
[Pki-devel] [PATCH] pki-cfu-0115-Ticket-1007-TPS-audit.patch



This patch is for
https://fedorahosted.org/pki/ticket/1007

    Ticket #1007 TPS audit
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE

Administrative auditing (via REST interface) will be covered in a separate ticket.

thanks,
Christina

From dcc495559444ba9f9659c60e1e00329640592d3d Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu redhat com>
Date: Thu, 21 Jan 2016 11:58:03 -0800
Subject: [PATCH] Ticket #1007 TPS audit

This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE

Administrative auditing (via REST interface) will be covered in a separate ticket
---
 base/common/src/com/netscape/certsrv/apps/CMS.java |  21 ++
 .../src/com/netscape/certsrv/apps/ICMSEngine.java  |  19 +
 base/server/cmsbundle/src/LogMessages.properties   |  88 ++++-
 .../src/com/netscape/cmscore/apps/CMSEngine.java   |   7 +
 .../netscape/cmscore/app/CMSEngineDefaultStub.java |   5 +
 base/tps/shared/conf/CS.cfg.in                     |   4 +-
 .../server/tps/cms/CAEnrollCertResponse.java       |   5 +
 .../server/tps/cms/CARemoteRequestHandler.java     |  10 +-
 .../server/tps/cms/CARenewCertResponse.java        |   5 +
 .../server/tps/cms/CARetrieveCertResponse.java     |   5 +
 .../server/tps/cms/CARevokeCertResponse.java       |   5 +
 .../server/tps/cms/KRARecoverKeyResponse.java      |   5 +
 .../server/tps/cms/KRARemoteRequestHandler.java    |   4 +-
 .../tps/cms/KRAServerSideKeyGenResponse.java       |   5 +
 .../server/tps/cms/RemoteRequestHandler.java       |   4 +
 .../dogtagpki/server/tps/cms/RemoteResponse.java   |   9 +
 .../dogtagpki/server/tps/processor/AppletInfo.java |   9 +
 .../server/tps/processor/TPSEnrollProcessor.java   | 251 ++++++++++----
 .../server/tps/processor/TPSPinResetProcessor.java |  42 ++-
 .../server/tps/processor/TPSProcessor.java         | 385 +++++++++++++++++++--
 20 files changed, 763 insertions(+), 125 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index 94f5c1687322cbe4a4b194b22e0f483bc8e012dc..9bfa608f2b5fa843a8c5d099e9383df89f7390e6 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -843,6 +843,27 @@ public final class CMS {
     }
 
     /**
+     * Retrieves the centralized log message from LogMessages.properties.
+     *
+     * @param msgID message id defined in LogMessages.properties
+     * @param p1 1st parameter
+     * @param p2 2nd parameter
+     * @param p3 3rd parameter
+     * @param p4 4th parameter
+     * @param p5 5th parameter
+     * @param p6 6th parameter
+     * @param p7 7th parameter
+     * @param p8 8th parameter
+     * @param p9 9th parameter
+     * @param p10 10th parameter
+     * @return localized log message
+     */
+    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+            String p7, String p8, String p9, String p10) {
+        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
+    }
+
+    /**
      * Returns the main config store. It is a handle to CMS.cfg.
      *
      * @return configuration store
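Review bot: this is the tenth fixed-arity getLogMessage overload, and each new one has to be mirrored in ICMSEngine, CMSEngine and CMSEngineDefaultStub; since CMSEngine already implements getLogMessage(String msgID, String[] params), a single varargs entry point such as `public static String getLogMessage(String msgID, String... params)` would serve the new 10-field TOKEN_KEY_RECOVERY and TOKEN_CERT_STATUS_CHANGE_REQUEST events and any later ones without further API churn. If the overload is kept, the Javadoc should say that the number of arguments must match the `_N` suffix of the message key (e.g. `_10`), because a mismatch leaves `{9}` unexpanded in the signed audit record.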
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index e024208fdcfdf83d3cf25478355d1a6d867a9ab3..aa6b9e32e26edec3e9c34d23f84db1684f31ebbd 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -456,6 +456,25 @@ public interface ICMSEngine extends ISubsystem {
             String p7, String p8, String p9);
 
     /**
+     * Retrieves the centralized log message from LogMessages.properties.
+     *
+     * @param msgID message id defined in LogMessages.properties
+     * @param p1 1st parameter
+     * @param p2 2nd parameter
+     * @param p3 3rd parameter
+     * @param p4 4th parameter
+     * @param p5 5th parameter
+     * @param p6 6th parameter
+     * @param p7 7th parameter
+     * @param p8 8th parameter
+     * @param p9 9th parameter
+     * @param p10 10th parameter
+     * @return localized log message
+     */
+    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+            String p7, String p8, String p9, String p10);
+
+    /**
      * Parse ACL resource attributes
      *
      * @param resACLs same format as the resourceACLs attribute:
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index e0e926ccb43a94c01bcb40cad81f7f04ee437f45..9dcfa1a9af0329d6335bacdf9461037a81d5ff0f 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2541,13 +2541,26 @@ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=<type=ASYMKEY_GENERATION_RE
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
 # - used for TPS when token certificate enrollment request is made
+# - Info is normally used to store more info in case of failure
 #
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate enrollment request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
 # - used for TPS when token certificate renewal request is made
+# - Info is normally used to store more info in case of failure
 #
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate renewal request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
+# - used for TPS when token certificate retrieval request is made;
+#   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# - used for TPS when token certificate key recovery request is made
+#
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
 #
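Review bot: all four message formats in this hunk (TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL, TOKEN_KEY_RECOVERY) open with `:[[AuditEvent=` while every other TOKEN_* event in the file opens with a single `[`; the doubled bracket was already present in the two lines being replaced, but the two new events copy it, and an unbalanced `[[` will confuse any parser that splits the record on `[key=value]` pairs. Drop the extra bracket on all four lines. Separately, MSN and AppletVersion were removed from the enrollment and renewal events (IP and Info were added), whereas the format and applet-upgrade events in the next hunk keep both fields; if the omission is deliberate, the commit message should say so, since consumers of the old `_9` enrollment format will now find different fields at the same positions.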
 # LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
 # - used when a token certificate status change request (e.g. revocation)
@@ -2556,23 +2569,70 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
 #
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_7=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][SubjectID={0}][Outcome={1}][tokenType={2}][CUID={3}][CertSerialNum={4}][RequestType={5}][CA_ID={6}] token certificate revocation/unrevocation request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
 # - used when token pin reset request is made
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST_7=<type=TOKEN_PIN_RESET_REQUEST>:[AuditEvent=TOKEN_PIN_RESET_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token pin reset request made
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6=<type=TOKEN_PIN_RESET_SUCCESS>:[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST
-# - used when token format request is made
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST_7=<type=TOKEN_FORMAT_REQUEST>:[AuditEvent=TOKEN_FORMAT_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token format request made
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
+# - used when token pin reset request failed 
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6=<type=TOKEN_PIN_RESET_FAILURE>:[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE
-# - used when token apple upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_8=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}] token applet upgrade
+# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
+# - used when token op request made
+# - OP can be "format", "enroll", or "pinReset"
+LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token op request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER
-# - used when token applet upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_8=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][oldKeyVersion={6}][newKeyVersion={7}] token key changeover
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
+# - used when token format op succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9=<type=TOKEN_FORMAT_SUCCESS>:[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
+# - used when token format op failed
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=<type=TOKEN_FORMAT_FAILURE>:[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
+# - used when token apple upgrade succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=<type=TOKEN_APPLET_UPGRADE_SUCCESS>:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
+# - used when token apple upgrade failed
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=<type=TOKEN_APPLET_UPGRADE_FAILURE>:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
+# - used when token key changeover is required
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
+# - used when token key changeover succeeded
+# - Info usually is unused for success
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10=<type=TOKEN_KEY_CHANGEOVER_SUCCESS>:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
+# - used when token key changeover  failed
+# - Info is used for storing more info in case of failure 
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=<type=TOKEN_KEY_CHANGEOVER_FAILURE>:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
+# - used when authentication failed
+# Outcome should always be "failure" in this event
+#   (obviously, if authentication failed, you won't have a valid SubjectID, so
+#       in this case, AttemptedID is recorded)
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9=<type=TOKEN_AUTH_FAILURE>:[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
+# - used when authentication succeeded
+# Outcome should always be "success" in this event
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success
 #
 # LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
 # - used when configuring general TPS 
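Review bot: TOKEN_PIN_RESET_FAILURE has no Info field, unlike TOKEN_FORMAT_FAILURE, TOKEN_APPLET_UPGRADE_FAILURE and TOKEN_KEY_CHANGEOVER_FAILURE, so a failed PIN reset is recorded without a reason; add `[Info={6}]` and rename the key to `LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_7` for parity with the other failure events. The comments for both applet-upgrade events still read "token apple upgrade" (carried over from the deleted TOKEN_APPLET_UPGRADE comment), and the TOKEN_PIN_RESET_SUCCESS comment still says "request is made" although the event now fires on completion; the TOKEN_KEY_CHANGEOVER_FAILURE comment line and the PIN_RESET_FAILURE comment line also carry trailing whitespace. Finally, this hunk deletes the TOKEN_PIN_RESET_REQUEST, TOKEN_FORMAT_REQUEST, TOKEN_APPLET_UPGRADE and TOKEN_KEY_CHANGEOVER keys outright; any TPS instance whose CS.cfg still enables those names will, after upgrade, enable events that no longer have a message definition (see the CS.cfg.in hunk below).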
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index d050060d909c3cb4608aa3d1379d26de57ab9326..d68290195a92c90b0bb960b64a5f0bfc160ef0a7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1650,6 +1650,13 @@ public class CMSEngine implements ICMSEngine {
         return getLogMessage(msgID, params);
     }
 
+    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+            String p7, String p8, String p9, String p10) {
+        String params[] = { p1, p2, p3, p4, p5, p6, p7, p8, p9, p10 };
+
+        return getLogMessage(msgID, params);
+    }
+
     public void getSubjAltNameConfigDefaultParams(String name,
             Vector<String> params) {
         GeneralNameUtil.SubjAltNameGN.getDefaultParams(name, params);
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index 5d43af7d136c83e1c436d0e9222338f747f5b685..2b85eacacd688d744099189dabed02d91f1b9933 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -253,6 +253,11 @@ public class CMSEngineDefaultStub implements ICMSEngine {
         return null;
     }
 
+    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+            String p7, String p8, String p9, String p10) {
+        return null;
+    }
+
     public IACL parseACL(String resACLs) throws EACLsException {
         return null;
     }
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index 82801f2fb0613da116e4945cec39a56fe0ad0bce..e9f9ffaa69cc6014599802afc00026c537904bd9 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -209,11 +209,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit._003=##
 log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_REQUEST,TOKEN_FORMAT_REQUEST,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIREDTOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,AUTH_FAIL,ROLE_ASSUME,AUTHZ_SUCCESS,AUTHZ_FAIL,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_REQUEST,TOKEN_FORMAT_REQUEST,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE
+log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,AUTH_FAIL,ROLE_ASSUME,AUTHZ_SUCCESS,AUTHZ_FAIL,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
 log.instance.SignedAudit.unselected.events=
 log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 log.instance.SignedAudit.expirationTime=0
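Review bot: the `_005` list of available events is missing a comma between TOKEN_KEY_CHANGEOVER_REQUIRED and TOKEN_KEY_CHANGEOVER_FAILURE (it reads `TOKEN_KEY_CHANGEOVER_REQUIREDTOKEN_KEY_CHANGEOVER_FAILURE`) and omits TOKEN_KEY_CHANGEOVER_SUCCESS, which the `events` line directly below does enable; the two lists should agree. While the `events` line is being rewritten, the pre-existing duplicates (AUTH_FAIL, AUTHZ_SUCCESS and AUTHZ_FAIL each appear twice) could be removed. Because this template only affects new instances and the old TOKEN_PIN_RESET_REQUEST, TOKEN_FORMAT_REQUEST, TOKEN_APPLET_UPGRADE and TOKEN_KEY_CHANGEOVER names no longer exist in LogMessages.properties, an existing deployment keeps the old names in its CS.cfg and silently stops recording those operations unless an upgrade step rewrites `log.instance.SignedAudit.events`. Note also that the cover letter and commit message list TOKEN_KEY_CHANGEOVER and TOKEN_KEY_CHANGEOVER_FAILURE, but the events actually defined and enabled here are TOKEN_KEY_CHANGEOVER_REQUIRED, TOKEN_KEY_CHANGEOVER_SUCCESS and TOKEN_KEY_CHANGEOVER_FAILURE.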
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
index 9c83e08429149672d89ac05e3b47fe9df6bebf88..702038f8c87fb07efc1be14558c82308f8e5a86f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
@@ -34,6 +34,11 @@ public class CAEnrollCertResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public CAEnrollCertResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getCertB64() {
         return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_b64);
     }
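Review bot: the new two-argument constructor duplicates the body of the existing one-argument constructor; `this(ht); setConnID(connid);` keeps the two in sync, and the same applies to the identical constructors added to CARenewCertResponse, CARetrieveCertResponse, CARevokeCertResponse, KRARecoverKeyResponse and KRAServerSideKeyGenResponse in this patch. Since every call site in CARemoteRequestHandler and KRARemoteRequestHandler now passes `connid`, consider removing the single-argument constructors altogether, so that a response object can never be constructed without the connector ID that the CA_ID/KRA_ID audit fields depend on.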
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index d70bf5d797ee34ebfd84f707149dc6212fa56cba..0a68e65831cea885389f81061bf5a33b6d40dd2f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
@@ -263,7 +263,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             }
 
             CMS.debug("CARemoteRequestHandler: enrollCertificate(): ends.");
-            return new CAEnrollCertResponse(response);
+            return new CAEnrollCertResponse(connid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: enrollCertificate(): no response content");
             throw new EBaseException("CARemoteRequestHandler: enrollCertificate(): no response content.");
@@ -360,7 +360,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             }
 
             CMS.debug("CARemoteRequestHandler: retrieveCertificate(): ends.");
-            return new CARetrieveCertResponse(response);
+            return new CARetrieveCertResponse(connid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: retrieveCertificate(): no response content");
             throw new EBaseException("CARemoteRequestHandler: retrieveCertificate(): no response content.");
@@ -471,7 +471,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             }
 
             CMS.debug("CARemoteRequestHandler: renewCertificate(): ends.");
-            return new CARenewCertResponse(response);
+            return new CARenewCertResponse(connid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: renewCertificate(): no response content");
             throw new EBaseException("CARemoteRequestHandler: renewCertificate(): no response content.");
@@ -542,7 +542,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             response.put(IRemoteRequest.RESPONSE_STATUS, ist);
 
             CMS.debug("CARemoteRequestHandler: revokeCertificate(): ends.");
-            return new CARevokeCertResponse(response);
+            return new CARevokeCertResponse(connid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: revokeCertificate(): no response content.");
             throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): no response content.");
@@ -605,7 +605,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
             response.put(IRemoteRequest.RESPONSE_STATUS, ist);
 
             CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): ends.");
-            return new CARevokeCertResponse(response);
+            return new CARevokeCertResponse(connid, response);
         } else {
             CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
             throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
index bb9ebbb44d658afe0773c9c8b88285abbdea3cce..ad1edef28384a239a71f11fe92a4cd459d41df20 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
@@ -34,6 +34,11 @@ public class CARenewCertResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public CARenewCertResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getRenewedCertB64() {
         return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_b64);
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
index b9150c456f615cf8f441962bb3fb8fca75558619..8889dc55a4193148185149a7f7be3d9914bb663d 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
@@ -38,6 +38,11 @@ public class CARetrieveCertResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public CARetrieveCertResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getCertB64() {
         return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_chain_b64);
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
index d7db5976c2d382ba16e8d6885a3e604aba7b290d..f72a0cf0988ab4d8acc1531f7d7e53c02a51eb0a 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
@@ -33,6 +33,11 @@ public class CARevokeCertResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public CARevokeCertResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getErrorString() {
         return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
index 9d0c5ff5f62c76c4d027ee657a372d560344e41e..aa9780995eb673b7155f11ba8c85db88f1bb87f1 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
@@ -33,6 +33,11 @@ public class KRARecoverKeyResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public KRARecoverKeyResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getErrorString() {
         return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
index 89304cbc9adb3ae03a1ec7dd740b289d09205cbe..1f7347ddd001a18cb6214c25876883dd0753753f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
@@ -208,7 +208,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
             }
 
             CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): ends.");
-            return new KRAServerSideKeyGenResponse(response);
+            return new KRAServerSideKeyGenResponse(connid, response);
         } else {
             CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): no response content.");
             throw new EBaseException("KRARemoteRequestHandler: serverSideKeyGen(): no response content.");
@@ -352,7 +352,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
             }
 
             CMS.debug("KRARemoteRequestHandler: recoverKey(): ends.");
-            return new KRARecoverKeyResponse(response);
+            return new KRARecoverKeyResponse(connid, response);
         } else {
             CMS.debug("KRARemoteRequestHandler: recoverKey(): no response content.");
             throw new EBaseException("KRARemoteRequestHandler: recoverKey(): no response content.");
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
index 1836bcdbdf1b2906509c2e8204c3ecf498a33584..11c5a944e2442bc0df33314ec56b4a8a7d100477 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
@@ -33,6 +33,11 @@ public class KRAServerSideKeyGenResponse extends RemoteResponse
         nameValTable = ht;
     }
 
+    public KRAServerSideKeyGenResponse(String connid, Hashtable<String, Object> ht) {
+        setConnID(connid);
+        nameValTable = ht;
+    }
+
     public String getErrorString() {
         return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
     }
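Review bot: the new two-argument constructor repeats the body of the existing one-argument constructor; delegate instead (`this(ht); setConnID(connid);`) so the two cannot drift apart. The `KRARecoverKeyResponse(connid, response)` constructor called in the KRARemoteRequestHandler hunk is not shown here, so the same check applies there.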
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
index ceed1c11c267858fc740fae662db89361f59bd93..b594df9207eefd3f4c4e7ff95275e4023496b02a 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
@@ -88,4 +88,8 @@ public abstract class RemoteRequestHandler
         }
     }
 
+    protected String getConnid() {
+        return connid;
+    }
+
 }
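Review bot: naming is inconsistent across the three classes touched by this connector-id change: `getConnid()` here, `setConnID()`/`getConnID()` on RemoteResponse, and the field `connId` set from a parameter `connid`. Pick one casing (the existing `connid` field in RemoteRequestHandler suggests `getConnId`/`setConnId`) before it spreads to more callers.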
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
index c2c7818b01f8d79d56a7c364b662350c3f565111..bf6f82f29a4e4bb8bb2dca805374d9e8b0bf64e9 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
@@ -28,8 +28,17 @@ import org.dogtagpki.server.connector.IRemoteRequest;
  */
 public abstract class RemoteResponse
 {
+    private String connId;
     protected Hashtable<String, Object> nameValTable;
 
+    protected void setConnID(String connid) {
+        connId = connid;
+    }
+
+    public String getConnID() {
+        return connId;
+    }
+
     public int getStatus() {
         Integer iValue = (Integer) nameValTable.get(IRemoteRequest.RESPONSE_STATUS);
         if (iValue == null)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
index b5574760e4f6fd453947f9a6bdd1d199eafca558..bcbb10be4aad6c548cabd2e29f94539d527f24b9 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
@@ -9,6 +9,7 @@ public class AppletInfo {
     private byte minorVersion;
     private byte appMajorVersion;
     private byte appMinorVersion;
+    private String finalAppletVersion = null;
 
     private TPSBuffer aid;
     private TPSBuffer cuid;
@@ -26,6 +27,14 @@ public class AppletInfo {
 
     }
 
+    public void setFinalAppletVersion(String appletVersion) {
+        finalAppletVersion = appletVersion;
+    }
+
+    public String getFinalAppletVersion() {
+        return finalAppletVersion;
+    }
+
     public void setKDD(TPSBuffer theKDD) {
         kdd = new TPSBuffer(theKDD);
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 89e1191350318bd5edc4143cc4413f434518a79f..46421068f56ea6c3b306ad4049cec6f8d8704c37 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -13,11 +13,6 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -57,8 +52,6 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -66,6 +59,12 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 public class TPSEnrollProcessor extends TPSProcessor {
 
     public TPSEnrollProcessor(TPSSession session) {
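Review bot: these three hunks only move the `netscape.*` and `sun.security.pkcs11.wrapper.PKCS11Constants` imports to a different position; nothing about auditing depends on them. Pulling the reorder out of an audit patch (or noting it in the commit message) keeps the diff reviewable, and it is worth flagging that `sun.security.*` is a JDK-internal package the code already relies on.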
@@ -91,6 +90,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
         String method = "TPSEnrollProcessor.enroll:";
         CMS.debug(method + " entering...");
         String logMsg = null;
+        String auditInfo = null;
         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
         TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
         IConfigStore configStore = CMS.getConfigStore();
@@ -100,9 +100,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
         TokenRecord tokenRecord = null;
         try {
             appletInfo = getAppletInfo();
+            auditOpRequest("enroll", appletInfo, "success", null);
         } catch (TPSException e) {
-            logMsg = e.toString();
-            tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
+            auditInfo = e.toString();
+            // appletInfo is null as expected at this point
+            // but audit for the record anyway
+            auditOpRequest("enroll", appletInfo, "failure", auditInfo);
+            tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditInfo,
                     "failure");
 
             throw e;
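Review bot: the failure branch calls `auditOpRequest("enroll", appletInfo, "failure", auditInfo)` with `appletInfo` known to be null, as the comment says. `auditOpRequest` is not in the visible hunks, so confirm it null-guards the applet info the way `auditPinReset` does (`(aInfo != null) ? aInfo.getCUIDhexStringPlain() : null`); otherwise the audit call itself throws a NullPointerException and the original TPSException is lost.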
@@ -152,12 +156,15 @@ public class TPSEnrollProcessor extends TPSProcessor {
                 throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
             }
 
+            TPSAuthenticator userAuth = null;
             try {
                 CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: calling requestUserId");
-                TPSAuthenticator userAuth =
-                        getAuthentication(authId);
+                userAuth = getAuthentication(authId);
                 processAuthentication(TPSEngine.ENROLL_OP, userAuth, cuid, tokenRecord);
+                auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
             } catch (Exception e) {
+                auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+                        (userAuth != null) ? userAuth.getID() : null);
                 // all exceptions are considered login failure
                 CMS.debug(method + ": authentication exception thrown: " + e);
                 logMsg = "ExternalReg authentication failed, status = STATUS_ERROR_LOGIN";
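Review bot: the success audit passes `authId` while the failure audit passes `userAuth.getID()` or null. When `getAuthentication(authId)` is what throws, `userAuth` is still null and the TOKEN_AUTH_FAILURE record loses the authenticator id even though `authId` is known at that point; pass `authId` in both branches and the `userAuth != null` conditional becomes unnecessary.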
@@ -206,32 +213,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
             }
 
             session.setExternalRegAttrs(erAttrs);
-            if (erAttrs.getTokenType() != null) {
-                CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to tokenType attribute of user entry:"
-                        +
-                        erAttrs.getTokenType());
-                setSelectedTokenType(erAttrs.getTokenType());
-            } else {
-                // get the default externalReg tokenType
-                configName = "externalReg.default.tokenType";
-                CMS.debug(method + " externalReg user entry does not contain tokenType...setting to default config: "
-                        + configName);
-                try {
-                    tokenType = configStore.getString(configName,
-                            "externalRegAddToToken");
-                    CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to default:" +
-                            tokenType);
-                    setSelectedTokenType(tokenType);
-                } catch (EBaseException e) {
-                    CMS.debug(method + " Internal Error obtaining mandatory config values. Error: "
-                            + e);
-                    logMsg = "TPS error getting config values from config store." + e.toString();
-                    tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
-                            "failure");
-
-                    throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
-                }
-            }
+            setExternalRegSelectedTokenType(erAttrs);
 
             CMS.debug("In TPSEnrollProcessor.enroll isExternalReg: about to process keySet resolver");
             /*
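Review bot: the removed block handled a missing `externalReg.default.tokenType` by logging a tdbActivity failure and throwing TPSException with STATUS_ERROR_MISCONFIGURATION; `setExternalRegSelectedTokenType(erAttrs)` is not defined in any visible hunk, so confirm it keeps both behaviours. Note also that the local `tokenType` is no longer assigned here, which is why the later hunk switches `checkAndAuthenticateUser` to `getSelectedTokenType()`; any other reader of `tokenType` in this method needs the same change.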
@@ -343,7 +325,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
         // isExternalReg : user already authenticated earlier
         if (!isExternalReg)
-            checkAndAuthenticateUser(appletInfo, tokenType);
+            checkAndAuthenticateUser(appletInfo, getSelectedTokenType());
 
         if (do_force_format) {
             CMS.debug(method + " About to force format first due to policy.");
@@ -582,6 +564,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
         CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
 
         logMsg = "appletVersion=" + lastObjVer + "; tokenType =" + selectedTokenType + "; userid =" + userid;
+        CMS.debug(method + logMsg);
         tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
                 "success");
 
@@ -1216,6 +1199,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
         String method = "TPSEnrollProcessor.externalRegRecover:";
         String logMsg;
+        String auditInfo;
         CMS.debug(method + "begins");
         TPSStatus status = TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED;
         if (session == null || session.getExternalRegAttrs() == null ||
@@ -1322,10 +1306,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
                 keyResp = kraRH.recoverKey(cuid, userid, Util.specialURLEncode(channel.getDRMWrappedDesKey()),
                         null, keyid);
                 if (keyResp == null) {
-                    logMsg = "recovering key not found";
-                    CMS.debug(method + logMsg);
+                    auditInfo = "recovering key not found";
+                    auditRecovery(userid, appletInfo, "failure",
+                            channel.getKeyInfoData().toHexStringPlain(),
+                            serial, caConn,
+                            kraConn, auditInfo);
+                    CMS.debug(method + auditInfo);
                     return TPSStatus.STATUS_ERROR_RECOVERY_FAILED;
                 }
+                auditRecovery(userid, appletInfo, "success",
+                        channel.getKeyInfoData().toHexStringPlain(),
+                        serial, caConn,
+                        kraConn, null);
             }
 
             CertEnrollInfo cEnrollInfo = new CertEnrollInfo();
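Review bot: the TOKEN_KEY_RECOVERY failure record is written only when `keyResp == null`, but `KRARemoteRequestHandler.recoverKey` (earlier in this patch) throws EBaseException on an empty response rather than returning null, so that failure produces no audit entry unless it is caught and audited elsewhere. Consider catching it here, which would also let the two near-identical `auditRecovery(...)` calls collapse into one with a computed status and info.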
@@ -1837,15 +1829,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
                         try {
                             caRH = new CARemoteRequestHandler(caConnId);
 
-                            CARevokeCertResponse response =
-                                    caRH.revokeCertificate(false /*unrevoke*/, serialToRecover,
-                                            certToRecover.getCertificate(),
-                                            null);
+                            CARevokeCertResponse response = caRH.revokeCertificate(false /*unrevoke*/, serialToRecover,
+                                    certToRecover.getCertificate(),
+                                    null);
                             CMS.debug(method + ": response status =" + response.getStatus());
+                            auditRevoke(certToRecover.getTokenID(), false /*off-hold*/, -1 /*na*/,
+                                    String.valueOf(response.getStatus()), serialToRecover, caConnId, null);
 
                         } catch (EBaseException e) {
                             logMsg = "failed getting CARemoteRequestHandler";
                             CMS.debug(method + ":" + logMsg);
+                            auditRevoke(certToRecover.getTokenID(), false/*off-hold*/, -1 /*na*/, "failure",
+                                    serialToRecover, caConnId, logMsg);
                             throw new TPSException(method + ":" + logMsg, TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
                         }
                     }
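Review bot: `String.valueOf(response.getStatus())` is passed as the status field of the TOKEN_CERT_STATUS_CHANGE_REQUEST record, while every other audit in this patch uses "success"/"failure"; a non-zero CA status would be logged as a bare number such as "1". Map it to "success"/"failure" (keeping the raw status in the info field if wanted). The catch also reuses "failed getting CARemoteRequestHandler" as the audit info although the try covers `revokeCertificate` too, so a revocation error will be attributed to handler construction.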
@@ -2182,6 +2177,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
             SecureChannel channel, TPSEngine.ENROLL_MODES mode)
             throws TPSException, IOException {
 
+        String auditInfo = null;
         CMS.debug("TPSEnrollProcessor.enrollOneCertificate: entering ... mode: " + mode);
 
         if (certsInfo == null || aInfo == null || cEnrollInfo == null || channel == null) {
@@ -2209,8 +2205,11 @@ public class TPSEnrollProcessor extends TPSProcessor {
             //Bomb out if cert exists, we ca't overwrite
 
             if (certIdExists) {
+                auditInfo = "cert id exists on token; Overwrite of certificates not allowed";
+                auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+                        null, null /*caConnID*/, auditInfo);
                 throw new TPSException(
-                        "TPSEnrollProcessor.enrollOneCertificate: Overwrite of certificates not allowed!",
+                        "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                         TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
             }
 
@@ -2231,8 +2230,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
             CMS.debug("TPSEnrollProcessor.enrollOneCertificate: detecting recovery mode!");
             if (isRecovery && !serverSideKeyGen) {
+                auditInfo = "Attempting illegal recovery when archival is not enabled";
+                auditRecovery(userid, aInfo, "failure",
+                        channel.getKeyInfoData().toHexStringPlain(),
+                        null, null,
+                        null, auditInfo);
                 throw new TPSException(
-                        "TPSEnrollProcessor.enrollOneCertificate: Attempting illegal recovery when archival is not enabled!",
+                        "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                         TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
             }
         }
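Review bot: `auditRecovery` is called here with `null` for serial, but the `auditRecovery` added later in this patch evaluates `serial.compareTo(BigInteger.ZERO)` with no null check, so this path throws a NullPointerException instead of the intended TPSException with STATUS_ERROR_RECOVERY_FAILED. Either pass `BigInteger.ZERO` or add the `serial != null &&` guard that `auditEnrollment` already has.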
@@ -2250,14 +2254,14 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
             CMS.debug("TPSEnrollProcessor.enrollOneCertificate: either generate private key on the server, or preform recovery or perform renewal.");
             boolean archive = checkForServerKeyArchival(cEnrollInfo);
-            String drmConnId = getDRMConnectorID();
+            String kraConnId = getDRMConnectorID();
 
             String publicKeyStr = null;
             //Do this for JUST server side keygen
             if (isRecovery == false) {
                 ssKeyGenResponse = getTPSEngine()
                         .serverSideKeyGen(cEnrollInfo.getKeySize(),
-                                aInfo.getCUIDhexStringPlain(), userid, drmConnId, channel.getDRMWrappedDesKey(),
+                                aInfo.getCUIDhexStringPlain(), userid, kraConnId, channel.getDRMWrappedDesKey(),
                                 archive, isECC);
 
                 publicKeyStr = ssKeyGenResponse.getPublicKey();
@@ -2286,10 +2290,19 @@ public class TPSEnrollProcessor extends TPSProcessor {
                             + rsaKey.getKeySize());
                 }
             } catch (InvalidKeyFormatException e) {
-                String msg = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
+                auditInfo = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
                         + e.toString();
-                CMS.debug(msg);
-                throw new TPSException(msg,
+                if (!isRecovery) { //servrSideKeygen
+                    auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+                            BigInteger.ZERO, null /*caConnID*/, auditInfo);
+                } else {
+                    auditRecovery(userid, aInfo, "failure",
+                            channel.getKeyInfoData().toHexStringPlain(),
+                            null /*serial*/, null /*caConn*/,
+                            kraConnId, auditInfo);
+                }
+                CMS.debug(auditInfo);
+                throw new TPSException(auditInfo,
                         TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
             } catch (InvalidKeyException e) {
                 String msg = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
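Review bot: the `catch (InvalidKeyException e)` immediately after this block reports the same "can't create public key object" failure but gets no audit call; mirror the audit there. In the recovery branch the `null /*serial*/` argument hits the unguarded `serial.compareTo` in `auditRecovery` and will NPE before the TPSException is thrown. Minor: the comment reads "servrSideKeygen".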
@@ -2457,21 +2470,24 @@ public class TPSEnrollProcessor extends TPSProcessor {
                 }
 
                 String retCertB64 = caEnrollResp.getCertB64();
-
-                CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + retCertB64);
-
-                cert_bytes = Utils.base64decode(retCertB64);
-
-                TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
-                CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + cert_bytes_buf.toHexString());
-
                 if (retCertB64 != null)
                     CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert b64 =" + retCertB64);
                 else {
-                    CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert b64 not found");
-                    throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert b64 not found",
+                    auditInfo = "new cert b64 not found";
+                    CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+                    auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+                            BigInteger.ZERO, caConnID, auditInfo);
+                    throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                             TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
                 }
+
+                CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + retCertB64);
+
+                cert_bytes = Utils.base64decode(retCertB64);
+
+                TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
+                CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + cert_bytes_buf.toHexString());
+
                 x509Cert = caEnrollResp.getCert();
                 if (x509Cert != null)
                     CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert retrieved");
@@ -2481,12 +2497,17 @@ public class TPSEnrollProcessor extends TPSProcessor {
                             TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
                 }
 
+                auditEnrollment(userid, "enrollment", aInfo, "success", channel.getKeyInfoData().toHexStringPlain(),
+                        x509Cert.getSerialNumber(), caConnID, null);
             } else {
+                String caConnID = getCAConnectorID("keyGen", cEnrollInfo.getKeyType());
+
                 //Import the cert data from the CertEnrollObject or from Renewal object
 
                 CMS.debug("TPSEnrollProcessor.enrollOneCertificate: Attempt to import cert data in recovery mode or renew mode!");
 
                 if (isRecovery) {
+
                     CARetrieveCertResponse certResp = cEnrollInfo.getRecoveredCertData();
 
                     if (certResp == null) {
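Review bot: `getCAConnectorID("keyGen", cEnrollInfo.getKeyType())` in the recovery/renewal branch looks copied from the key-generation path; its only use is the renewal "response object not found" audit, while the other audits in this branch take `certResp.getConnID()`. If the renewal connector is intended, look it up under the renewal operation name; otherwise drop the variable. The extra blank line after `if (isRecovery) {` can go too.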
@@ -2512,11 +2533,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
                                 TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
                     }
                     x509Cert = certResp.getCert();
-                    if (x509Cert != null)
+                    if (x509Cert != null) {
                         CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: recovering new cert retrieved");
-                    else {
-                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: recovering new cert not found");
-                        throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert not found",
+                        auditEnrollment(userid, "retrieval", aInfo, "success",
+                                channel.getKeyInfoData().toHexStringPlain(), x509Cert.getSerialNumber(),
+                                certResp.getConnID(), null);
+                    } else {
+                        auditInfo = "recovering new cert not found";
+                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+                        auditEnrollment(userid, "retrieval", aInfo, "failure",
+                                channel.getKeyInfoData().toHexStringPlain(), null /*unavailable*/,
+                                certResp.getConnID(), auditInfo);
+                        throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                                 TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
                     }
 
@@ -2528,8 +2556,11 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
                     CARenewCertResponse certResp = cEnrollInfo.getRenewedCertData();
                     if (certResp == null) {
+                        auditInfo = "In renewal mode, CARemewCertResponse object not found!";
+                        auditEnrollment(userid, "renewal", aInfo, "failure",
+                                channel.getKeyInfoData().toHexStringPlain(), null, caConnID, auditInfo);
                         throw new TPSException(
-                                "TPSEnrollProcessor.enrollOneCertificate: In renewal mode, CARemewCertResponse object not found!",
+                                "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                                 TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
                     }
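Review bot: the pre-existing typo "CARemewCertResponse" is now copied into the signed audit info string; correct it to "CARenewCertResponse" while the message is being moved.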
 
@@ -2539,7 +2570,10 @@ public class TPSEnrollProcessor extends TPSProcessor {
                     if (retCertB64 != null)
                         CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing: new cert b64 =" + retCertB64);
                     else {
-                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert b64 not found");
+                        auditInfo = "renewing new cert b64 not found";
+                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+                        auditEnrollment(userid, "renewal", aInfo, "failure",
+                                channel.getKeyInfoData().toHexStringPlain(), null, certResp.getConnID(), auditInfo);
                         throw new TPSException(
                                 "TPSEnrollProcessor.enrollOneCertificate: remewomg: new cert b64 not found",
                                 TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
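Review bot: the thrown message still reads "remewomg: new cert b64 not found" while the audit record says "renewing new cert b64 not found"; build the exception from `auditInfo` (`"TPSEnrollProcessor.enrollOneCertificate: " + auditInfo`) as the other sites in this patch do, so the debug log, audit log and exception agree.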
@@ -2547,11 +2581,17 @@ public class TPSEnrollProcessor extends TPSProcessor {
 
                     x509Cert = certResp.getRenewedCert();
 
-                    if (x509Cert != null)
+                    if (x509Cert != null) {
                         CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert retrieved");
-                    else {
-                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert not found");
-                        throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert not found",
+                        auditEnrollment(userid, "renewal", aInfo, "success",
+                                channel.getKeyInfoData().toHexStringPlain(), x509Cert.getSerialNumber(),
+                                certResp.getConnID(), null);
+                    } else {
+                        auditInfo = "renewing new cert not found";
+                        CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+                        auditEnrollment(userid, "renewal", aInfo, "failure",
+                                channel.getKeyInfoData().toHexStringPlain(), null, certResp.getConnID(), auditInfo);
+                        throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
                                 TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
                     }
 
@@ -3447,6 +3487,75 @@ public class TPSEnrollProcessor extends TPSProcessor {
         return serialBI;
     }
 
+    /*
+     * op can be "retrieval", "renewal", or "enrollment" (default)
+     */
+    private void auditEnrollment(String subjectID, String op,
+            AppletInfo aInfo,
+            String status,
+            String keyVersion,
+            BigInteger serial,
+            String caConnId,
+            String info) {
+
+        // when serial is 0, means no serial, as in case of failure
+        String serialNum = "";
+        if (serial != null && serial.compareTo(BigInteger.ZERO) > 0)
+            serialNum = serial.toString();
+
+        String auditType = "";
+        switch (op) {
+        case "retrieval":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
+            break;
+        case "renewal":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
+            break;
+        default:
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                (session != null) ? session.getIpAddress() : null,
+                subjectID,
+                aInfo.getCUIDhexStringPlain(),
+                status,
+                getSelectedTokenType(),
+                keyVersion,
+                serialNum,
+                caConnId,
+                info);
+        audit(auditMessage);
+    }
+
+    private void auditRecovery(String subjectID, AppletInfo aInfo,
+            String status,
+            String keyVersion,
+            BigInteger serial,
+            String caConnId,
+            String kraConnId,
+            String info) {
+
+        String serialNum = "";
+        if (serial.compareTo(BigInteger.ZERO) > 0)
+            serialNum = serial.toString();
+
+        String auditMessage = CMS.getLogMessage(
+                "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10",
+                (session != null) ? session.getIpAddress() : null,
+                subjectID,
+                aInfo.getCUIDhexStringPlain(),
+                status,
+                getSelectedTokenType(),
+                keyVersion,
+                serialNum,
+                caConnId,
+                kraConnId,
+                info);
+        audit(auditMessage);
+    }
+
     public static void main(String[] args) {
     }
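Review bot: `auditRecovery` dereferences `serial` (`serial.compareTo(BigInteger.ZERO)`) without a null check, yet callers added in this patch pass `null` for it (the illegal-recovery and InvalidKeyFormatException paths in enrollOneCertificate); copy the `serial != null &&` guard from `auditEnrollment`. Both helpers also call `aInfo.getCUIDhexStringPlain()` unguarded, unlike `auditPinReset`; since these are failure-path helpers, a null-safe `aInfo` would keep an audit call from masking the real error.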
 
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 2c29b21e82b2baf9e4d6020c72adccc50840ad81..d9a79f4f024f701641252da2b13ff69b5735db1b 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -72,8 +72,12 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         try {
             appletInfo = getAppletInfo();
+            auditOpRequest("pinReset", appletInfo, "success", null);
         } catch (TPSException e) {
             logMsg = e.toString();
+            // appletInfo is null as expected at this point
+            // but audit for the record anyway
+            auditOpRequest("pinReset", appletInfo, "failure", logMsg);
             tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
                     "failure");
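Review bot: the failure activity in the pin-reset processor is still written as `ActivityDatabase.OP_ENROLLMENT`; the later hunk in this file uses `OP_PIN_RESET` for the same operation, so this pre-existing line should be corrected while the audit call is being added. As in the enroll processor, `auditOpRequest("pinReset", appletInfo, "failure", logMsg)` runs with a null `appletInfo`, so the helper must tolerate that.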
 
@@ -85,9 +89,10 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         if (tokenRecord == null) {
             //We can't reset the pin of a token that does not exist.
-
-            CMS.debug(method + ": Token does not exist!");
-            throw new TPSException(method + " Can't reset pin of token that does not exist ",
+            logMsg = "Token does not exist!";
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            CMS.debug(method + ": " + logMsg);
+            throw new TPSException(method + logMsg +
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
         }
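Review bot: `throw new TPSException(method + logMsg + TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU)` concatenates the status code into the message; the original line passed it as the second constructor argument with a comma. Restore the comma so the caller still receives STATUS_ERROR_MAC_RESET_PIN_PDU, and add a separator (`method + ": " + logMsg`) as the CMS.debug line above already does.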
 
@@ -122,6 +127,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
             }
         } catch (TPSException e) {
             logMsg = e.toString();
+            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
             tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
                     "failure");
 
@@ -144,6 +150,9 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         checkAndHandlePinReset(channel);
 
+        auditPinReset(session.getIpAddress(), userid, appletInfo, "success",
+                channel.getKeyInfoData().toHexStringPlain(), null);
+
         try {
             tps.tdb.tdbUpdateTokenEntry(tokenRecord);
             CMS.debug(method + ": token record updated!");
@@ -165,6 +174,33 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
     }
 
+    protected void auditPinReset(String ip, String subjectID,
+            AppletInfo aInfo,
+            String status,
+            String keyVersion,
+            String info) {
+
+        String auditType = "";
+        switch (status) {
+        case "success":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
+            break;
+        default:
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                ip,
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                status,
+                getSelectedTokenType(),
+                keyVersion,
+                info);
+        audit(auditMessage);
+    }
+
     public static void main(String[] args) {
         // TODO Auto-generated method stub
 
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index bf757c72213526ade31af019816f28d4d9c56100..9099fc3a0422404c0129aa756e90f62709d08be5 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -88,6 +88,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.symkey.SessionKey;
 
@@ -130,6 +131,8 @@ public class TPSProcessor {
 
     ProfileDatabase profileDatabase = new ProfileDatabase();
 
+    protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
     public TPSProcessor(TPSSession session) {
         setSession(session);
     }
@@ -903,10 +906,12 @@ public class TPSProcessor {
         APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, cardMgrAIDBuff);
 
         if (!select.checkResult()) {
-            throw new TPSException("TPSProcessor.upgradeApplet: Can't selelect the card manager!");
+            String logMsg = "Can't selelect the card manager!";
+            auditAppletUpgrade(appletInfo, "failure", null /*unavailable*/, new_version, logMsg);
+            throw new TPSException("TPSProcessor.upgradeApplet:" + logMsg);
         }
 
-        SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId,appletInfo);
+        SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId, appletInfo);
 
         channel.externalAuthenticate();
 
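Review bot: the pre-existing typo "selelect" is now carried into `logMsg`, and from there into both the signed audit record and the exception text, so it should be corrected to "select" here rather than preserved. In the same lines, `"TPSProcessor.upgradeApplet:" + logMsg` lacks the space after the colon that the second site in this method has; make the two consistent.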
@@ -928,9 +933,13 @@ public class TPSProcessor {
         select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAIDBuff);
 
         if (!select.checkResult()) {
-            throw new TPSException("TPSProcessor.upgradeApplet: Cannot select newly created applet!",
+            String logMsg = "Cannot select newly created applet!";
+            auditAppletUpgrade(appletInfo, "failure", channel.getKeyInfoData().toHexStringPlain(), new_version, logMsg);
+            throw new TPSException("TPSProcessor.upgradeApplet: " + logMsg,
                     TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
         }
+
+        auditAppletUpgrade(appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), new_version, null);
         tokenRecord.setAppletID(new_version);
 
     }
@@ -1071,6 +1080,7 @@ public class TPSProcessor {
         tokenRecord.setUserID(userid);
         authToken = authenticateUser(op, userAuth, userCred);
         userid = authToken.getInString("userid");
+
         tokenRecord.setUserID(userid);
         CMS.debug(method + " auth token userid=" + userid);
     }
@@ -1328,16 +1338,16 @@ public class TPSProcessor {
             throw new TPSException("TPSProcessor.isTokenRecordPresent: invalid input data.");
         }
 
-        CMS.debug("TPSEnrollProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
+        CMS.debug("TPSProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
 
         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
         TokenRecord tokenRecord = null;
         try {
             tokenRecord = tps.tdb.tdbGetTokenEntry(appletInfo.getCUIDhexStringPlain());
             // now the in memory tokenRecord is replaced by the actual token data
-            CMS.debug("TPSEnrollProcessor.enroll: found token...");
+            CMS.debug("TPSProcessor.enroll: found token...");
         } catch (Exception e) {
-            CMS.debug("TPSEnrollProcessor.enroll: token does not exist in tokendb... create one in memory");
+            CMS.debug("TPSProcessor.enroll: token does not exist in tokendb... create one in memory");
         }
 
         return tokenRecord;
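Review bot: the renamed debug messages still identify the wrong method; "TPSProcessor.enroll: found token..." and "TPSProcessor.enroll: token does not exist in tokendb..." are emitted from `isTokenRecordPresent`, not from `enroll`. Since the hunk is already touching these strings, change the prefix to `TPSProcessor.isTokenRecordPresent:` so the debug log points at the right place.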
@@ -1432,7 +1442,6 @@ public class TPSProcessor {
     /*
      * revokeCertificates revokes certificates on the token specified
      * @param cuid the cuid of the token to revoke certificates
-     * @return logMsg captures the audit message
      * @throws TPSException in case of error
      *
      * TODO: maybe make this a callback function later
@@ -1536,13 +1545,15 @@ public class TPSProcessor {
                 CMS.debug(method + ": found cert hex serial: " + serial +
                         " dec serial:" + serialStr);
                 try {
-                    CARevokeCertResponse response =
-                            caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
-                                    revokeReason);
+                    CARevokeCertResponse response = caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
+                            revokeReason);
                     CMS.debug(method + ": response status =" + response.getStatus());
+                    auditRevoke(cuid, true, revokeReason.getCode(), String.valueOf(response.getStatus()), serialStr,
+                            caConnId, null);
                 } catch (EBaseException e) {
                     logMsg = method + ": revokeCertificate from CA failed:" + e;
                     CMS.debug(logMsg);
+                    auditRevoke(cuid, true, revokeReason.getCode(), "failure", serialStr, caConnId, null);
 
                     if (revokeReason == RevocationReason.CERTIFICATE_HOLD) {
                         tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, session.getTokenRecord(),
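Review bot: the `status` argument to `auditRevoke` is `String.valueOf(response.getStatus())` on the success path but the literal `"failure"` on the exception path, so the same audit field will hold a CA status value in one case and a TPS-side word in the other; pick one vocabulary (the other new helpers use "success"/"failure") so the record can be searched consistently. Also, in the catch block `logMsg` already holds the exception text, yet `info` is passed as null; pass `logMsg` so the audit record explains why the revocation request failed.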
@@ -1731,6 +1742,44 @@ public class TPSProcessor {
         return erAttrs;
     }
 
+    protected void setExternalRegSelectedTokenType(ExternalRegAttrs erAttrs)
+           throws TPSException {
+        String method = "TPSProcessor.setExternalRegSelectedTokenType: ";
+        IConfigStore configStore = CMS.getConfigStore();
+        TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+
+        CMS.debug(method + " begins");
+        if (erAttrs == null) {
+            CMS.debug(method + " parameter erAttr is null; nothing to set");
+        }
+            if (erAttrs.getTokenType() != null) {
+                CMS.debug(method + " setting tokenType to tokenType attribute of user entry:"
+                        +
+                        erAttrs.getTokenType());
+                setSelectedTokenType(erAttrs.getTokenType());
+            } else {
+                // get the default externalReg tokenType
+                String configName = "externalReg.default.tokenType";
+                CMS.debug(method + " externalReg user entry does not contain tokenType...setting to default config: "
+                        + configName);
+                try {
+                    String tokenType = configStore.getString(configName,
+                            "externalRegAddToToken");
+                    CMS.debug(method + " setting tokenType to default:" +
+                            tokenType);
+                    setSelectedTokenType(tokenType);
+                } catch (EBaseException e) {
+                    CMS.debug(method + " Internal Error obtaining mandatory config values. Error: "
+                            + e);
+                    String logMsg = "TPS error getting config values from config store." + e.toString();
+                    tps.tdb.tdbActivity(currentTokenOperation, session.getTokenRecord(), session.getIpAddress(), logMsg,
+                            "failure");
+
+                    throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+                }
+            }
+    }
+
     protected void format(boolean skipAuth) throws TPSException, IOException {
 
         IConfigStore configStore = CMS.getConfigStore();
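Review bot: the null check in `setExternalRegSelectedTokenType` only logs and then falls through, so `erAttrs.getTokenType()` on the very next statement dereferences the null and throws a NullPointerException; add a `return;` (or throw a TPSException) inside the `if (erAttrs == null)` block. The body that follows is also indented one level too deep, which makes it look as though it belongs to the `if`; reindent once the control flow is fixed.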
@@ -1738,14 +1787,19 @@ public class TPSProcessor {
         String logMsg = null;
         String appletVersion = null;
 
+        CMS.debug("TPSProcessor.format begins");
         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
 
         AppletInfo appletInfo = null;
         TokenRecord tokenRecord = null;
         try {
             appletInfo = getAppletInfo();
+            auditOpRequest("format", appletInfo, "success", null);
         } catch (TPSException e) {
             logMsg = e.toString();
+            // appletInfo is null as expected at this point
+            // but audit for the record anyway
+            auditOpRequest("format", appletInfo, "failure", logMsg);
             tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
                     "failure");
 
@@ -1849,12 +1903,15 @@ public class TPSProcessor {
 
                     throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
                 }
+                TPSAuthenticator userAuth = null;
                 try {
-                    TPSAuthenticator userAuth =
-                            getAuthentication(authId);
+                    userAuth = getAuthentication(authId);
 
                     processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+                    auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
                 } catch (Exception e) {
+                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+                            (userAuth != null) ? userAuth.getID() : null);
                     // all exceptions are considered login failure
                     CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
                     logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1892,7 +1949,8 @@ public class TPSProcessor {
                 }
                 test ends */
 
-                setSelectedTokenType(erAttrs.getTokenType());
+                setExternalRegSelectedTokenType(erAttrs);
+//                setSelectedTokenType(erAttrs.getTokenType());
             }
             CMS.debug("In TPSProcessor.format: isExternalReg: about to process keySet resolver");
             /*
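Review bot: the commented-out `//                setSelectedTokenType(erAttrs.getTokenType());` is dead code left beside its replacement `setExternalRegSelectedTokenType(erAttrs);`; delete it rather than keeping it in the source, since version control already records the previous call.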
@@ -1961,8 +2019,11 @@ public class TPSProcessor {
                 CMS.debug("TPSProcessor.format: getting config: " + configName);
                 isAuthRequired = configStore.getBoolean(configName, true);
             } catch (EBaseException e) {
-                CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e);
-                logMsg = "TPS error getting config values from config store." + e.toString();
+                String info = " Internal Error obtaining mandatory config values. Error: " + e;
+                auditFormat(userid, appletInfo, "failure",
+                        null, info);
+                CMS.debug("TPSProcessor.format: " + info);
+                logMsg = "TPS error: " + info;
                 tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
                         "failure");
 
@@ -1970,11 +2031,15 @@ public class TPSProcessor {
             }
 
             if (isAuthRequired && !skipAuth) {
+                TPSAuthenticator userAuth = null;
                 try {
-                    TPSAuthenticator userAuth =
-                            getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
+                    userAuth = getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
                     processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+                    auditAuth(userid, currentTokenOperation, appletInfo, "success",
+                            (userAuth != null) ? userAuth.getID() : null);
                 } catch (Exception e) {
+                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+                            (userAuth != null) ? userAuth.getID() : null);
                     // all exceptions are considered login failure
                     CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
                     logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1997,12 +2062,12 @@ public class TPSProcessor {
             // Check for transition to 0/UNINITIALIZED status.
 
             if (!tps.engine.isOperationTransitionAllowed(tokenRecord.getTokenStatus(), newState)) {
-                CMS.debug("TPSProcessor.format: token transition disallowed " +
-                        tokenRecord.getTokenStatus() +
-                        " to " + newState);
-                logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() +
-                        " Disabled, illegal transition attempted " + tokenRecord.getTokenStatus() +
+                String info = " illegal transition attempted: " + tokenRecord.getTokenStatus() +
                         " to " + newState;
+                CMS.debug("TPSProcessor.format: token transition: " + info);
+                logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() + " Disabled. " + info;
+                auditFormat(userid, appletInfo, "failure",
+                        null, info);
 
                 tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
                         "failure");
@@ -2020,6 +2085,8 @@ public class TPSProcessor {
             checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX);
         }
 
+        // TODO: the following lines of code could be replaced with call to
+        // checkAndUpgradeApplet()
         TPSBuffer build_id = getAppletVersion();
 
         if (build_id == null) {
@@ -2052,9 +2119,18 @@ public class TPSProcessor {
 
         // Upgrade Symm Keys if needed
 
-        SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord);
+        SecureChannel channel;
+        try {
+            channel = checkAndUpgradeSymKeys(appletInfo, tokenRecord);
+        } catch (TPSException te) {
+            auditKeyChangeover(appletInfo, "failure", null /* TODO */,
+                    getSymmetricKeysRequiredVersionHexString(), te.toString());
+            throw te;
+        }
         channel.externalAuthenticate();
 
+        auditFormat(userid, appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), null);
+
         if (isTokenPresent && revokeCertsAtFormat()) {
             // Revoke certificates on token, if so configured
             RevocationReason reason = getRevocationReasonAtFormat();
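Review bot: `checkAndUpgradeSymKeys` is declared as throwing both `TPSException` and `IOException`, but only `TPSException` is caught here, so an I/O failure during key changeover escapes without a KEY_CHANGEOVER_FAILURE audit record; catch `IOException` as well (or a common supertype) and re-throw after auditing. The `null /* TODO */` passed as the old key version should also be resolved before this lands, otherwise failure records will never carry the key version the token was at.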
@@ -2621,7 +2697,7 @@ public class TPSProcessor {
             index = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_INDEX, 0x0);
 
         } catch (EBaseException e) {
-            throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e,
+            throw new TPSException("TPSProcessor.getChannelDefKeyIndex: Internal error finding config value: " + e,
                     TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
 
         }
@@ -2800,6 +2876,12 @@ public class TPSProcessor {
                 + " App major version: " + result.getAppMajorVersion() + " App minor version: "
                 + result.getAppMinorVersion());
 
+        String currentAppletVersion = formatCurrentAppletVersion(result);
+        if (currentAppletVersion != null) {
+            CMS.debug("TPSProcessor.getAppletInfo: current applet version = " +
+                currentAppletVersion);
+        }
+
         return result;
     }
 
@@ -2852,6 +2934,14 @@ public class TPSProcessor {
         return version;
     }
 
+    protected String getSymmetricKeysRequiredVersionHexString() throws TPSException {
+        int requiredVersion = getSymmetricKeysRequiredVersion();
+        byte[] nv = { (byte) requiredVersion, 0x01 };
+        TPSBuffer newVersion = new TPSBuffer(nv);
+        String newVersionStr = newVersion.toHexString();
+        return newVersionStr;
+    }
+
     protected SecureChannel checkAndUpgradeSymKeys(AppletInfo appletInfo,TokenRecord tokenRecord) throws TPSException, IOException {
 
         /* If the key of the required version is
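Review bot: `getSymmetricKeysRequiredVersionHexString` returns `newVersion.toHexString()`, whereas every other key version written to the audit log (for example `channel.getKeyInfoData().toHexStringPlain()` in the changeover calls) uses `toHexStringPlain()`, so the oldKeyVersion and newKeyVersion fields of one record will be formatted differently; use `toHexStringPlain()` here so the two values compare as like with like.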
@@ -2909,6 +2999,10 @@ public class TPSProcessor {
 
                 channel = setupSecureChannel(appletInfo);
 
+                auditKeyChangeoverRequired(appletInfo,
+                        channel.getKeyInfoData().toHexStringPlain(),
+                        getSymmetricKeysRequiredVersionHexString(), null);
+
                 /* Assemble the Buffer with the version information
                  The second byte is the key offset, which is always 1
                 */
@@ -3003,7 +3097,8 @@ public class TPSProcessor {
                 selectCoolKeyApplet();
 
                 channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex,
-                        getTKSConnectorID(),appletInfo);
+                        getTKSConnectorID(), appletInfo);
+                auditKeyChangeover(appletInfo, "success", curVersionStr, newVersionStr, null);
 
             } else {
                 CMS.debug("TPSProcessor.checkAndUpgradeSymeKeys: We are already at the desired key set, returning secure channel.");
@@ -3160,18 +3255,35 @@ public class TPSProcessor {
     }
 
     protected String formatCurrentAppletVersion(AppletInfo aInfo) throws TPSException, IOException {
+        String method = "TPSProcessor.formatCurrentAppletVersion: ";
+        CMS.debug(method + " begins");
+        /*
+         * TODO: looks like calling formatCurrentAppletVersion() more than
+         * once will cause keygen to fail on token. (resolve later if needed)
+         * In the mean time, resolution is to save up the result the first
+         *  time it is called
+         */
+        if (aInfo.getFinalAppletVersion() != null) {
+            return aInfo.getFinalAppletVersion();
+        }
 
         if (aInfo == null) {
             throw new TPSException("TPSProcessor.formatCurrentAppletVersion: ", TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
         }
 
         TPSBuffer build_id = getAppletVersion();
+        if (build_id == null) {
+            CMS.debug(method + " getAppletVersion returning null");
+            return null;
+        }
         String build_idStr = build_id.toHexStringPlain();
 
         String finalVersion = aInfo.getAppMajorVersion() + "." + aInfo.getAppMinorVersion() + "." + build_idStr;
 
         finalVersion = finalVersion.toLowerCase();
-        CMS.debug("TPSProcessor.formatCurrentAppletVersion: returing: " + finalVersion);
+
+        aInfo.setFinalAppletVersion(finalVersion);
+        CMS.debug(method + " returing: " + finalVersion);
 
         return finalVersion;
 
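Review bot: `aInfo.getFinalAppletVersion()` is now called before the `if (aInfo == null)` check, so the null guard can never fire and a null `aInfo` produces a NullPointerException instead of the intended TPSException; move the cached-value lookup below the null check. While here, the debug message still reads "returing" (should be "returning").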
@@ -3286,13 +3398,17 @@ public class TPSProcessor {
             CMS.debug(method + ": opPrefox: " + opPrefix);
 
             if (isAuthRequired) {
+                TPSAuthenticator userAuth = null;
                 try {
-                    TPSAuthenticator userAuth =
-                            getAuthentication(opPrefix, tokenType);
+                    userAuth = getAuthentication(opPrefix, tokenType);
                     processAuthentication(TPSEngine.ENROLL_OP, userAuth, appletInfo.getCUIDhexString(), tokenRecord);
+                    auditAuth(userid, currentTokenOperation, appletInfo, "success",
+                            (userAuth != null) ? userAuth.getID() : null);
 
                 } catch (Exception e) {
                     // all exceptions are considered login failure
+                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+                            (userAuth != null) ? userAuth.getID() : null);
                     CMS.debug("TPSProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
                     String msg = "TPS error user authentication failed:" + e;
                     tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
@@ -3700,6 +3816,219 @@ public class TPSProcessor {
     }
     */
 
+    protected void auditAuth(String subjectID, String op,
+            AppletInfo aInfo,
+            String status,
+            String authMgrId) {
+
+        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
+        if (status.equals("success"))
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                session.getIpAddress(),
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                status,
+                op,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                authMgrId);
+        audit(auditMessage);
+    }
+
+    /*
+     * op can be can be "format", "enroll", or "pinReset"
+     */
+    protected void auditOpRequest(String op, AppletInfo aInfo,
+            String status,
+            String info) {
+        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                session.getIpAddress(),
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                status,
+                op,
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                info);
+        audit(auditMessage);
+    }
+
+    protected void auditFormat(String subjectID,
+            AppletInfo aInfo,
+            String status,
+            String keyVersion,
+            String info) {
+        String auditType = "";
+        switch (status) {
+        case "success":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
+            break;
+        default:
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                session.getIpAddress(),
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                status,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                keyVersion,
+                info);
+        audit(auditMessage);
+    }
+
+    protected void auditAppletUpgrade(AppletInfo aInfo,
+            String status,
+            String keyVersion,
+            String newVersion,
+            String info) {
+
+        String auditType = "";
+        switch (status) {
+        case "success":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
+            break;
+        default:
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                (session != null) ? session.getIpAddress() : null,
+                userid,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                status,
+                keyVersion,
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                newVersion,
+                info);
+        audit(auditMessage);
+    }
+
+    protected void auditKeyChangeoverRequired(AppletInfo aInfo,
+            String oldKeyVersion,
+            String newKeyVersion,
+            String info) {
+
+        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                (session != null) ? session.getIpAddress() : null,
+                userid,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                "na",
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                oldKeyVersion,
+                newKeyVersion,
+                info);
+        audit(auditMessage);
+    }
+
+    protected void auditKeyChangeover(AppletInfo aInfo,
+            String status,
+            String oldKeyVersion,
+            String newKeyVersion,
+            String info) {
+
+        String auditType = "";
+        switch (status) {
+        case "success":
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_9";
+            break;
+        default:
+            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                (session != null) ? session.getIpAddress() : null,
+                userid,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                status,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                oldKeyVersion,
+                newKeyVersion,
+                info);
+        audit(auditMessage);
+    }
+
+    /*
+     * audit revoke, on-hold, or off-hold
+     */
+    protected void auditRevoke(String cuid,
+            boolean isRevoke,
+            int revokeReason,
+            String status,
+            String serial,
+            String caConnId,
+            String info) {
+
+        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
+        /*
+         * requestType is "revoke", "on-hold", or "off-hold"
+         */
+        String requestType = "revoke";
+        if (!isRevoke)
+            requestType = "off-hold";
+        else {
+            if (revokeReason == RevocationReason.CERTIFICATE_HOLD.getCode()) {
+                requestType = "on-hold";
+            }
+        }
+
+        String auditMessage = CMS.getLogMessage(
+                auditType,
+                (session != null) ? session.getIpAddress() : null,
+                userid,
+                cuid,
+                status,
+                getSelectedTokenType(),
+                serial,
+                requestType,
+                String.valueOf(revokeReason),
+                caConnId,
+                info);
+        audit(auditMessage);
+    }
+
+    /**
+     * Signed Audit Log
+     *
+     * This method is called to store messages to the signed audit log.
+     * <P>
+     *
+     * @param msg signed audit log message
+     */
+    protected void audit(String msg) {
+        // in this case, do NOT strip preceding/trailing whitespace
+        // from passed-in String parameters
+
+        if (mSignedAuditLogger == null) {
+            return;
+        }
+
+        mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+                null,
+                ILogger.S_SIGNED_AUDIT,
+                ILogger.LL_SECURITY,
+                msg);
+    }
+
     public static void main(String[] args) {
     }
 
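Review bot: in `auditKeyChangeover` the success key is `LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_9` and the failure key is `..._FAILURE_10`, yet both are passed the same ten arguments after the key (ip, userid, cuid, msn, status, tokenType, appletVersion, oldKeyVersion, newKeyVersion, info); the numeric suffix conventionally matches the placeholder count, so check the two entries in LogMessages.properties and fix whichever side is off, or the success message will silently drop a field. Two smaller points in the same block: `auditAuth` does `status.equals("success")` and `session.getIpAddress()` unguarded, while the other helpers use a `switch` on status and `(session != null) ? session.getIpAddress() : null`; make `auditAuth` null-safe in the same way.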
-- 
2.4.3

