[Pki-devel] [PATCH] 0054 Lightweight CAs: add audit events
Fraser Tweedale
ftweedal at redhat.com
Wed Mar 2 00:05:56 UTC 2016
On Mon, Feb 22, 2016 at 02:21:58PM -0500, Ade Lee wrote:
> This patch needs to be rebased.
>
> Tt was possible, however, to review the contents. In general,
> everything looks good. It would be be useful though, to be able to
> distinguish the many failure cases. For instance --
>
> try {
> ca.modifyAuthority(data.getEnabled(), data.getDescription());
> + audit(ILogger.SUCCESS, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
> return createOKResponse(readAuthorityData(ca));
> } catch (CATypeException e) {
> + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
> throw new ForbiddenException(e.toString());
> } catch (IssuerUnavailableException e) {
> + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
> throw new ConflictingOperationException(e.toString());
> } catch (EBaseException e) {
> CMS.debug(e);
> + audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
> throw new PKIException("Error modifying authority: " + e.toString());
> }
>
> It would be nice to be able to determine if the modify failed because of permissions or otherwise.
> Can we add the exception error message to the auditParams?
>
> Ade
>
Updated patch attached. The "exception" key is added to the
auditParams map to indicate the exception (if any), rather than
adding a whole new audit message parameter.
Cheers,
Fraser
-------------- next part --------------
From 2d7722f2c9b8230e79d258ad7aa1be1e87804518 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 2 Nov 2015 01:43:26 -0500
Subject: [PATCH] Lightweight CAs: add audit events
Add audit events for lightweight CA administration.
Fixes: https://fedorahosted.org/pki/ticket/1590
---
base/ca/shared/conf/CS.cfg.in | 4 +-
.../dogtagpki/server/ca/rest/AuthorityService.java | 72 +++++++++++++++-------
.../src/com/netscape/certsrv/common/ScopeDef.java | 3 +
base/server/cmsbundle/src/LogMessages.properties | 8 +++
4 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 05508f8b289e027cc4e97df3fe584dfbc2290f7e..c679af5b3fd7f1fcda79848f68a9258580457b63 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -901,11 +901,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG
log.instance.SignedAudit._006=##
log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG
log.instance.SignedAudit.expirationTime=0
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
log.instance.SignedAudit.flushInterval=5
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 85203cb03eb6f6dabee01c275dfa302e7ee38592..fa9e1038b7b3ca718a7593052a852c31f48545f7 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -22,7 +22,9 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
+import java.util.LinkedHashMap;
import java.util.List;
+import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
@@ -49,6 +51,9 @@ import com.netscape.certsrv.ca.CANotLeafException;
import com.netscape.certsrv.ca.CATypeException;
import com.netscape.certsrv.ca.ICertificateAuthority;
import com.netscape.certsrv.ca.IssuerUnavailableException;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.ILogger;
import com.netscape.cms.realm.PKIPrincipal;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cmsutil.util.Utils;
@@ -76,12 +81,9 @@ public class AuthorityService extends PKIService implements AuthorityResource {
@Context
private HttpServletRequest servletRequest;
- /*
- private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
- "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
- private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
- "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
- */
+ private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
+ "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
+
@Override
public Response listCAs() {
@@ -183,19 +185,32 @@ public class AuthorityService extends PKIService implements AuthorityResource {
PKIPrincipal principal =
(PKIPrincipal) servletRequest.getUserPrincipal();
+ Map<String, String> auditParams = new LinkedHashMap<>();
+ auditParams.put("dn", data.getDN());
+ if (parentAID != null)
+ auditParams.put("parent", parentAIDString);
+ if (data.getDescription() != null)
+ auditParams.put("description", data.getDescription());
+
try {
ICertificateAuthority subCA = hostCA.createCA(
principal.getAuthToken(),
data.getDN(), parentAID, data.getDescription());
+ audit(ILogger.SUCCESS, OpDef.OP_ADD,
+ subCA.getAuthorityID().toString(), auditParams);
return createOKResponse(readAuthorityData(subCA));
} catch (IllegalArgumentException e) {
throw new BadRequestException(e.toString());
} catch (CANotFoundException e) {
throw new ResourceNotFoundException(e.toString());
} catch (IssuerUnavailableException | CADisabledException e) {
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_ADD, "<unknown>", auditParams);
throw new ConflictingOperationException(e.toString());
} catch (Exception e) {
CMS.debug(e);
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_ADD, "<unknown>", auditParams);
throw new PKIException("Error creating CA: " + e.toString());
}
}
@@ -213,15 +228,31 @@ public class AuthorityService extends PKIService implements AuthorityResource {
if (ca == null)
throw new ResourceNotFoundException("CA \"" + aidString + "\" not found");
+ Map<String, String> auditParams = new LinkedHashMap<>();
+ if (data.getEnabled() != ca.getAuthorityEnabled())
+ auditParams.put("enabled", data.getEnabled().toString());
+ String curDesc = ca.getAuthorityDescription();
+ String newDesc = data.getDescription();
+ if (curDesc != null && !curDesc.equals(newDesc)
+ || curDesc == null && newDesc != null)
+ auditParams.put("description", data.getDescription());
+
try {
ca.modifyAuthority(data.getEnabled(), data.getDescription());
+ audit(ILogger.SUCCESS, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
return createOKResponse(readAuthorityData(ca));
} catch (CATypeException e) {
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
throw new ForbiddenException(e.toString());
} catch (IssuerUnavailableException e) {
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
throw new ConflictingOperationException(e.toString());
} catch (EBaseException e) {
CMS.debug(e);
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_MODIFY, ca.getAuthorityID().toString(), auditParams);
throw new PKIException("Error modifying authority: " + e.toString());
}
}
@@ -253,15 +284,24 @@ public class AuthorityService extends PKIService implements AuthorityResource {
if (ca == null)
throw new ResourceNotFoundException("CA \"" + aidString + "\" not found");
+ Map<String, String> auditParams = new LinkedHashMap<>();
+
try {
ca.deleteAuthority();
+ audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
return createNoContentResponse();
} catch (CATypeException e) {
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_DELETE, aidString, auditParams);
throw new ForbiddenException(e.toString());
} catch (CAEnabledException | CANotLeafException e) {
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_DELETE, aidString, auditParams);
throw new ConflictingOperationException(e.toString());
} catch (EBaseException e) {
CMS.debug(e);
+ auditParams.put("exception", e.toString());
+ audit(ILogger.FAILURE, OpDef.OP_DELETE, aidString, auditParams);
throw new PKIException("Error modifying authority: " + e.toString());
}
}
@@ -292,25 +332,15 @@ public class AuthorityService extends PKIService implements AuthorityResource {
"-----END " + name + "-----\n";
}
- /* TODO work out what audit messages are needed
- public void auditProfileChangeState(String profileId, String op, String status) {
+ private void audit(
+ String status, String op, String id,
+ Map<String, String> params) {
String msg = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG,
auditor.getSubjectID(),
status,
- profileId,
- op);
+ auditor.getParamString(ScopeDef.SC_AUTHORITY, op, id, params));
auditor.log(msg);
}
- public void auditProfileChange(String scope, String type, String id, String status, Map<String, String> params) {
- String msg = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
- auditor.getSubjectID(),
- status,
- auditor.getParamString(scope, type, id, params));
- auditor.log(msg);
- }
- */
-
}
diff --git a/base/common/src/com/netscape/certsrv/common/ScopeDef.java b/base/common/src/com/netscape/certsrv/common/ScopeDef.java
index f689d1504d2cebf8868246e0ce51653a3d78d291..a06696e4b05e2f63e544bd2c0deaa2b8f6abd732 100644
--- a/base/common/src/com/netscape/certsrv/common/ScopeDef.java
+++ b/base/common/src/com/netscape/certsrv/common/ScopeDef.java
@@ -41,6 +41,9 @@ public interface ScopeDef {
public final static String SC_ADMIN = "admin";
public final static String SC_NETWORK = "network";
+ // lightweight authorities
+ public final static String SC_AUTHORITY = "authority";
+
// profile
public final static String SC_PROFILE_IMPLS = "profile";
public final static String SC_PROFILE_RULES = "rules";
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 1452db0e903e38e044d52c2cd3add8a98c403046..5f9432e28d1ac620d8ef29e13ceb701225a61ff4 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2654,6 +2654,14 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_3=<type=CONFIG_TOKEN_PROFILE>:[AuditEv
# - used when token state changed
#
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_5=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][CUID={2}][oldState={3}][newState={4}] token state changed
+#
+# LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
+# - used when configuring lightweight authorities
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
###########################
--
2.5.0
More information about the Pki-devel
mailing list