Source: http://www.themiddlewareshop.com/2012/07/01/websphere-security-auditingpart-1/
Posted by Steve Robinson on Jul 1, 2012 in Blog, WebSphere, WebSphere Application Server
This blog series will cover the basics of WebSphere Security Auditing. This is a feature of WAS that is often not implemented, so I thought it would make a good mini-series. I shall be producing 9 small bite-size blog items, some more detailed than others. Below is the main outline of what I will be delivering in the 9-part series.

1. ENABLE ADMINISTRATIVE SECURITY FOR THE PROFILE
2. CREATE A USER
3. MAP USER TO AUDITOR ROLE
4. CONFIGURE AUDIT MONITOR
5. VERIFYING GENERATION OF AUDIT MESSAGES
6. GENERATE A HTML REPORT USING BINARYAUDITLOGREADER
7. CREATING AN EVENT FILTER
7A. CONFIGURING AUDIT SERVICE PROVIDER
7B. CONFIGURING AUDIT EVENT FACTORY
8. SIGNING YOUR SECURITY AUDIT RECORDS
9. ENCRYPTING THE SECURITY AUDIT LOG
9A. CONFIGURING KEYSTORE AND CERTIFICATE REQUIRED FOR ENCRYPTION
9B. AUDIT RECORD ENCRYPTION CONFIGURATION
Introduction
This document explains the steps involved in turning on the security auditing feature in WebSphere Application Server.

The Security Auditing feature enables logging of security events, such as successful and failed login attempts of users. Remember, this is not a mechanism to control who can access what; it only records what happened. The events are logged to a text file which can be read with a text editor. WebSphere also provides a tool called binaryAuditLogReader which can convert this text file into an HTML file for easier reading. To help ensure that the audit log is not tampered with, WebSphere allows the log to be digitally signed with a digital certificate, if this is really required. A digitally signed log is Base-64 encoded and tamper-evident (any modification breaks the signature), but it is still not encrypted, so it can be read by anyone with access to the file. To make it completely unavailable to intruders, the log can also be encrypted using a key held in a keystore. To decrypt the log again, the binaryAuditLogReader tool can be used. The dependency diagram shows which configuration depends on which; for example, if Security Auditing is disabled, then everything under it will not work.
1. Enable Administrative Security for the Profile

Start the server if it is not running. Open the WebSphere Administrative console. Expand Security and click on Global Security.

Restart the server. (If administrative security was already enabled, then the server need not be restarted.)
2. Create a User
WebSphere Application Server supports role-based access control to its various features. Security Auditing is one such feature, and it can be configured by a user mapped to the Auditor role. This role was introduced in WebSphere Application Server Version 7.0. Search and confirm that a user with the same name does not exist before creating a new one.

Expand Users and Groups in the Navigation Pane of the Administrative Console. Click Manage Users. To view all the users, enter * in the Search for field and then click the Search button.

Click the Manage Users link under Users and Groups and enter the following details:
o User ID: An ID that will be used later on to log in to the WebSphere Administrative console
o Password: The user's password
o First name: The user's first name
o Last name: The user's last name
o E-mail: The user's e-mail ID
Click the Create button. Mandatory text fields are given a light brown background colour in WebSphere.
3. Map User to Auditor Role

Now click on the Administrative user roles link in the left navigation pane, then click the Add button.

1. Select the role Auditor.
2. Click Search to locate the user. Users are shown in the Available section.
3. Select the user in the Available section and move it to the Mapped to role section by clicking the arrow that points to the right.
4. Click the OK button. The OK button did not work properly in the Google Chrome browser at the time of writing this course material. It worked properly in the Mozilla Firefox browser.
4. Configure Audit Monitor

Click Security auditing under Security in the left navigation pane. Click the Audit monitor link under Related Items in the content pane.

Enter a name for the notification. Check the Message log check box. Click OK.

Check the Enable Monitoring option. Select the notification created previously. Click the OK button.

Note that the server has to be restarted for these changes to take effect.
Check the Enable security auditing check box. Select Log warning in the Audit subsystem failure action drop-down:
o If you select No warning, then no notification is given in case of an audit subsystem failure.
o The Terminate server option will make the server shut down gracefully.
Select the primary auditor user name. Click the Apply button.

Note: This change requires a server restart to come into effect. At this point the Security Auditing feature is enabled, and further configuration is optional.
5. Verifying Generation of Audit Messages

Restart the server.

Go to the <profile_root>/logs/<server_name> directory and open the file with the name
o BinaryAudit_<cell_name>_<node_name>_<server_name>.log

Note: Every event starts with a sequence number. The event type is displayed next. The fields are separated by a | character. This is hard to read, but easy to grep.
Now let us generate a security event and check the audit log.

Log out of the console. Try to log in with an incorrect user name, say hacker.
A security event should be generated and written to the log file. Open the log file again and check.
7. Creating an Event Filter

Expand Security in the Navigation pane. Click Security auditing. Click Event type filters under Related Items.

Enabling Verbose Auditing will result in additional information being written to the audit log for every event.
Give a name to the Event Type filter. Select the type of event, say SECURITY_AUTHZ. Select the type of outcome, say DENIED. Click the OK button.
7A. Configuring Audit Service Provider

Open the Administrative console as the Auditor. Expand Security in the Navigation pane. Click the Security Auditing hyperlink. Click Audit service provider under Related Items.
You will find the new Event Type filter under Selectable Filters.

Select it and click on the right arrow to move it to the Enabled Filters section. Click the OK button.
7B. Configuring Audit Event Factory

The Audit event factory is responsible for receiving the audit event messages, creating event objects from them and forwarding those objects to the Audit Service Provider. So in a way the Audit service provider is dependent on the Audit event factory object.

Open the Administrative console as the Auditor. Expand Security in the Navigation pane. Click Audit event factory configuration.

Select the Event type filter created earlier. Click the right arrow to move it from Selectable filters to Enabled filters. Click the OK button.
Restart the Application server. Try to stop the server using the Auditor credentials.
Notice that a message ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials is displayed in the command line.
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./stopServer.sh server1 -username security_auditor -password websphere
ADMU0116I: Tool information is being logged in file /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
ADMU0128I: Starting tool with the appsrv01 profile
ADMU3100I: Reading configuration for server: server1
ADMU0111E: Program exiting with error: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials.
ADMU4113E: Verify that username and password information is correct. If running tool from the command line, pass in the correct -username and -password. Alternatively, update the <conntype>.client.props file.
ADMU1211I: To obtain a full trace of the failure, use the -trace option.
ADMU0211I: Error details may be seen in the file: /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$

Open the audit log using a text editor. Note the SECURITY_AUTHZ event written to the audit log.
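The log is pipe-delimited and grep-friendly, so a few lines of Python can pull the failed-login events from the earlier test and the SECURITY_AUTHZ DENIED event from the stopServer attempt. This is an added example, not code from the original post or from IBM; the records and the field names (Seq, Event Type, Outcome, User Name, Action) are constructed to match the page's description of the layout (sequence number first, event type next, fields separated by |) and a real log carries many more fields.

```python
from collections import Counter

# Constructed sample records (not copied from a real WebSphere audit log).
# Field names are an assumption; only the seq-first, pipe-separated layout
# is taken from the page.
SAMPLE_AUDIT_LOG = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESS | User Name = wasadmin | Remote Address = 10.0.0.5
Seq = 1 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | User Name = hacker | Remote Address = 10.0.0.9
Seq = 2 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | User Name = hacker | Remote Address = 10.0.0.9
Seq = 3 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | User Name = hacker | Remote Address = 10.0.0.9
Seq = 4 | Event Type = SECURITY_AUTHZ | Outcome = DENIED | User Name = security_auditor | Action = stop | Resource = Server MBean
"""


def parse_record(line):
    """Split one pipe-delimited record into a dict of field name -> value."""
    fields = {}
    for raw in line.split("|"):
        key, sep, value = raw.partition("=")
        if sep:  # ignore fragments without a "name = value" shape
            fields[key.strip()] = value.strip()
    return fields


def parse_audit_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def failed_logins_by_user(records):
    """Count SECURITY_AUTHN records whose outcome is not SUCCESS, per user."""
    counts = Counter()
    for r in records:
        if r.get("Event Type") == "SECURITY_AUTHN" and r.get("Outcome") != "SUCCESS":
            counts[r.get("User Name", "?")] += 1
    return counts


def denied_authz(records):
    """(seq, user, action) for every SECURITY_AUTHZ record with outcome DENIED."""
    return [(int(r["Seq"]), r.get("User Name"), r.get("Action"))
            for r in records
            if r.get("Event Type") == "SECURITY_AUTHZ" and r.get("Outcome") == "DENIED"]


def check_sequence_gaps(records):
    """Sequence numbers should be contiguous; a gap means records went missing."""
    seqs = sorted(int(r["Seq"]) for r in records if "Seq" in r)
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1]) if n not in present] if seqs else []


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("failed logins:", dict(failed_logins_by_user(recs)))
    print("denied authz:", denied_authz(recs))
    print("sequence gaps:", check_sequence_gaps(recs))
```

The sequence-gap check is the cheap integrity test available before signing is enabled; a missing number in an unsigned log is the first sign that records were truncated or removed.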
8. Signing Your Security Audit Records

Check Enable signing. Select a managed keystore (accept the default value).
Note: The certificate information used to sign is written under the Signing_information element. Also note that the event is Base-64 encoded.
6. Generate a HTML Report Using binaryAuditLogReader

Generate an HTML report and check whether you are still able to see the events.

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
WASX7209I: Connected to process server1 on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: print Help.help()
wsadmin>AdminTask.binaryAuditLogReader(-interactive)
Binary Audit Log Reader
Binary Audit Log Reader Command
*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword):
*Output HTML file location (outputLocation): /home/steve/Documents/report.html
Data points to report (dataPoints):
Binary Audit Log Reader
F (Finish)
C (Cancel)
Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.binaryAuditLogReader([-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -outputLocation /home/steve/Documents/report.html ])
true
wsadmin>quit
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$
9. Encrypting the Security Audit Log

9A. Configuring Keystore and Certificate Required for Encryption

Open the Administrative Console and expand Security in the Navigation pane. Click Security auditing. Click Audit encryption key stores and certificates.

Click New.

Enter the path where the keystore is to be created (enter <profile_root>/properties/AuditKeyStore.p12). Give a password for the keystore (you need to keep this password safe). Confirm the password by entering it again. Select PKCS12 as the keystore type. Click the OK button.

Click the Personal certificates hyperlink under Additional Properties. Click the Create self-signed Certificate button. (Note that for production use, you need to get this from a CA.)
The encryption strength depends on the size of the key. The alias name is used to locate the certificate within the keystore.
Give an alias name. Select 1024 bits as the key size. Give a common name. Give the validity period for the certificate (accept the default value of 365 days). Click the OK button.

9B. Audit Record Encryption Configuration

Expand Security in the Navigation Pane. Click the Security auditing hyperlink. Click Audit record encryption configuration under Related Items.

Check Enable Encryption. Select the keystore name from the drop-down. Select the alias name to locate the certificate within the keystore. Click the OK button.
Note that the encryption information is written to the audit log confirming that the audit log is encrypted.
To view the contents of the encrypted audit log, the binaryAuditLogReader tool can be used to decrypt and generate an HTML report. Notice that this time you need to provide the keystore password to successfully generate the HTML report.
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
WASX7209I: Connected to process server1 on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: print Help.help()
wsadmin>AdminTask.binaryAuditLogReader(-interactive)
Binary Audit Log Reader
Binary Audit Log Reader Command
*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword): websphere
*Output HTML file location (outputLocation): /home/steve/Documents/reportDecrypted.html
Data points to report (dataPoints):
Binary Audit Log Reader
F (Finish)
C (Cancel)