From 86bca3838d775bcb6b28e095cca605dd8b2d4e1f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 12 2019 16:34:45 +0000 Subject: import pki-core-10.5.9-13.el7_6 --- diff --git a/SOURCES/pki-core-10.5.9-batch-3.0.patch b/SOURCES/pki-core-10.5.9-batch-3.0.patch new file mode 100644 index 0000000..5ba8682 --- /dev/null +++ b/SOURCES/pki-core-10.5.9-batch-3.0.patch @@ -0,0 +1,2863 @@ +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 63cb299..2d5d962 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -911,7 +911,7 @@ log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++PKICertImport \- Used to safely validate and import certificates into the NSS database. ++ ++.SH SYNOPSIS ++.PP ++\fBUsage: PKICertImport -d -i -n -t -u [-h ] [-f ] [-a]\fP ++ ++Validate and import a certificate into the specified NSS database. Verifies signature, trust chain, trust, and usage flags. If a certificate is not valid, it will not be added to the NSS DB or specified hardware token. ++ ++.SH DESCRIPTION ++.PP ++The certificate import utility validates signature, trust chain, trust, and usage flags before importing a certificate into the specified NSS database. This ensures that no certificate is used before its authenticity has been verified. Unlike \fBcertutil\fP, only one invocation is necessary to both validate and import certificates. ++.PP ++See \fBcertutil\fP for more information about the parameters to \fBPKICertImport\fP. ++ ++.SH OPTIONS ++.PP ++\fBPKICertImport\fP parameters: ++.PP ++.TP ++.B --ascii, -a ++The certificate is encoded in ASCII (PEM) format instead of binary format. Optional. ++ ++.TP ++.B --database, -d ++The directory containing the NSS database. This is usually the client's personal directory. Required. ++ ++.TP ++.B --password, -f ++The path to a file containing the password to the NSS database. Optional. ++ ++.TP ++.B --hsm, -h ++Name of the token. By default it takes 'internal'. Optional. ++ ++.TP ++.B --certificate, -i ++Path to the certificate to import. Required. ++ ++.TP ++.B --nickname, -n ++Nickname for the certificate in the NSS DB. Required. ++ ++.TP ++.B --trust, -t ++Trust flags for the certificate. See \fBcertutil\fP for more information about the available trust flags. Required. ++ ++.TP ++.B --usage, -u ++Usage to validate the certificate against. See \fBcertutil\fP for more information about available usage flags. Required. ++ ++.SH AUTHORS ++Alexander Scheel . ++ ++.SH COPYRIGHT ++Copyright (c) 2019 Red Hat, Inc. This is licensed under the GNU General Public ++License, version 2 (GPLv2). A copy of this license is available at ++http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 8bfb0fb..f21f305 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -306,7 +306,7 @@ log.instance.SignedAudit._007=## $ pki-server kra-audit-event-enable/disable + * + *
    +- *
  • signed.audit LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN used at audit function shutdown ++ *
  • signed.audit AUDIT_LOG_SHUTDOWN used at audit function shutdown + *
+ */ + public synchronized void shutdown() { +diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties +index ddc278e..64548da 100644 +--- a/base/server/cmsbundle/src/audit-events.properties ++++ b/base/server/cmsbundle/src/audit-events.properties +@@ -8,1286 +8,1758 @@ + # + # Event: + # Description: ++# + # Applicable subsystems: + # Enabled by default: + # Fields: + # - : ++# + # + # Note: In the actual event definition there should be exactly 1 space + # after the # sign. + # + # Common fields: +-# - Outcome: must be "success" or "failure" +-# - SubjectID: must be the UID of the user responsible for the operation +-# "$System$" if system-initiated operation (e.g. log signing) ++# - Outcome: "Success" or "Failure" ++# - SubjectID: The UID of the user responsible for the operation ++# "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing). + # + ######################################################################### +-# Selectable Signed Audit Events ++# Required Audit Events ++# ++# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] ++# Description: This event is used when access session failed to establish. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. ++# - Outcome: Failure ++# - Info: Failure reason. ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure ++# ++# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] ++# Description: This event is used when access session was established successfully. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. ++# - Outcome: Success ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success ++# ++# Event: ACCESS_SESSION_TERMINATED ++# Description: This event is used when access session was terminated. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - ClientIP: Client IP address. ++# - ServerIP: Server IP address. ++# - SubjectID: Client certificate subject DN. ++# - Info: The TLS Alert received from NSS ++# - Outcome: Success ++# - Info: The TLS Alert received from NSS ++# ++LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated ++# ++# Event: AUDIT_LOG_SIGNING ++# Description: This event is used when a signature on the audit log is generated (same as "flush" time). ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: Predefined to be "$System$" because this operation ++# associates with no user. ++# - Outcome: Success ++# - sig: The base-64 encoded signature of the buffer just flushed. ++# ++LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} + # + # Event: AUDIT_LOG_STARTUP +-# - used at audit function startup ++# Description: This event is used at audit function startup. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: + # + LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup + # +-# Event: AUDIT_LOG_SHUTDOWN +-# - used at audit function shutdown ++# Event: AUTH with [Outcome=Failure] ++# Description: This event is used when authentication fails. ++# In case of SSL-client auth, only webserver env can pick up the SSL violation. ++# CS authMgr can pick up certificate mismatch, so this event is used. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: Failure ++# (obviously, if authentication failed, you won't have a valid SubjectID, so ++# in this case, SubjectID should be $Unidentified$) ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. ++# - AttemptedCred: The credential attempted and failed. + # +-LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown ++LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure + # +-# Event: CIMC_CERT_VERIFICATION +-# - used for verifying CIMC system certificates ++# Event: AUTH with [Outcome=Success] ++# Description: This event is used when authentication succeeded. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# - CertNickName is the cert nickname ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of user who has been authenticated ++# - Outcome: Success ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. + # +-LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification ++LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success + # +-# Event: ROLE_ASSUME +-# - used when user assumes a role (in current CS that's when one accesses a +-# role port) ++# Event: AUTHZ with [Outcome=Failure] ++# Description: This event is used when authorization has failed. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Role must be be one of the valid roles, by default: "Administrators", +-# "Certificate Manager Agents", and "Auditors" +-# note that customized role names can be used once configured ++# Fields: ++# - SubjectID: id of user who has failed to be authorized for an action ++# - Outcome: Failure ++# - aclResource: The ACL resource ID as defined in ACL resource list. ++# - Op: One of the operations as defined with the ACL statement ++# e.g. "read" for an ACL statement containing "(read,write)". ++# - Info: + # +-LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role ++LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure + # +-# Event: CONFIG_CERT_POLICY +-# - used when configuring certificate policy constraints and extensions +-# Applicable subsystems: CA +-# Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Event: AUTHZ with [Outcome=Success] ++# Description: This event is used when authorization is successful. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of user who has been authorized for an action ++# - Outcome: Success ++# - aclResource: The ACL resource ID as defined in ACL resource list. ++# - Op: One of the operations as defined with the ACL statement ++# e.g. "read" for an ACL statement containing "(read,write)". + # +-LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success + # +-# Event: CONFIG_CERT_PROFILE +-# - used when configuring certificate profile +-# (general settings and certificate profile) +-# (extensions and constraints policies are to be obsoleted but do it anyway) ++# Event: CERT_PROFILE_APPROVAL ++# Description: This event is used when an agent approves/disapproves a certificate profile set by the ++# administrator for automatic approval. + # Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: id of the CA agent who approved the certificate enrollment profile ++# - Outcome: ++# - ProfileID: One of the profiles defined by the administrator ++# and to be approved by an agent. ++# - Op: "approve" or "disapprove". + # +-LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval + # +-# Event: CONFIG_CRL_PROFILE +-# - used when configuring CRL profile +-# (extensions, frequency, CRL format) ++# Event: CERT_REQUEST_PROCESSED ++# Description: This event is used when certificate request has just been through the approval process. + # Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of the agent who approves, rejects, or cancels ++# the certificate request. ++# - Outcome: ++# - ReqID: The request ID. ++# - InfoName: "certificate" (in case of approval), "rejectReason" ++# (in case of reject), or "cancelReason" (in case of cancel) ++# - InfoValue: The certificate (in case of success), a reject reason in ++# text, or a cancel reason in text. ++# - CertSerialNum: + # +-LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed + # +-# Event: CONFIG_OCSP_PROFILE +-# - used when configuring OCSP profile +-# (everything under Online Certificate Status Manager) +-# Applicable subsystems: OCSP ++# Event: CERT_SIGNING_INFO ++# Description: This event indicates which key is used to sign certificates. ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: Success ++# - SKI: Subject Key Identifier of the certificate signing certificate ++# - AuthorityID: (applicable only to lightweight CA) + # +-LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info + # +-# Event: CONFIG_AUTH +-# - used when configuring authentication +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CERT_STATUS_CHANGE_REQUEST ++# Description: This event is used when a certificate status change request (e.g. revocation) ++# is made (before approval process). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- Password MUST NOT be logged --- ++# Fields: ++# - SubjectID: id of uer who performed the action ++# - Outcome: ++# - ReqID: The request ID. ++# - CertSerialNum: The serial number (in hex) of the certificate to be revoked. ++# - RequestType: "revoke", "on-hold", "off-hold" + # +-LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made + # +-# Event: CONFIG_ROLE +-# - used when configuring role information (anything under users/groups) +-# add/remove/edit a role, etc) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED ++# Description: This event is used when certificate status is changed (revoked, expired, on-hold, ++# off-hold). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of the agent that processed the request. ++# - Outcome: ++# - ReqID: The request ID. ++# - RequestType: "revoke", "on-hold", "off-hold" ++# - Approval: "complete", "rejected", or "canceled" ++# (note that "complete" means "approved") ++# - CertSerialNum: The serial number (in hex). ++# - RevokeReasonNum: One of the following number: ++# reason number reason ++# -------------------------------------- ++# 0 Unspecified ++# 1 Key compromised ++# 2 CA key compromised (should not be used) ++# 3 Affiliation changed ++# 4 Certificate superceded ++# 5 Cessation of operation ++# 6 Certificate is on-hold ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed + # +-# Event: CONFIG_ACL +-# - used when configuring ACL information ++# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] ++# Description: This event is when access session failed to establish when Certificate System acts as client. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Failure ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client + # +-# Event: CONFIG_SIGNED_AUDIT +-# - used when configuring signedAudit ++# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] ++# Description: This event is used when access session was established successfully when ++# Certificate System acts as client. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Success + # +-LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client + # +-# Event: CONFIG_ENCRYPTION +-# - used when configuring encryption (cert settings and SSL cipher preferences) ++# Event: CLIENT_ACCESS_SESSION_TERMINATED ++# Description: This event is used when access session was terminated when Certificate System acts as client. