authorAde Lee <alee@redhat.com>2017-05-16 17:29:45 -0400
committerAde Lee <alee@redhat.com>2017-05-23 14:31:54 -0400
commit1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 (patch)
tree67efbe323389114660ae79e918c9e621d61f86d7 /base/server
parent3249ddc2c19f6f5ded11823b345c9c58bae4750b (diff)
Encapsulate the archival audit log
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is already logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
Diffstat (limited to 'base/server')
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java40
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java10
-rw-r--r--base/server/cmsbundle/src/LogMessages.properties14
3 files changed, 21 insertions, 43 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index 02aa8c8c0..85db2cb75 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID;
import com.netscape.certsrv.ca.ICAService;
import com.netscape.certsrv.ca.ICertificateAuthority;
import com.netscape.certsrv.connector.IConnector;
-import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.AuditFormat;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.profile.EProfileException;
import com.netscape.certsrv.profile.ERejectException;
import com.netscape.certsrv.profile.IProfileUpdater;
@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile {
throw new EProfileException("Profile Not Enabled");
}
- String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRequesterID = auditRequesterID(request);
- String auditArchiveID = ILogger.UNIDENTIFIED;
-
String id = request.getRequestId().toString();
- if (id != null) {
- auditArchiveID = id.trim();
- }
+
CMS.debug("CAEnrollProfile: execute request ID " + id);
@@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile {
CMS.debug("CAEnrollProfile: KRA connector " +
"not configured");
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
-
+ auditRequesterID));
} else {
CMS.debug("CAEnrollProfile: execute send request");
kraConnector.send(request);
// check response
if (!request.isSuccess()) {
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
if (request.getError(getLocale(request)) != null &&
(request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) {
CMS.debug("CAEnrollProfile: execute set request status: REJECTED");
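Review bot: The SecurityDataArchivalEvent at the top of this hunk is built with three arguments (subject, outcome, requester), but the template it presumably resolves to, LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST in the LogMessages.properties hunk below, still has four placeholders ending in [ClientKeyID={3}]; unless the event's constructor fills that slot itself, the CA's audit line will carry a literal `{3}` in place of the client key ID, which is worth confirming in SecurityDataArchivalEvent since that class is not part of this diff. The same construction appears in the SUCCESS hunk and the catch-block hunk that follow. Separately, the CA now emits SECURITY_DATA_ARCHIVAL_REQUEST where it used to emit PRIVATE_KEY_ARCHIVE_REQUEST, so any audit-event selection configuration or log consumer keyed on the old event name will stop seeing these records; the commit message describes the mapping but the configuration side is not covered here. The enclosing execute method begins and ends outside this hunk.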
@@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile {
request.getError(getLocale(request)));
}
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
+ auditRequesterID));
}
} catch (Exception e) {
@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile {
CMS.debug("CAEnrollProfile: " + e);
CMS.debug(e);
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EProfileException(e);
}
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
index 30d6b9cdc..2bcde64e9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
@@ -81,6 +81,16 @@ public class SubsystemService extends PKIService {
getClass().getSimpleName() + ": " + message);
}
+ protected void audit(AuditEvent event) {
+
+ String template = event.getMessage();
+ Object[] params = event.getParameters();
+
+ String message = CMS.getLogMessage(template, params);
+
+ auditor.log(message);
+ }
+
public void audit(String message, String scope, String type, String id, Map<String, String> params, String status) {
String auditMessage = CMS.getLogMessage(
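Review bot: The new audit(AuditEvent) overload has no Javadoc and no guard on `event`, so a null argument fails inside the method at event.getMessage() rather than at the call site; add `Objects.requireNonNull(event, "event");` (java.util.Objects) as its first statement and a Javadoc such as `/** Formats the event's message template with its parameters via CMS.getLogMessage and writes the result to the signed audit log. */`. It also trusts that the parameter count matches the template's placeholders; a mismatch is not an error here and would leave a literal `{n}` in the signed audit record, which is worth stating in the Javadoc so callers know to keep event classes and LogMessages.properties in step. The public audit(String, …) overload below it is unchanged and continues outside the hunk.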
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 6bc2d827a..03af2166a 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -1943,18 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
# -- feature disabled --
#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
#
-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
-# - used when user private key archive request is made
-# this is an option in a certificate enrollment request detected by RA or CA
-# so should be seen logged right following the certificate request, if selected
-# ReqID must be the certificate enrollment request ID associated with the
-# CA archive option (even if the request was originally submitted via
-# an RA) (this field is set to the "EntityID" in caase of server-side key gen)
-# ArchiveID must be the DRM request ID associated with the enrollment ID,
-# ReqID (this field will be "N/A" when logged by the CA)
-#
-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=<type=PRIVATE_KEY_ARCHIVE_REQUEST>:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request
-#
# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
# - used when user private key archive request is processed
# this is when DRM receives and processed the request
@@ -2490,7 +2478,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=<type=SECURITY_D
# RecoveryID must be the recovery request ID
# CientID is the ID of the security data to be archived
#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made
#
#
# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED