileged role
[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=38][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null] security data archival request made
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null][KeyID=161][FailureReason=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPwOzhpNANr4KdmRJ341Rp5k15xHWdTYQ3r5gf8Xx+ugQRmx7m4q1ot2X4AGbru0K3WIuIb04liSup8fuTPslGngS/vLcfHo1rdZBOz/DWMV/tW/5uURNVZCbwiiV+b97gRxpoKb+TJfp2qU9S35oUkAx11dwPZzRzpl4j1Gb7uQIDAQAB] security data archival request processed
[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=38][InfoName=certificate][InfoValue=<null>] certificate request processed
[AuditEvent=INTER_BOUNDARY][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ProtectionMethod=ssl][ReqType=enrollment][ReqID=38] inter-CIMC_Boundary communication (data exchange)

[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
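An added example, not part of the Dogtag wiki or code base: one way to follow the CA → KRA flow in a log like the one above is to group the KRA events by the CA request ID, independent of the order in which the threads logged them. It assumes, as the sample shows, that ArchivalRequestID carries the same value as ReqID; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# [Key=Value] fields; assumes values never contain "]" (true of the sample log above).
FIELD = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
# Field carrying the CA request ID per event type (assumption drawn from the sample log).
CA_ID_FIELD = {
    "PROFILE_CERT_REQUEST": "ReqID",
    "SECURITY_DATA_ARCHIVAL_REQUEST": "ArchivalRequestID",
    "SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED": "ArchivalRequestID",
}

def parse_events(text):
    """Yield one dict per event; a new event starts at each AuditEvent field."""
    for chunk in re.split(r"(?=\[AuditEvent=)", text)[1:]:
        yield dict(FIELD.findall(chunk))

def correlate(text):
    """Group archival events by CA request ID, whatever order they were logged in."""
    chains = defaultdict(lambda: {"events": set(), "failed": False})
    for ev in parse_events(text):
        id_field = CA_ID_FIELD.get(ev["AuditEvent"])
        if id_field is None or id_field not in ev:
            continue
        chain = chains[ev[id_field]]
        chain["events"].add(ev["AuditEvent"])
        chain["failed"] |= ev.get("Outcome", "").lower() != "success"
        for src in ("CertSubject", "RequestId", "KeyID"):
            if src in ev:
                chain[src] = ev[src]
    return dict(chains)

def incomplete(chains):
    """CA request IDs whose chain failed or lacks one of the three expected events."""
    return sorted(r for r, c in chains.items()
                  if c["failed"] or c["events"] != set(CA_ID_FIELD))

# Constructed sample, deliberately out of order; PubKey replaced by a placeholder.
SAMPLE = """\
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-ca.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null][KeyID=161][FailureReason=null][PubKey=PLACEHOLDER] security data archival request processed
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-ca.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null] security data archival request made
[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-ca.example.com-8443][Outcome=Success][ReqID=38][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-ca.example.com-8443][Outcome=Success][ReqID=39][ProfileID=kraConnector][CertSubject=UID=otheruser] certificate request made with certificate profiles
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-ca.example.com-8443][Outcome=Success][ArchivalRequestID=39][RequestId=326][ClientKeyID=null] security data archival request made
"""
```

Here `incomplete(correlate(SAMPLE))` reports request 39, whose archival request was made but never logged as processed. The parser also accepts several events on one line.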