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - ClientHost: Client hostname. ++# - ServerHost: Server hostname. ++# - ServerPort: Server port. ++# - SubjectID: SYSTEM ++# - Outcome: Success ++# - Info: The TLS Alert received from NSS + # +-LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client + # +-# Event: CONFIG_TRUSTED_PUBLIC_KEY +-# - used when +-# 1. "Manage Certificate" is used to edit the trustness of certificates +-# and deletion of certificates +-# 2. "Certificate Setup Wizard" is used to import CA certificates into the +-# certificate database (Although CrossCertificatePairs are stored +-# within internaldb, audit them as well) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CMC_REQUEST_RECEIVED ++# Description: This event is used when a CMC request is received. ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# If CMC requests is signed by an agent, SubjectID should ++# be that of the agent. ++# In case of an unsigned request, it would bear $Unidentified$. ++# - Outcome: ++# - CMCRequest: Base64 encoding of the CMC request received + # +-LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration ++LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received + # +-# Event: CONFIG_DRM +-# - used when configuring DRM +-# (Key recovery scheme, change of any secret component) +-# Applicable subsystems: KRA ++# Event: CMC_RESPONSE_SENT ++# Description: This event is used when a CMC response is sent. ++# Applicable subsystems: CA + # Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# - Outcome: ++# - CMCResponse: Base64 encoding of the CMC response sent + # +-LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent + # +-# Event: SELFTESTS_EXECUTION +-# - used when self tests are run +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CMC_SIGNED_REQUEST_SIG_VERIFY ++# Description: This event is used when agent signed CMC certificate requests or revocation requests ++# are submitted and signature is verified. ++# Applicable subsystems: CA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: the user who signed the CMC request (success case) ++# - Outcome: ++# - ReqType: The request type (enrollment, or revocation). ++# - CertSubject: The certificate subject name of the certificate request. ++# - SignerInfo: A unique String representation for the signer. + # +-LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details) ++LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification + # +-# Event: AUDIT_LOG_DELETE +-# - used AFTER audit log gets expired (authz should not allow, +-# but in case authz gets compromised. Make sure it is written +-# AFTER the log expiration happens) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# LogFile must be the complete name (including the path) of the +-# signedAudit log that is attempted to be deleted ++# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY ++# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests ++# are submitted and signature is verified. ++# Applicable subsystems: CA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: the user who signed the CMC request (success case) ++# - Outcome: ++# - ReqType: The request type (enrollment, or revocation). ++# - CertSubject: The certificate subject name of the certificate request. ++# - CMCSignerInfo: A unique String representation for the CMC request signer. ++# - info: + # +-LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure ++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success + # +-# Event: LOG_PATH_CHANGE +-# - used when log file name (including any path changes) for any of +-# audit, system, transaction, or other customized log file +-# change is attempted (authz should not allow, but make sure it's +-# written after the attempt) ++# Event: CONFIG_ACL ++# Description: This event is used when configuring ACL information. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# LogType must be "System", "Transaction", or "SignedAudit" +-# toLogFile must be the name (including any path changes) that the user is +-# attempting to change to ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt ++LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change + # +-# Event: LOG_EXPIRATION_CHANGE +-# - used when log expiration time change is attempted (authz should not +-# allow, but make sure it's written after the attempt) ++# Event: CONFIG_AUTH ++# Description: This event is used when configuring authentication. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# LogType must be "System", "Transaction", or "SignedAudit" +-# ExpirationTime must be the amount of time (in seconds) that is +-# attempted to be changed to ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- Password MUST NOT be logged --- + # +-# -- feature disabled -- +-#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt ++LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change + # +-# Event: SERVER_SIDE_KEYGEN_REQUEST +-# - used when server-side key generation request is made +-# This is for tokenkeys +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CONFIG_CERT_PROFILE ++# Description: This event is used when configuring certificate profile ++# (general settings and certificate profile). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# EntityID must be the representation of the subject that will be on the certificate when issued ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request ++LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change + # +-# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED +-# - used when server-side key generation request has been processed. +-# This is for tokenkeys +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: CONFIG_CRL_PROFILE ++# Description: This event is used when configuring CRL profile ++# (extensions, frequency, CRL format). ++# Applicable subsystems: CA + # Enabled by default: Yes +-# EntityID must be the representation of the subject that will be on the certificate when issued +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be archived ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed ++LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change + # +-# Event: KEY_RECOVERY_REQUEST +-# - used when key recovery request is made +-# Applicable subsystems: CA, OCSP, TKS, TPS, TPS +-# Enabled by default: No +-# RecoveryID must be the recovery request ID +-# PubKey must be the base-64 encoded public key associated with +-# the private key to be recovered ++# Event: CONFIG_DRM ++# Description: This event is used when configuring KRA. ++# This includes key recovery scheme, change of any secret component. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- + # +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made ++LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change + # +-# Event: KEY_RECOVERY_AGENT_LOGIN +-# - used when DRM agents login as recovery agents to approve +-# key recovery requests +-# Applicable subsystems: KRA +-# Enabled by default: No +-# RecoveryID must be the recovery request ID +-# RecoveryAgent must be the recovery agent the DRM agent is +-# logging in with ++# Event: CONFIG_OCSP_PROFILE ++# Description: This event is used when configuring OCSP profile ++# (everything under Online Certificate Status Manager). ++# Applicable subsystems: OCSP ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login ++LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change + # +-# Event: KEY_GEN_ASYMMETRIC +-# - used when asymmetric keys are generated +-# (like when CA certificate requests are generated - +-# e.g. CA certificate change over, renewal with new key, etc.) ++# Event: CONFIG_ROLE ++# Description: This event is used when configuring role information. ++# This includes anything under users/groups, add/remove/edit a role, etc. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# PubKey must be the base-64 encoded public key material ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation ++LOGGING_SIGNED_AUDIT_CONFIG_ROLE=:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change + # +-# Event: CERT_SIGNING_INFO +-# Applicable subsystems: CA ++# Event: CONFIG_SERIAL_NUMBER ++# Description: This event is used when configuring serial number ranges ++# (when requesting a serial number range when cloning, for example). ++# Applicable subsystems: CA, KRA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info ++LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update + # +-# Event: OCSP_SIGNING_INFO +-# Applicable subsystems: CA, OCSP ++# Event: CONFIG_SIGNED_AUDIT ++# Description: This event is used when configuring signedAudit. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes ++# Fields: ++# - SubjectID: id of administrator who performed the action ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info ++LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change ++# ++# Event: CONFIG_TRUSTED_PUBLIC_KEY ++# Description: This event is used when: ++# 1. "Manage Certificate" is used to edit the trustness of certificates ++# and deletion of certificates ++# 2. "Certificate Setup Wizard" is used to import CA certificates into the ++# certificate database (Although CrossCertificatePairs are stored ++# within internaldb, audit them as well) ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ID of administrator who performed this configuration ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration + # + # Event: CRL_SIGNING_INFO ++# Description: This event indicates which key is used to sign CRLs. + # Applicable subsystems: CA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: ++# - SKI: Subject Key Identifier of the CRL signing certificate + # + LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info + # +-# Event: NON_PROFILE_CERT_REQUEST +-# - used when a non-profile certificate request is made (before approval process) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# SubjectID must be the UID of user that triggered this event +-# (if CMC enrollment requests signed by an agent, SubjectID should +-# be that of the agent), while +-# CertSubject must be the certificate subject name of the certificate request +-# ReqID must be the certificate request ID +-# ServiceID must be the identity of the servlet that submitted the original +-# request +-# +-LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles +-# +-# Event: CMC_REQUEST_RECEIVED +-# - used when a CMC request is received. ++# Event: DELTA_CRL_GENERATION ++# Description: This event is used when delta CRL generation is complete. + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event +-# (if CMC requests is signed by an agent, SubjectID should +-# be that of the agent) +-# In case of an unsigned request, it would bear $Unidentified$ ++# Fields: ++# - SubjectID: $Unidentified$ ++# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise. ++# - CRLnum: The CRL number that identifies the CRL ++# - Info: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received ++LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation + # +-# Event: CMC_RESPONSE_SENT +-# - used when a CMC response is sent ++# Event: FULL_CRL_GENERATION ++# Description: This event is used when full CRL generation is complete. + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise. ++# - CRLnum: The CRL number that identifies the CRL ++# - Info: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent ++LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation + # + # Event: PROFILE_CERT_REQUEST +-# - used when a profile certificate request is made (before approval process) ++# Description: This event is used when a profile certificate request is made (before approval process). + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of user that triggered this event +-# (if CMC enrollment requests signed by an agent, SubjectID should +-# be that of the agent), while +-# CertSubject must be the certificate subject name of the certificate request +-# ReqID must be the certificate request ID +-# ProfileID must be one of the certificate profiles defined by the +-# administrator ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# If CMC enrollment requests signed by an agent, SubjectID should ++# be that of the agent. ++# - Outcome: ++# - CertSubject: The certificate subject name of the certificate request. ++# - ReqID: The certificate request ID. ++# - ProfileID: One of the certificate profiles defined by the ++# administrator. + # + LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles + # +-# Event: CERT_REQUEST_PROCESSED +-# - used when certificate request has just been through the approval process ++# Event: PROOF_OF_POSSESSION ++# Description: This event is used for proof of possession during certificate enrollment processing. + # Applicable subsystems: CA + # Enabled by default: Yes +-# SubjectID must be the UID of the agent who approves, rejects, or cancels +-# the certificate request +-# ReqID must be the request ID +-# InfoName must be value "certificate" (in case of approval), "rejectReason" +-# (in case of reject), or "cancelReason" (in case of cancel) +-# InfoValue must contain the certificate (in case of success), a reject reason in +-# text, or a cancel reason in text ++# Fields: ++# - SubjectID: id that represents the authenticated user ++# - Outcome: ++# - Info: some information on when/how it occurred + # +-LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed ++LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession + # +-# Event: CERT_STATUS_CHANGE_REQUEST +-# - used when a certificate status change request (e.g. revocation) +-# is made (before approval process) +-# Applicable subsystems: CA ++# Event: OCSP_ADD_CA_REQUEST_PROCESSED ++# Description: This event is used when an add CA request to the OCSP Responder is processed. ++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# ReqID must be the request ID +-# CertSerialNum must be the serial number (in hex) of the certificate to be revoked +-# RequestType must be "revoke", "on-hold", "off-hold" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: "Success" when CA is added successfully, "Failure" otherwise. ++# - CASubjectDN: The subject DN of the leaf CA cert in the chain. + # +-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made ++LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder + # +-# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED +-# - used when certificate status is changed (revoked, expired, on-hold, +-# off-hold) +-# Applicable subsystems: CA ++# Event: OCSP_GENERATION ++# Description: This event is used when an OCSP response generated is complete. ++# Applicable subsystems: CA, OCSP + # Enabled by default: Yes +-# SubjectID must be the UID of the agent that processed the request +-# ReqID must be the request ID +-# RequestType must be "revoke", "on-hold", "off-hold" +-# Approval must be "complete", "rejected", or "canceled" +-# (note that "complete" means "approved") +-# CertSerialNum must be the serial number (in hex) +-# RevokeReasonNum must contain one of the following number: +-# reason number reason +-# -------------------------------------- +-# 0 Unspecified +-# 1 Key compromised +-# 2 CA key compromised (should not be used) +-# 3 Affiliation changed +-# 4 Certificate superceded +-# 5 Cessation of operation +-# 6 Certificate is on-hold ++# Fields: ++# - SubjectID: $NonRoleUser$ ++# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise. ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed ++LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation + # +-# Event: AUTHZ with [Outcome=Success] +-# - used when authorization is successful +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure] ++# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed. ++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# Outcome must be success for this event +-# aclResource must be the ACL resource ID as defined in ACL resource list +-# Op must be one of the operations as defined with the ACL statement +-# e.g. "read" for an ACL statement containing "(read,write)" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: Failure ++# - CASubjectDN: The subject DN of the leaf CA certificate in the chain. + # +-LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=:[AuditEvent=AUTHZ]{0} authorization success ++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed + # +-# Event: AUTHZ with [Outcome=Failure] +-# - used when authorization has failed +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success] ++# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully. ++# Applicable subsystems: OCSP + # Enabled by default: Yes +-# Outcome must be failure for this event +-# aclResource must be the ACL resource ID as defined in ACL resource list +-# Op must be one of the operations as defined with the ACL statement +-# e.g. "read" for an ACL statement containing "(read,write)" ++# Fields: ++# - SubjectID: OCSP administrator user id ++# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise. ++# - CASubjectDN: The subject DN of the leaf CA certificate in the chain. + # +-LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=:[AuditEvent=AUTHZ]{0} authorization failure ++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful + # +-# Event: INTER_BOUNDARY +-# - used when inter-CIMC_Boundary data transfer is successful +-# (this is used when data does not need to be captured) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: No +-# ProtectionMethod must be one of the following: "SSL", or "unknown" +-# ReqType must be the request type +-# ReqID must be the request ID ++# Event: OCSP_SIGNING_INFO ++# Description: This event indicates which key is used to sign OCSP responses. ++# Applicable subsystems: CA, OCSP ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: ++# - SKI: Subject Key Identifier of the OCSP signing certificate ++# - AuthorityID: (applicable only to lightweight CA) + # +-LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success ++LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info + # +-# Event: AUTH with [Outcome=Failure] +-# - used when authentication fails (in case of SSL-client auth, +-# only webserver env can pick up the SSL violation; +-# CS authMgr can pick up certificate mis-match, so this event is used) ++# Event: ROLE_ASSUME ++# Description: This event is used when a user assumes a role. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Outcome should always be "failure" in this event +-# (obviously, if authentication failed, you won't have a valid SubjectID, so +-# in this case, SubjectID should be $Unidentified$) +-# AuthMgr must be the authentication manager instance name that did +-# this authentication +-# AttemptedCred must be the credential attempted and failed ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Role: One of the valid roles: ++# "Administrators", "Certificate Manager Agents", or "Auditors". ++# Note that customized role names can be used once configured. + # +-LOGGING_SIGNED_AUDIT_AUTH_FAIL=:[AuditEvent=AUTH]{0} authentication failure ++LOGGING_SIGNED_AUDIT_ROLE_ASSUME=:[AuditEvent=ROLE_ASSUME]{0} assume privileged role + # +-# Event: AUTH with [Outcome=Success] +-# - used when authentication succeeded ++# Event: SECURITY_DOMAIN_UPDATE ++# Description: This event is used when updating contents of security domain ++# (add/remove a subsystem). ++# Applicable subsystems: CA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: CA administrator user ID ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# ++LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update ++# ++# Event: SELFTESTS_EXECUTION ++# Description: This event is used when self tests are run. + # Applicable subsystems: CA, KRA, OCSP, TKS, TPS + # Enabled by default: Yes +-# Outcome should always be "success" in this event +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - SubjectID: $System$ ++# - Outcome: + # +-LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authentication success ++LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details) ++######################################################################### ++# Available Audit Events - Enabled by default: Yes ++######################################################################### + # +-# Event: CERT_PROFILE_APPROVAL +-# - used when an agent approves/disapproves a certificate profile set by the +-# administrator for automatic approval +-# Applicable subsystems: CA ++# Event: ASYMKEY_GENERATION_REQUEST ++# Description: This event is used when asymmetric key generation request is made. ++# Applicable subsystems: KRA + # Enabled by default: Yes +-# ProfileID must be one of the profiles defined by the administrator +-# and to be approved by an agent +-# Op must be "approve" or "disapprove" ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: + # +-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval ++LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made + # +-# Event: PROOF_OF_POSSESSION +-# - used for proof of possession during certificate enrollment processing +-# Applicable subsystems: CA ++# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED ++# Description: This event is used when a request to generate asymmetric keys received by the KRA ++# is processed. ++# Applicable subsystems: KRA + # Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: ++# - KeyID: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession ++LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed + # +-# Event: CMC_PROOF_OF_IDENTIFICATION +-# - used for proof of identification during CMC request processing ++# Event: AUTHORITY_CONFIG ++# Description: This event is used when configuring lightweight authorities. + # Applicable subsystems: CA +-# Enabled by default: No +-# - In case of success, "SubjectID" is the actual identified identification; +-# - In case of failure, "SubjectID" is the attempted identification ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request ++LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change + # +-# Event: CMC_ID_POP_LINK_WITNESS +-# - used for identification and POP linking verification during CMC request processing +-# Applicable subsystems: CA +-# Enabled by default: No ++# Event: CONFIG_ENCRYPTION ++# Description: This event is used when configuring encryption (cert settings and SSL cipher preferences). ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification ++LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_AUTHENTICATOR ++# Description: This event is used when configuring token authenticators. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - OP: ++# - Authenticator: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_CONNECTOR ++# Description: This event is used when configuring token connectors. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Service: can be any of the methods offered ++# - Connector: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_MAPPING_RESOLVER ++# Description: This event is used when configuring token mapping resolver. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: TPS administrator id ++# - Outcome: ++# - Service: ++# - MappingResolverID: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_RECORD ++# Description: This event is used when information in token record changed. ++# Applicable subsystems: TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: TPS administrator id ++# - Outcome: ++# - OP: operation to add or delete token ++# - TokenID: smart card unique id ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: in general is used for capturing error info for failed cases ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change ++# ++# Event: KEY_GEN_ASYMMETRIC ++# Description: This event is used when asymmetric keys are generated ++# such as when CA certificate requests are generated, ++# e.g. CA certificate change over, renewal with new key. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - PubKey: The base-64 encoded public key material. ++# ++LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation ++# ++# Event: LOG_PATH_CHANGE ++# Description: This event is used when log file name (including any path changes) for any of ++# audit, system, transaction, or other customized log file change is attempted. ++# The ACL should not allow this operation, but make sure it's written after the attempt. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: administrator user id ++# - Outcome: ++# - LogType: "System", "Transaction", or "SignedAudit" ++# - toLogFile: The name (including any path changes) that the user is ++# attempting to change to. ++# ++LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt ++# ++# Event: RANDOM_GENERATION ++# Description: This event is used when a random number generation is complete. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: "Success" when a random number is generated successfully, "Failure" otherwise. ++# - Info: ++# - Caller: PKI code that calls the random number generator. ++# - Size: Size of random number in bytes. ++# - FailureReason: ++# ++LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation + # + # Event: SCHEDULE_CRL_GENERATION +-# - used when CRL generation is scheduled ++# Description: This event is used when CRL generation is scheduled. + # Applicable subsystems: CA +-# Enabled by default: No +-# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise. ++# - FailureReason: + # + LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation + # +-# Event: DELTA_CRL_GENERATION +-# - used when delta CRL generation is complete +-# Applicable subsystems: CA ++# Event: SECURITY_DATA_ARCHIVAL_REQUEST ++# Description: This event is used when security data recovery request is made. ++# Applicable subsystems: KRA + # Enabled by default: Yes +-# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ArchivalRequestID: The requestID provided by the CA through the connector. ++# It is used to track the request through from CA to KRA. ++# - RequestId: The KRA archival request ID. ++# - ClientKeyID: The user supplied client ID associated with ++# the security data to be archived. ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made + # +-# Event: DELTA_CRL_PUBLISHING +-# - used when delta CRL publishing is complete +-# Applicable subsystems: CA +-# Enabled by default: No +-# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise ++# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED ++# Description: This event is used when user security data archive request is processed. ++# This is when KRA receives and processed the request. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ArchivalRequestID: The requestID provided by the CA through the connector. ++# It is used to track the request through from CA to KRA. ++# - RequestId: The KRA archival request ID. ++# - ClientKeyID: The user supplied client ID associated with ++# the security data to be archived. ++# - KeyID: ++# - PubKey: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed + # +-# Event: FULL_CRL_GENERATION +-# - used when full CRL generation is complete +-# Applicable subsystems: CA ++# Event: SECURITY_DATA_RECOVERY_REQUEST ++# Description: This event is used when security data recovery request is made. ++# Applicable subsystems: KRA + # Enabled by default: Yes +-# Outcome is "success" when full CRL is generated successfully, "failure" otherwise ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - DataID: The ID of the security data being requested to be recovered. ++# - PubKey: + # +-LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made + # +-# Event: FULL_CRL_PUBLISHING +-# - used when full CRL publishing is complete +-# Applicable subsystems: CA +-# Enabled by default: No +-# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise ++# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED ++# Description: This event is used when security data recovery request is processed. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - KeyID: The ID of the security data being requested to be recovered. ++# - RecoveryAgents: The UIDs of the recovery agents approving this request. ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed + # +-# Event: CRL_RETRIEVAL +-# - used when CRLs are retrieved by the OCSP Responder +-# Applicable subsystems: OCSP +-# Enabled by default: No +-# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise +-# CRLnum is the CRL number that identifies the CRL ++# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE ++# Description: This event is used when KRA agents login as recovery agents to change ++# the state of key recovery requests. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - Operation: The operation performed (approve, reject, cancel etc.). + # +-LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval ++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change + # +-# Event: CRL_VALIDATION +-# - used when CRL is retrieved and validation process occurs +-# Applicable subsystems: OCSP +-# Enabled by default: No ++# Event: SERVER_SIDE_KEYGEN_REQUEST ++# Description: This event is used when server-side key generation request is made. ++# This is for token keys. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - EntityID: The representation of the subject that will be on the certificate when issued. ++# - RequestID: + # +-LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation ++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request + # +-# Event: OCSP_ADD_CA_REQUEST +-# - used when a CA is attempted to be added to the OCSP Responder +-# Applicable subsystems: OCSP +-# Enabled by default: No +-# Outcome is "success" as the request is made +-# CA must be the base-64 encoded PKCS7 certificate (or chain) ++# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED ++# Description: This event is used when server-side key generation request has been processed. ++# This is for token keys. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - EntityID: The representation of the subject that will be on the certificate when issued. ++# - RequestID: ++# - PubKey: The base-64 encoded public key associated with ++# the private key to be archived. + # +-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder ++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed + # +-# Event: OCSP_ADD_CA_REQUEST_PROCESSED +-# - used when an add CA request to the OCSP Responder is processed +-# Applicable subsystems: OCSP ++# Event: SYMKEY_GENERATION_REQUEST ++# Description: This event is used when symmetric key generation request is made. ++# Applicable subsystems: KRA + # Enabled by default: Yes +-# Outcome is "success" when CA is added successfully, "failure" otherwise +-# CASubjectDN is the subject DN of the leaf CA cert in the chain ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: The ID of the symmetric key to be generated and archived. + # +-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder ++LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made + # +-# Event: OCSP_REMOVE_CA_REQUEST +-# - used when a CA is attempted to be removed from the OCSP Responder +-# Applicable subsystems: OCSP +-# Enabled by default: No +-# Outcome is "success" as the request is made +-# CA must be the DN id of the CA +-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder ++# Event: SYMKEY_GENERATION_REQUEST_PROCESSED ++# Description: This event is used when symmetric key generation request is processed. ++# This is when KRA receives and processes the request. ++# Applicable subsystems: KRA ++# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - GenerationRequestID: ++# - ClientKeyID: The user supplied client ID associated with ++# the symmetric key to be generated and archived. ++# - KeyID: ++# - FailureReason: + # +-# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success] +-# - used when a remove CA request to the OCSP Responder is processed successfully +-# Applicable subsystems: OCSP ++LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed ++# ++# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure] ++# Description: This event is used when token apple upgrade failed. ++# Applicable subsystems: TPS + # Enabled by default: Yes +-# Outcome is "success" when CA is removed successfully, "failure" otherwise +-# CASubjectDN is the subject DN of the leaf CA cert in the chain ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - KeyVersion: ++# - oldAppletVersion: ++# - newAppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful ++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure + # +-# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure] +-# - used when a remove CA request to the OCSP Responder is processed and failed +-# Applicable subsystems: OCSP ++# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success] ++# Description: This event is used when token apple upgrade succeeded. ++# Applicable subsystems: TPS + # Enabled by default: Yes +-# Outcome is "failure" +-# CASubjectDN is DN ID of the CA ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - KeyVersion: ++# - oldAppletVersion: ++# - newAppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed ++LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success + # +-# Event: OCSP_GENERATION +-# - used when an OCSP response generated is complete +-# Applicable subsystems: CA, OCSP ++# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure] ++# Description: This event is used when token key changeover failed. ++# Applicable subsystems: TPS + # Enabled by default: Yes +-# Outcome is "success" when OCSP response is generated successfully, "failure" otherwise ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - oldKeyVersion: ++# - newKeyVersion: ++# - Info: Info in case of failure. + # +-LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure + # +-# Event: RANDOM_GENERATION +-# - used when a random number generation is complete +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success] ++# Description: This event is used when token key changeover succeeded. ++# Applicable subsystems: TPS + # Enabled by default: Yes +-# Info: +-# - Caller is PKI code that calls the random number generator +-# - Size is size of random number in bytes +-# Outcome is "success" when a random number is generated successfully, "failure" otherwise +-LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - oldKeyVersion: ++# - newKeyVersion: ++# - Info: Usually is unused for success. + # +-# Event: CMC_SIGNED_REQUEST_SIG_VERIFY +-# - used when agent signed CMC certificate requests or revocation requests +-# are submitted and signature is verified +-# Applicable subsystems: CA ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success ++# ++# Event: TOKEN_KEY_CHANGEOVER_REQUIRED ++# Description: This event is used when token key changeover is required. ++# Applicable subsystems: TPS + # Enabled by default: Yes +-# ReqType must be the request type (enrollment, or revocation) +-# CertSubject must be the certificate subject name of the certificate request +-# SignerInfo must be a unique String representation for the signer ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - oldKeyVersion: ++# - newKeyVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required ++######################################################################### ++# Available Audit Events - Enabled by default: No ++######################################################################### + # +-# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY +-# - used when CMC (user-signed or self-signed) certificate requests or revocation requests +-# are submitted and signature is verified ++# Event: AUDIT_LOG_DELETE ++# Description: This event is used AFTER audit log gets expired. ++# The ACL should not allow this operation, but it is provided in case ACL gets compromised. ++# Make sure it is written AFTER the log expiration happens. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - LogFile: The complete name (including the path) of the ++# signedAudit log that is attempted to be deleted. ++# ++LOGGING_SIGNED_AUDIT_LOG_DELETE_3=:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion ++# ++# Event: AUDIT_LOG_SHUTDOWN ++# Description: This event is used at audit function shutdown. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# ++LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown ++# ++# Event: CIMC_CERT_VERIFICATION ++# Description: This event is used for verifying CS system certificates. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - CertNickName: The certificate nickname. ++# ++LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CS certificate verification ++# ++# Event: CMC_ID_POP_LINK_WITNESS ++# Description: This event is used for identification and POP linking verification during CMC request processing. + # Applicable subsystems: CA +-# Enabled by default: Yes +-# ReqType must be the request type (enrollment, or revocation) +-# CertSubject must be the certificate subject name of the certificate request +-# CMCSignerInfo must be a unique String representation for the CMC request signer ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success +-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure ++LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification + # +-# Event: COMPUTE_RANDOM_DATA_REQUEST +-# - used for TPS to TKS to get random challenge data +-# Applicable subsystems: TKS, TPS ++# Event: CMC_PROOF_OF_IDENTIFICATION ++# Description: This event is used for proof of identification during CMC request processing. ++# Applicable subsystems: CA + # Enabled by default: No +-# AgentID must be the trusted agent id used to make the request ++# Fields: ++# - SubjectID: ++# In case of success, "SubjectID" is the actual identified identification. ++# In case of failure, "SubjectID" is the attempted identification. ++# - Outcome: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request ++LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request + # +-# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success] +-# - used for TPS to TKS to get random challenge data ++# Event: COMPUTE_RANDOM_DATA_REQUEST ++# Description: This event is used when the request for TPS to TKS to get random challenge data is received. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# Outcome is SUCCESS or FAILURE +-# Status is 0 for no error. +-# AgentID must be the trusted agent id used to make the request +-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully ++# Fields: ++# - Outcome: ++# - AgentID: The trusted agent ID used to make the request. ++# ++LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request + # + # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure] +-# - used for TPS to TKS to get random challenge data ++# Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# Outcome is SUCCESS or FAILURE +-# Status is 0 for no error. +-# Error gives the error message +-# AgentID must be the trusted agent id used to make the request ++# Fields: ++# - Outcome: Success or Failure. ++# - Status: 0 for no error. ++# - Error: The error message. ++# - AgentID: The trusted agent ID used to make the request. + # + LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed + # ++# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success] ++# Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully. ++# Applicable subsystems: TKS, TPS ++# Fields: ++# - Outcome: Success or Failure. ++# - Status: 0 for no error. ++# - AgentID: The trusted agent ID used to make the request. ++# ++LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully ++# + # Event: COMPUTE_SESSION_KEY_REQUEST +-# - used for TPS to TKS to get a sessoin key for secure channel setup ++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token establishing the secure channel +-# AgentID must be the trusted agent id used to make the request ++# Fields: ++# - Outcome: ++# - AgentID: The trusted agent ID used to make the request. + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the + ## CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that + ## encoded parameters are being logged. +-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel +-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel ++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel. ++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel. + # + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request + # ++# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure] ++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully. ++# Applicable subsystems: TKS, TPS ++# Enabled by default: No ++# Fields: ++# - Outcome: Failure ++# - status: Error code or 0 for no error. ++# - AgentID: The trusted agent ID used to make the request. ++# - IsCryptoValidate: tells if the card cryptogram is to be validated ++# - IsServerSideKeygen: tells if the keys are to be generated on server ++# - SelectedToken: The cryptographic token performing key operations. ++# - KeyNickName: The numeric keyset, e.g. #01#01. ++# - Error: The error message. ++# ++## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. ++## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - KeyInfo_KeyVersion: The key version number requested in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. ++# ++LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed ++# + # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success] +-# - request for TPS to TKS to get a sessoin key for secure channel processed ++# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token establishing the secure channel +-# AgentID must be the trusted agent id used to make the request +-# Outcome is SUCCESS or FAILURE +-# Status is 0 for no error. +-# IsCryptoValidate tells if the card cryptogram is to be validated +-# IsServerSideKeygen tells if the keys are to be generated on server +-# SelectedToken is the cryptographic token performing key operations +-# KeyNickName is the number keyset ex: #01#01 ++# Fields: ++# - AgentID: The trusted agent ID used to make the request. ++# - Outcome: Success ++# - status: 0 for no error. ++# - IsCryptoValidate: tells if the card cryptogram is to be validated ++# - IsServerSideKeygen: tells if the keys are to be generated on server ++# - SelectedToken: The cryptographic token performing key operations. ++# - KeyNickName: The number keyset, e.g. #01#01. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the + ## CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact + ## that decoded parameters are now logged. + ## Also added TKSKeyset, KeyInfo_KeyVersion, + ## NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# KeyInfo_KeyVersion is the key version number requested in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex. ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - KeyInfo_KeyVersion: The key version number requested in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. + # + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully + # +-# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure] +-# - request for TPS to TKS to get a sessoin key for secure channel processed +-# Applicable subsystems: TKS, TPS ++# Event: CONFIG_CERT_POLICY ++# Description: This event is used when configuring certificate policy constraints and extensions. ++# Applicable subsystems: CA + # Enabled by default: No +-# SubjectID must be the CUID of the token establishing the secure channel +-# Outcome is SUCCESS or FAILURE +-# Status is error code or 0 for no error. +-# AgentID must be the trusted agent id used to make the request +-# status is 0 for success, non-zero for various errors +-# IsCryptoValidate tells if the card cryptogram is to be validated +-# IsServerSideKeygen tells if the keys are to be generated on server +-# SelectedToken is the cryptographic token performing key operations +-# KeyNickName is the numeric keyset ex: #01#01 +-# Error gives the error message ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. + # +-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. +-## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# KeyInfo_KeyVersion is the key version number requested in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex ++LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change + # +-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed ++# Event: CONFIG_TOKEN_GENERAL ++# Description: This event is used when doing general TPS configuration. ++# Applicable subsystems: TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change ++# ++# Event: CONFIG_TOKEN_PROFILE ++# Description: This event is used when configuring token profile. ++# Applicable subsystems: TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - Service: can be any of the methods offered ++# - ProfileID: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. ++# ++LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change ++# ++# Event: CRL_RETRIEVAL ++# Description: This event is used when CRLs are retrieved by the OCSP Responder. ++# Applicable subsystems: OCSP ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise. ++# - CRLnum: The CRL number that identifies the CRL. ++# ++LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval ++# ++# Event: CRL_VALIDATION ++# Description: This event is used when CRL is retrieved and validation process occurs. ++# Applicable subsystems: OCSP ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# ++LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation ++# ++# Event: DELTA_CRL_PUBLISHING ++# Description: This event is used when delta CRL publishing is complete. ++# Applicable subsystems: CA ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: "Success" when delta CRL is publishing successfully, "Failure" otherwise. ++# - CRLnum: ++# - FailureReason: ++# ++LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing + # + # Event: DIVERSIFY_KEY_REQUEST +-# - request for TPS to TKS to do key change over ++# Description: This event is used when the request for TPS to TKS to do key changeover is received. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting key change over +-# AgentID must be the trusted agent id used to make the request +-# status is 0 for success, non-zero for various errors +-# oldMasterKeyName is the old master key name +-# newMasterKeyName is the new master key name ++# Fields: ++# - Outcome: ++# - AgentID: The trusted agent ID used to make the request. ++# - oldMasterKeyName: The old master key name. ++# - newMasterKeyName: The new master key name. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged. +-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel +-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel ++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel. ++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel. + # + LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request + # +-# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success] +-# - request for TPS to TKS to do key change over request processed ++# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure] ++# Description: This event is when the request for TPS to TKS to do key changeover is processed unsuccessfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting key change over +-# AgentID must be the trusted agent id used to make the request +-# Outcome is SUCCESS or FAILURE +-# status is 0 for success, non-zero for various errors +-# oldMasterKeyName is the old master key name +-# newMasterKeyName is the new master key name ++# Fields: ++# - AgentID: The trusted agent ID used to make the request. ++# - Outcome: Failure ++# - status: 0 for success, non-zero for various errors. ++# - oldMasterKeyName: The old master key name. ++# - newMasterKeyName: The new master key name. ++# - Error: The error message. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. + ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# OldKeyInfo_KeyVersion is the old key version number in hex. +-# NewKeyInfo_KeyVersion is the new key version number in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex. ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - OldKeyInfo_KeyVersion: The old key version number in hex. ++# - NewKeyInfo_KeyVersion: The new key version number in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. + # +-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully ++LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed + # +-# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure] +-# - request for TPS to TKS to do key change over request processed ++# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success] ++# Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting key change over +-# AgentID must be the trusted agent id used to make the request +-# Outcome is SUCCESS or FAILURE +-# status is 0 for success, non-zero for various errors +-# oldMasterKeyName is the old master key name +-# newMasterKeyName is the new master key name +-# Error gives the error message ++# Fields: ++# - AgentID: The trusted agent ID used to make the request. ++# - Outcome: Success ++# - status: 0 for success, non-zero for various errors. ++# - oldMasterKeyName: The old master key name. ++# - newMasterKeyName: The new master key name. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. + ## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# OldKeyInfo_KeyVersion is the old key version number in hex. +-# NewKeyInfo_KeyVersion is the new key version number in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - OldKeyInfo_KeyVersion: The old key version number in hex. ++# - NewKeyInfo_KeyVersion: The new key version number in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. + # +-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed ++LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully + # + # Event: ENCRYPT_DATA_REQUEST +-# - request from TPS to TKS to encrypt data +-# (or generate random data and encrypt) ++# Description: This event is used when the request from TPS to TKS to encrypt data ++# (or generate random data and encrypt) is received. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting encrypt data +-# AgentID must be the trusted agent id used to make the request +-# status is 0 for success, non-zero for various errors +-# isRandom tells if the data is randomly generated on TKS +-# +-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request ++# Fields: ++# - SubjectID: The CUID of the token requesting encrypt data. ++# - AgentID: The trusted agent ID used to make the request. ++# - status: 0 for success, non-zero for various errors. ++# - isRandom: tells if the data is randomly generated on TKS + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged. +-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel +-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel ++# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel. ++# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel. + # ++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request + LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request + # +-# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success] +-# - request from TPS to TKS to encrypt data +-# (or generate random data and encrypt) ++# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure] ++# Description: This event is used when the request from TPS to TKS to encrypt data ++# (or generate random data and encrypt) is processed unsuccessfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting encrypt data +-# AgentID must be the trusted agent id used to make the request +-# Outcome is SUCCESS or FAILURE +-# status is 0 for success, non-zero for various errors +-# isRandom tells if the data is randomly generated on TKS +-# SelectedToken is the cryptographic token performing key operations +-# KeyNickName is the numeric keyset ex: #01#01 ++# Fields: ++# - AgentID: The trusted agent ID used to make the request. ++# - Outcome: Failure ++# - status: 0 for success, non-zero for various errors. ++# - isRandom: tells if the data is randomly generated on TKS ++# - SelectedToken: The cryptographic token performing key operations. ++# - KeyNickName: The numeric keyset, e.g. #01#01. ++# - Error: The error message. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. + ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# KeyInfo_KeyVersion is the key version number requested in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex. ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - KeyInfo_KeyVersion: The key version number requested in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. + # +-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully ++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed + # +-# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure] +-# - request from TPS to TKS to encrypt data +-# (or generate random data and encrypt) ++# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success] ++# Description: This event is used when the request from TPS to TKS to encrypt data ++# (or generate random data and encrypt) is processed successfully. + # Applicable subsystems: TKS, TPS + # Enabled by default: No +-# SubjectID must be the CUID of the token requesting encrypt data +-# AgentID must be the trusted agent id used to make the request +-# Outocme is SUCCESS or FAILURE +-# status is 0 for success, non-zero for various errors +-# isRandom tells if the data is randomly generated on TKS +-# SelectedToken is the cryptographic token performing key operations +-# KeyNickName is the numeric keyset ex: #01#01 +-# Error gives the error message ++# Fields: ++# - AgentID: The trusted agent ID used to make the request. ++# - Outcome: Success ++# - status: 0 for success, non-zero for various errors. ++# - isRandom: tells if the data is randomly generated on TKS ++# - SelectedToken: The cryptographic token performing key operations. ++# - KeyNickName: The numeric keyset, e.g. #01#01. + # + ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged. + ## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd +-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel +-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel +-# TKSKeyset is the name of the TKS keyset being used for this request. +-# KeyInfo_KeyVersion is the key version number requested in hex. +-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex. +-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex. ++# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel. ++# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel. ++# - TKSKeyset: The name of the TKS keyset being used for this request. ++# - KeyInfo_KeyVersion: The key version number requested in hex. ++# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex. ++# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex. + # +-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed ++LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully + # +-# Event: SECURITY_DOMAIN_UPDATE +-# - used when updating contents of security domain +-# (add/remove a subsystem) ++# Event: FULL_CRL_PUBLISHING ++# Description: This event is used when full CRL publishing is complete. + # Applicable subsystems: CA +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise. ++# - CRLnum: ++# - FailureReason: + # +-LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update ++LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing + # +-# Event: CONFIG_SERIAL_NUMBER +-# - used when configuring serial number ranges +-# (when requesting a serial number range when cloning, for example) +-# Applicable subsystems: CA, KRA +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed ++# Event: INTER_BOUNDARY ++# Description: This event is used when inter-CS boundary data transfer is successful. ++# This is used when data does not need to be captured. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - ProtectionMethod: "SSL" or "unknown". ++# - ReqType: The request type. ++# - ReqID: The request ID. + # +-LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update ++LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CS boundary communication (data exchange) success + # +-# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED +-# - used when user security data archive request is processed +-# this is when DRM receives and processed the request ++# Event: KEY_RECOVERY_AGENT_LOGIN ++# Description: This event is used when KRA agents login as recovery agents to approve ++# key recovery requests. + # Applicable subsystems: KRA +-# Enabled by default: Yes +-# ArchivalRequestID is the requestID provided by the CA through the connector +-# It is used to track the request through from CA to KRA. +-# RequestId is the KRA archival request ID +-# ClientKeyID must be the user supplied client ID associated with +-# the security data to be archived ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - RecoveryAgent: The recovery agent the KRA agent is ++# logging in with. + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed ++LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login + # +-# Event: SECURITY_DATA_ARCHIVAL_REQUEST +-# - used when security data recovery request is made +-# Applicable subsystems: CA, KRA +-# Enabled by default: Yes +-# ArchivalRequestID is the requestID provided by the CA through the connector +-# It is used to track the request through from CA to KRA. +-# RequestId is the KRA archival request ID +-# ClientKeyID must be the user supplied client ID associated with +-# the security data to be archived ++# Event: KEY_RECOVERY_REQUEST ++# Description: This event is used when key recovery request is made. ++# Applicable subsystems: CA, OCSP, TKS, TPS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - PubKey: The base-64 encoded public key associated with ++# the private key to be recovered. + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made ++LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made + # +-# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED +-# - used when security data recovery request is processed ++# Event: KEY_STATUS_CHANGE ++# Description: This event is used when modify key status is executed. + # Applicable subsystems: KRA +-# Enabled by default: Yes +-# RecoveryID must be the recovery request ID +-# KeyID is the ID of the security data being requested to be recovered +-# RecoveryAgents are the UIDs of the recovery agents approving this request ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - KeyID: An existing key ID in the database. ++# - OldStatus: The old status to change from. ++# - NewStatus: The new status to change to. ++# - Info: + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed ++LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change + # +-# Event: SECURITY_DATA_RECOVERY_REQUEST +-# - used when security data recovery request is made +-# Applicable subsystems: KRA +-# Enabled by default: Yes +-# RecoveryID must be the recovery request ID +-# DataID is the ID of the security data to be recovered ++# Event: LOG_EXPIRATION_CHANGE (disabled) ++# Description: This event is used when log expiration time change is attempted. ++# The ACL should not allow this operation, but make sure it's written after the attempt. ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - LogType: "System", "Transaction", or "SignedAudit". ++# - ExpirationTime: The amount of time (in seconds) that is ++# attempted to be changed to. + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made ++#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt + # +-# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE +-# - used when DRM agents login as recovery agents to change +-# the state of key recovery requests +-# Applicable subsystems: KRA +-# Enabled by default: Yes +-# RecoveryID must be the recovery request ID +-# Operation is the operation performed (approve, reject, cancel etc.) ++# Event: NON_PROFILE_CERT_REQUEST ++# Description: This event is used when a non-profile certificate request is made (before approval process). ++# Applicable subsystems: CA, KRA, OCSP, TKS, TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: The UID of user that triggered this event. ++# If CMC enrollment requests signed by an agent, SubjectID should ++# be that of the agent. ++# - Outcome: ++# - CertSubject: The certificate subject name of the certificate request. ++# - ReqID: The certificate request ID. ++# - ServiceID: The identity of the servlet that submitted the original ++# request. + # +-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change ++LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles ++# ++# Event: OCSP_ADD_CA_REQUEST ++# Description: This event is used when a CA is attempted to be added to the OCSP Responder. ++# Applicable subsystems: OCSP ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - CA: The base-64 encoded PKCS7 certificate (or chain). ++# ++LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder ++# ++# Event: OCSP_REMOVE_CA_REQUEST ++# Description: This event is used when a CA is attempted to be removed from the OCSP Responder. ++# Applicable subsystems: OCSP ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - CASubjectDN: The DN ID of the CA. ++# ++LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder + # + # Event: SECURITY_DATA_EXPORT_KEY +-# - used when user attempts to retrieve key after the recovery request ++# Description: This event is used when user attempts to retrieve key after the recovery request + # has been approved. + # Applicable subsystems: KRA + # Enabled by default: No +-# RecoveryID must be the recovery request ID +-# KeyID is the key being retrieved +-# Info is the failure reason if the export fails. +-# PubKey is the public key for the private key being retrieved ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - RecoveryID: The recovery request ID. ++# - KeyID: The key being retrieved. ++# - Info: The failure reason if the export fails. ++# - PubKey: The public key for the private key being retrieved. + # + LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request + # + # Event: SECURITY_DATA_INFO +-# - used when user attempts to get metadata information about a key ++# Description: This event is used when user attempts to get metadata information about a key. + # Applicable subsystems: KRA + # Enabled by default: No +-# RecoveryID must be the recovery request ID +-# KeyID is the key being retrieved +-# Info is the failure reason if the export fails. +-# PubKey is the public key for the private key being retrieved ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - KeyID: The key being retrieved. ++# - ClientKeyId: ++# - Info: The failure reason if the export fails. ++# - PubKey: The public key for the private key being retrieved. + # + LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request + # +-# Event: KEY_STATUS_CHANGE +-# - used when modify key status is executed +-# Applicable subsystems: KRA ++# Event: TOKEN_AUTH with [Outcome=Failure] ++# Description: This event is used when authentication failed. ++# Applicable subsystems: TPS + # Enabled by default: No +-# keyID must be an existing key id in the database +-# oldStatus is the old status to change from +-# newStatus is the new status to change to +-# +-LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change +-# +-# Event: SYMKEY_GENERATION_REQUEST_PROCESSED +-# - used when symmetric key generation request is processed +-# this is when DRM receives and processes the request +-# Applicable subsystems: KRA +-# Enabled by default: Yes +-# Client ID must be the user supplied client ID associated with +-# the symmetric key to be generated and archived +-# +-LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed +-# +-# Event: SYMKEY_GENERATION_REQUEST +-# - used when symmetric key generation request is made +-# Applicable subsystems: KRA +-# Enabled by default: Yes +-# ClientKeyID is the ID of the symmetirc key to be generated and archived +-# +-LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made +-# +-# Event: ASYMKEY_GENERATION_REQUEST +-# - used when asymmetric key generation request is made +-# Applicable subsystems: KRA +-# Enabled by default: Yes ++# Fields: ++# - SubjectID: ++# - Outcome: Failure ++# (obviously, if authentication failed, you won't have a valid SubjectID, so ++# in this case, AttemptedID is recorded) ++# - IP: ++# - CUID: ++# - MSN: ++# - OP: ++# - tokenType: ++# - AppletVersion: ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. + # +-LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made ++LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure + # +-# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED +-# - used when a request to generate asymmetric keys received by the DRM +-# is processed. +-# Applicable subsystems: KRA +-# Enabled by default: Yes ++# Event: TOKEN_AUTH with [Outcome=Success] ++# Description: This event is used when authentication succeeded. ++# Applicable subsystems: TPS ++# Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: Success ++# - IP: ++# - CUID: ++# - MSN: ++# - OP: ++# - tokenType: ++# - AppletVersion: ++# - AuthMgr: The authentication manager instance name that did ++# this authentication. + # +-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed ++LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success + # + # Event: TOKEN_CERT_ENROLLMENT +-# - used for TPS when token certificate enrollment request is made ++# Description: This event is used for TPS when token certificate enrollment request is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# - Info is normally used to store more info in case of failure ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - tokenType: ++# - KeyVersion: ++# - Serial: ++# - CA_ID: ++# - Info: Info in case of failure. + # + LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made + # + # Event: TOKEN_CERT_RENEWAL +-# - used for TPS when token certificate renewal request is made ++# Description: This event is used for TPS when token certificate renewal request is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# - Info is normally used to store more info in case of failure ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - tokenType: ++# - KeyVersion: ++# - Serial: ++# - CA_ID: ++# - Info: Info in case of failure. + # + LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made + # + # Event: TOKEN_CERT_RETRIEVAL +-# - used for TPS when token certificate retrieval request is made; +-# usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY ++# Description: This event is used for TPS when token certificate retrieval request is made; ++# usually used during recovery, along with TOKEN_KEY_RECOVERY. + # Applicable subsystems: TPS + # Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - tokenType: ++# - KeyVersion: ++# - Serial: ++# - CA_ID: ++# - Info: + # + LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made + # +-# Event: TOKEN_KEY_RECOVERY +-# - used for TPS when token certificate key recovery request is made +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made +-# + # Event: TOKEN_CERT_STATUS_CHANGE_REQUEST +-# - used when a token certificate status change request (e.g. revocation) is made ++# Description: This event is used when a token certificate status change request (e.g. revocation) is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# CUID must be the last token that the certificate was associated with +-# CertSerialNum must be the serial number (in decimal) of the certificate to be revoked +-# RequestType must be "revoke", "on-hold", "off-hold" ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: The last token that the certificate was associated with. ++# - tokenType: ++# - CertSerialNum: The serial number (in decimal) of the certificate to be revoked. ++# - RequestType: "revoke", "on-hold", "off-hold". ++# - RevokeReasonNum: ++# - CA_ID: ++# - Info: + # + LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made + # +-# Event: TOKEN_PIN_RESET with [Outcome=Success] +-# - used when token pin reset request succeeded +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success +-# +-# Event: TOKEN_PIN_RESET with [Outcome=Failure] +-# - used when token pin reset request failed +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure +-# +-# Event: TOKEN_OP_REQUEST +-# - used when token processor op request is made ++# Event: TOKEN_FORMAT with [Outcome=Failure] ++# Description: This event is used when token format operation failed. + # Applicable subsystems: TPS + # Enabled by default: No +-# - OP can be "format", "enroll", or "pinReset" ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made ++LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure + # + # Event: TOKEN_FORMAT with [Outcome=Success] +-# - used when token format op succeeded ++# Description: This event is used when token format operation succeeded. + # Applicable subsystems: TPS + # Enabled by default: No ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - MSN: ++# - tokenType: ++# - AppletVersion: ++# - KeyVersion: + # + LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=:[AuditEvent=TOKEN_FORMAT]{0} token op format success + # +-# Event: TOKEN_FORMAT with [Outcome=Failure] +-# - used when token format op failed +-# Applicable subsystems: TPS +-# Enabled by default: No +-# +-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=:[AuditEvent=TOKEN_FORMAT]{0} token op format failure +-# +-# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success] +-# - used when token apple upgrade succeeded +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success +-# +-# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure] +-# - used when token apple upgrade failed +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure +-# +-# Event: TOKEN_KEY_CHANGEOVER_REQUIRED +-# - used when token key changeover is required +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required +-# +-# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success] +-# - used when token key changeover succeeded +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# - Info usually is unused for success +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success +-# +-# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure] +-# - used when token key changeover failed +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# - Info is used for storing more info in case of failure +-# +-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure +-# +-# Event: TOKEN_AUTH with [Outcome=Failure] +-# - used when authentication failed ++# Event: TOKEN_KEY_RECOVERY ++# Description: This event is used for TPS when token certificate key recovery request is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# Outcome should always be "failure" in this event +-# (obviously, if authentication failed, you won't have a valid SubjectID, so +-# in this case, AttemptedID is recorded) +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - IP: ++# - CUID: ++# - tokenType: ++# - KeyVersion: ++# - Serial: ++# - CA_ID: ++# - KRA_ID: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=:[AuditEvent=TOKEN_AUTH]{0} token authentication failure ++LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made + # +-# Event: TOKEN_AUTH with [Outcome=Success] +-# - used when authentication succeeded ++# Event: TOKEN_OP_REQUEST ++# Description: This event is used when token processor operation request is made. + # Applicable subsystems: TPS + # Enabled by default: No +-# Outcome should always be "success" in this event +-# AuthMgr must be the authentication manager instance name that did +-# this authentication ++# Fields: ++# - IP: ++# - CUID: ++# - MSN: ++# - Outcome: ++# - OP: "format", "enroll", or "pinReset" ++# - AppletVersion: + # +-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=:[AuditEvent=TOKEN_AUTH]{0} token authentication success ++LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made + # +-# Event: CONFIG_TOKEN_GENERAL +-# - used when doing general TPS configuration ++# Event: TOKEN_PIN_RESET with [Outcome=Failure] ++# Description: This event is used when token pin reset request failed. + # Applicable subsystems: TPS + # Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - IP: ++# - SubjectID: ++# - CUID: ++# - Outcome: ++# - tokenType: ++# - AppletVersion: ++# - Info: + # +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure + # +-# Event: CONFIG_TOKEN_PROFILE +-# - used when configuring token profile ++# Event: TOKEN_PIN_RESET with [Outcome=Success] ++# Description: This event is used when token pin reset request succeeded. + # Applicable subsystems: TPS + # Enabled by default: No +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_MAPPING_RESOLVER +-# - used when configuring token mapping resolver +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_AUTHENTICATOR +-# - used when configuring token authenticators +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_CONNECTOR +-# - used when configuring token connectors +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# Service can be any of the methods offered +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases +-# +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change +-# +-# Event: CONFIG_TOKEN_RECORD +-# - used when information in token record changed +-# Applicable subsystems: TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - IP: ++# - SubjectID: ++# - CUID: ++# - Outcome: ++# - tokenType: ++# - AppletVersion: ++# - KeyVersion: + # +-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change ++LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success + # + # Event: TOKEN_STATE_CHANGE +-# - used when token state changed ++# Description: This event is used when token state changed. + # Applicable subsystems: TPS + # Enabled by default: No +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# --- secret component (password) MUST NOT be logged --- +-# - info in general is used for caturing error info for failed cases ++# Fields: ++# - SubjectID: ++# - Outcome: ++# - oldState: ++# - oldReason: ++# - newState: ++# - newReason: ++# - ParamNameValPairs: A name-value pair ++# (where name and value are separated by the delimiter ;;) ++# separated by + (if more than one name-value pair) of config params changed. ++# --- secret component (password) MUST NOT be logged --- ++# - Info: Error info for failed cases. + # + LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed +-# +-# Event: AUTHORITY_CONFIG +-# - used when configuring lightweight authorities +-# Applicable subsystems: CA +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change +-# +-# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] +-# - used when access session failed to establish +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ +-:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure +-# +-# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] +-# - used when access session was established successfully +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ +-:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success +-# +-# Event: ACCESS_SESSION_TERMINATED +-# - used when access session was terminated +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# ParamNameValPairs must be a name;;value pair +-# (where name and value are separated by the delimiter ;;) +-# separated by + (if more than one name;;value pair) of config params changed +-# +-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ +-:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated +-# +-# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] +-# access session failed to establish when Certificate System acts as client +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ +-:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client +-# +-# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] +-# - used when access session was established successfully when +-# Certificate System acts as client +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ +-:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client +-# +-# Event: CLIENT_ACCESS_SESSION_TERMINATED +-# - used when access session was terminated when Certificate System acts as client +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# +-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ +-:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client +-# +-######################################################################### +-# Unselectable Signed Audit Events +-# +-# Event: AUDIT_LOG_SIGNING +-# - used when a signature on the audit log is generated (same as "flush" time) +-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS +-# Enabled by default: Yes +-# SubjectID is predefined to be "$System$" because this operation +-# associates with no user +-# sig must be the base-64 encoded signature of the buffer just flushed +-# +-LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index 2face58..9227c27 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -214,7 +214,7 @@ log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 98d5e29..c289245 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -29,7 +29,6 @@ import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; + import java.math.BigInteger; +-import java.security.cert.X509Certificate; + import java.security.MessageDigest; + import java.security.PublicKey; + import java.security.cert.X509Certificate; +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index 97971dd..b3136a0 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -28,7 +28,6 @@ package com.netscape.cms.authentication; + import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; + import java.io.IOException; +-import java.security.cert.X509Certificate; + import java.math.BigInteger; + import java.security.MessageDigest; + import java.security.PublicKey; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 7398891..cc65c78 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -54,34 +54,6 @@ import javax.ws.rs.core.MultivaluedMap; + import javax.ws.rs.core.Response; + import javax.xml.parsers.ParserConfigurationException; + +-import netscape.ldap.LDAPAttribute; +-import netscape.ldap.LDAPAttributeSet; +-import netscape.ldap.LDAPConnection; +-import netscape.ldap.LDAPDN; +-import netscape.ldap.LDAPEntry; +-import netscape.ldap.LDAPException; +-import netscape.ldap.LDAPModification; +-import netscape.ldap.LDAPSearchConstraints; +-import netscape.ldap.LDAPSearchResults; +-import netscape.ldap.LDAPv3; +-import netscape.security.pkcs.ContentInfo; +-import netscape.security.pkcs.PKCS10; +-import netscape.security.pkcs.PKCS12; +-import netscape.security.pkcs.PKCS12Util; +-import netscape.security.pkcs.PKCS7; +-import netscape.security.pkcs.SignerInfo; +-import netscape.security.util.DerOutputStream; +-import netscape.security.util.ObjectIdentifier; +-import netscape.security.x509.AlgorithmId; +-import netscape.security.x509.BasicConstraintsExtension; +-import netscape.security.x509.CertificateChain; +-import netscape.security.x509.Extension; +-import netscape.security.x509.Extensions; +-import netscape.security.x509.KeyUsageExtension; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509Key; +- + import org.apache.commons.lang.StringUtils; + import org.apache.velocity.context.Context; + import org.mozilla.jss.CryptoManager; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java +index 338e26b..1cb8a4c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java +@@ -138,7 +138,7 @@ public class GetStatus extends CMSServlet { + try { + inputStream = new FileInputStream(versionFilePathName); + String contents = IOUtils.toString(inputStream); +- ++ + if(contents != null) { + CMS.debug("Returning product version: " + version); + version = contents.trim(); +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 0ae0764..515136b 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -399,11 +399,6 @@ pki_master_crl_enable=True + # based on the CMS hostname and port. + pki_default_ocsp_uri= + +-# Default OCSP URI added by AuthInfoAccessExtDefault if the profile +-# config is blank. If both are blank, the value is constructed +-# based on the CMS hostname and port. +-pki_default_ocsp_uri= +- + # Paths + # These are used in the processing of pkispawn and are not supposed + # to be overwritten by user configuration files. +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index e0989a9..45af9a0 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -202,20 +202,21 @@ class PKISubsystem(object): + def load(self): + self.config.clear() + +- lines = open(self.cs_conf).read().splitlines() +- +- for index, line in enumerate(lines): +- if not line or line.startswith('#'): +- continue +- parts = line.split('=', 1) +- if len(parts) < 2: +- raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1)) +- name = parts[0] +- value = parts[1] +- self.config[name] = value +- +- self.type = self.config['cs.type'] +- self.prefix = self.type.lower() ++ if os.path.exists(self.cs_conf): ++ lines = open(self.cs_conf).read().splitlines() ++ ++ for index, line in enumerate(lines): ++ if not line or line.startswith('#'): ++ continue ++ parts = line.split('=', 1) ++ if len(parts) < 2: ++ raise Exception('Missing delimiter in %s line %d' % (self.cs_conf, index + 1)) ++ name = parts[0] ++ value = parts[1] ++ self.config[name] = value ++ ++ self.type = self.config['cs.type'] ++ self.prefix = self.type.lower() + + def find_system_certs(self): + certs = [] +diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py +index 9e1cab5..cb71db9 100644 +--- a/base/server/python/pki/server/deployment/pkiconfig.py ++++ b/base/server/python/pki/server/deployment/pkiconfig.py +@@ -39,9 +39,7 @@ PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin" + PKI_DEPLOYMENT_DEFAULT_UID = 17 + PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" + +-PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "RA", "TKS", "TPS"] +-PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] +-PKI_TOMCAT_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] ++PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] + PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", + "lib", "logs", "ocsp", "temp", "tks", "tps", + "webapps", "work"] +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 77594ec..9b9e1b8 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -914,7 +914,7 @@ class Instance: + # Return list of PKI subsystems in the specified tomcat instance + rv = [] + try: +- for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: ++ for subsystem in config.PKI_SUBSYSTEMS: + path = os.path.join( + self.mdict['pki_instance_path'], + subsystem.lower() +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index 4515b55..b35e82c 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -155,7 +155,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.security_domain.deregister(None) + + except Exception as e: # pylint: disable=broad-except +- config.pki_log.error(str(e)) ++ config.pki_log.error(log.PKI_OSERROR_1, e, ++ extra=config.PKI_INDENTATION_LEVEL_0) + # If it is a normal destroy, pass any exception + if not deployer.mdict['pki_force_destroy']: + raise +diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +index fb9f754..32b716a 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +@@ -42,10 +42,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.create(deployer.mdict['pki_subsystem_log_path']) + deployer.directory.create( + deployer.mdict['pki_subsystem_archive_log_path']) +- if deployer.mdict['pki_subsystem'] in \ +- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: +- deployer.directory.create( +- deployer.mdict['pki_subsystem_signed_audit_log_path']) ++ ++ deployer.directory.create( ++ deployer.mdict['pki_subsystem_signed_audit_log_path']) + + # create /var/lib/pki///conf + deployer.directory.create( +@@ -127,10 +126,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + # remove instance-based subsystem logs only if --remove-logs flag is specified + if deployer.mdict['pki_remove_logs']: +- if deployer.mdict['pki_subsystem'] in \ +- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: +- deployer.directory.delete( +- deployer.mdict['pki_subsystem_signed_audit_log_path']) ++ deployer.directory.delete( ++ deployer.mdict['pki_subsystem_signed_audit_log_path']) + deployer.directory.delete( + deployer.mdict['pki_subsystem_archive_log_path']) + deployer.directory.delete( +diff --git a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress +deleted file mode 100755 +index b7d5c0e..0000000 +--- a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress ++++ /dev/null +@@ -1,62 +0,0 @@ +-#!/usr/bin/python +-# Authors: +-# Endi S. Dewata +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; version 2 of the License. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License along +-# with this program; if not, write to the Free Software Foundation, Inc., +-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-# +-# Copyright (C) 2017 Red Hat, Inc. +-# All rights reserved. +-# +- +-from __future__ import absolute_import +-import os +-from lxml import etree +- +-import pki +- +- +-class UpdateAJPLoopbackAddress( +- pki.server.upgrade.PKIServerUpgradeScriptlet): +- +- def __init__(self): +- super(UpdateAJPLoopbackAddress, self).__init__() +- self.message = 'Update AJP loopback address' +- +- self.parser = etree.XMLParser(remove_blank_text=True) +- +- def upgrade_instance(self, instance): +- +- server_xml = os.path.join(instance.conf_dir, 'server.xml') +- self.backup(server_xml) +- +- document = etree.parse(server_xml, self.parser) +- +- server = document.getroot() +- connectors = server.findall('.//Connector') +- +- # replace IPv4- or IPv6-specific AJP loopback address with localhost +- for connector in connectors: +- +- protocol = connector.get('protocol') +- if protocol != 'AJP/1.3': +- continue +- +- address = connector.get('address') +- if address != '127.0.0.1' and address != '::1': +- continue +- +- connector.set('address', 'localhost') +- +- with open(server_xml, 'wb') as f: +- document.write(f, pretty_print=True, encoding='utf-8') diff --git a/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch new file mode 100644 index 0000000..9fbf423 --- /dev/null +++ b/SOURCES/pki-core-Audit-Event-Names-Upgrade-Scripts.patch @@ -0,0 +1,13020 @@ +From f06a4c36834fae773da8ed429d0a91fbcda8d6aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 31 Oct 2018 21:56:14 +0100 +Subject: [PATCH 01/26] Updated upgrade framework + +The upgrade framework has been updated to match PKI 10.6 +which no longer requires an upgrade folder for each +upgradable version. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit b4e5de9d618b57868be8b8d9a49d574ea58a7d40) +--- + base/common/python/pki/upgrade.py | 118 +++++++-------------- + base/common/python/pki/util.py | 86 ++++++++++++++- + base/common/sbin/pki-upgrade | 3 +- + .../python/pki/server/deployment/pkiparser.py | 4 +- + base/server/python/pki/server/upgrade.py | 10 ++ + base/server/sbin/pki-server-upgrade | 19 +++- + 6 files changed, 152 insertions(+), 88 deletions(-) + +diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py +index 3106c70..c2d217f 100644 +--- a/base/common/python/pki/upgrade.py ++++ b/base/common/python/pki/upgrade.py +@@ -22,8 +22,8 @@ + from __future__ import absolute_import + from __future__ import print_function + import functools ++import logging + import os +-import re + import shutil + import traceback + +@@ -36,70 +36,9 @@ DEFAULT_VERSION = '10.0.0' + UPGRADE_DIR = pki.SHARE_DIR + '/upgrade' + BACKUP_DIR = pki.LOG_DIR + '/upgrade' + SYSTEM_TRACKER = pki.CONF_DIR + '/pki.version' +-verbose = False +- +- +-@functools.total_ordering +-class Version(object): +- +- def __init__(self, obj): +- +- if isinstance(obj, str): +- +- # parse - +- pos = obj.find('-') +- +- if pos > 0: +- self.version = obj[0:pos] +- elif pos < 0: +- self.version = obj +- else: +- raise Exception('Invalid version number: ' + obj) +- +- # parse .. +- match = re.match(r'^(\d+)\.(\d+)\.(\d+)$', self.version) +- +- if match is None: +- raise Exception('Invalid version number: ' + self.version) +- +- self.major = int(match.group(1)) +- self.minor = int(match.group(2)) +- self.patch = int(match.group(3)) +- +- elif isinstance(obj, Version): +- +- self.major = obj.major +- self.minor = obj.minor +- self.patch = obj.patch +- +- else: +- raise Exception('Unsupported version type: ' + str(type(obj))) +- +- # release is ignored in comparisons +- def __eq__(self, other): +- return (self.major == other.major and +- self.minor == other.minor and +- self.patch == other.patch) +- +- def __lt__(self, other): +- if self.major < other.major: +- return True + +- if self.major == other.major and self.minor < other.minor: +- return True +- +- if (self.major == other.major and +- self.minor == other.minor and +- self.patch < other.patch): +- return True +- +- return False +- +- # not hashable +- __hash__ = None +- +- def __repr__(self): +- return self.version ++logger = logging.getLogger(__name__) ++verbose = False + + + class PKIUpgradeTracker(object): +@@ -203,9 +142,9 @@ class PKIUpgradeTracker(object): + + version = self.properties.get(self.version_key) + if version: +- return Version(version) ++ return pki.util.Version(version) + +- return Version(DEFAULT_VERSION) ++ return pki.util.Version(DEFAULT_VERSION) + + def set_version(self, version): + +@@ -479,7 +418,7 @@ class PKIUpgrader(object): + + if os.path.exists(self.upgrade_dir): + for version in os.listdir(self.upgrade_dir): +- version = Version(version) ++ version = pki.util.Version(version) + all_versions.append(version) + + all_versions.sort() +@@ -489,25 +428,46 @@ class PKIUpgrader(object): + def versions(self): + + current_version = self.get_current_version() ++ logger.debug('Current version: %s', current_version) ++ + target_version = self.get_target_version() ++ logger.debug('Target version: %s', target_version) + +- current_versions = [] ++ upgrade_path = [] + + for version in self.all_versions(): + +- # skip old versions +- if version >= current_version: +- current_versions.append(version) ++ # skip older versions ++ if version < current_version: ++ continue ++ ++ # skip newer versions ++ if version > target_version: ++ continue ++ ++ upgrade_path.append(version) + +- current_versions.sort() ++ upgrade_path.sort() ++ ++ # start from current version ++ if not upgrade_path or upgrade_path[0] != current_version: ++ upgrade_path.insert(0, current_version) ++ ++ # stop at target version ++ if not upgrade_path or upgrade_path[-1] != target_version: ++ upgrade_path.append(target_version) ++ ++ logger.debug('Upgrade path:') ++ for version in upgrade_path: ++ logger.debug(' - %s', version) + + versions = [] + +- for index, version in enumerate(current_versions): ++ for index, version in enumerate(upgrade_path): + + # link versions +- if index < len(current_versions) - 1: +- version.next = current_versions[index + 1] ++ if index < len(upgrade_path) - 1: ++ version.next = upgrade_path[index + 1] + else: + version.next = target_version + +@@ -587,7 +547,7 @@ class PKIUpgrader(object): + return tracker.get_version() + + def get_target_version(self): +- return Version(pki.implementation_version()) ++ return pki.util.Version(pki.implementation_version()) + + def is_complete(self): + +@@ -632,9 +592,6 @@ class PKIUpgrader(object): + scriptlet.init() + scriptlet.upgrade() + +- except pki.PKIException: +- raise +- + except Exception as e: # pylint: disable=W0703 + + print() +@@ -699,9 +656,6 @@ class PKIUpgrader(object): + try: + scriptlet.revert() + +- except pki.PKIException: +- raise +- + except Exception as e: # pylint: disable=W0703 + + print() +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 871c899..65a861f 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -24,7 +24,9 @@ Module containing utility functions and classes for the Dogtag python code + + + from __future__ import absolute_import ++import functools + import os ++import re + import shutil + from shutil import Error + try: +@@ -32,6 +34,7 @@ try: + except ImportError: + WindowsError = None + ++import six + import subprocess + + DEFAULT_PKI_ENV_LIST = [ +@@ -124,11 +127,14 @@ def copydirs(source, dest): + + def chown(path, uid, gid): + """ +- Change ownership of a folder and its contents. ++ Change ownership of a file or folder recursively. + """ + + os.chown(path, uid, gid) + ++ if not os.path.isdir(path): ++ return ++ + for item in os.listdir(path): + itempath = os.path.join(path, item) + +@@ -138,6 +144,25 @@ def chown(path, uid, gid): + chown(itempath, uid, gid) + + ++def chmod(path, perms): ++ """ ++ Change permissions of a file or folder recursively. ++ """ ++ ++ os.chmod(path, perms) ++ ++ if not os.path.isdir(path): ++ return ++ ++ for item in os.listdir(path): ++ itempath = os.path.join(path, item) ++ ++ if os.path.isfile(itempath): ++ os.chmod(itempath, perms) ++ elif os.path.isdir(itempath): ++ chmod(itempath, perms) ++ ++ + def customize_file(input_file, output_file, params): + """ + Customize a file with specified parameters. +@@ -275,3 +300,62 @@ def read_environment_files(env_file_list=None): + if not key.strip() or key == u'_': + continue + os.environ[key] = value ++ ++ ++@functools.total_ordering ++class Version(object): ++ ++ def __init__(self, obj): ++ ++ if isinstance(obj, six.string_types): ++ ++ # parse ..[] ++ match = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj) ++ ++ if match is None: ++ raise Exception('Unable to parse version number: %s' % obj) ++ ++ self.major = int(match.group(1)) ++ self.minor = int(match.group(2)) ++ self.patch = int(match.group(3)) ++ ++ elif isinstance(obj, Version): ++ ++ self.major = obj.major ++ self.minor = obj.minor ++ self.patch = obj.patch ++ ++ else: ++ raise Exception('Unsupported version type: %s' % type(obj)) ++ ++ # release is ignored in comparisons ++ def __eq__(self, other): ++ return (self.major == other.major and ++ self.minor == other.minor and ++ self.patch == other.patch) ++ ++ def __ne__(self, other): ++ return not self.__eq__(other) ++ ++ def __lt__(self, other): ++ if self.major < other.major: ++ return True ++ ++ if self.major == other.major and self.minor < other.minor: ++ return True ++ ++ if (self.major == other.major and ++ self.minor == other.minor and ++ self.patch < other.patch): ++ return True ++ ++ return False ++ ++ def __gt__(self, other): ++ return not self.__lt__(other) and not self.__eq__(other) ++ ++ # not hashable ++ __hash__ = None ++ ++ def __repr__(self): ++ return '%d.%d.%d' % (self.major, self.minor, self.patch) +diff --git a/base/common/sbin/pki-upgrade b/base/common/sbin/pki-upgrade +index 1833de8..b6bf930 100755 +--- a/base/common/sbin/pki-upgrade ++++ b/base/common/sbin/pki-upgrade +@@ -26,6 +26,7 @@ import signal + import sys + + import pki ++import pki.util + import pki.upgrade + + # pylint: disable=W0613 +@@ -113,7 +114,7 @@ def main(argv): + reset_tracker = True + + elif o == '--set-tracker': +- tracker_version = pki.upgrade.Version(a) ++ tracker_version = pki.util.Version(a) + + elif o in ('-v', '--verbose'): + pki.upgrade.verbose = True +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 2ea7319..8971bb5 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -40,7 +40,7 @@ from six.moves.urllib.parse import urlparse # pylint: disable=F0401,E0611 + + # PKI Imports + import pki +-import pki.upgrade ++import pki.util + import pki.account + import pki.client + import pki.system +@@ -337,7 +337,7 @@ class PKIConfigParser: + default_http_port = '8080' + default_https_port = '8443' + +- application_version = str(pki.upgrade.Version( ++ application_version = str(pki.util.Version( + pki.implementation_version())) + + self.deployer.main_config = configparser.SafeConfigParser({ +diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py +index 926c683..e636b8a 100644 +--- a/base/server/python/pki/server/upgrade.py ++++ b/base/server/python/pki/server/upgrade.py +@@ -20,6 +20,7 @@ + + from __future__ import absolute_import + from __future__ import print_function ++import logging + import os + import traceback + +@@ -35,6 +36,8 @@ BACKUP_DIR = pki.LOG_DIR + '/server/upgrade' + INSTANCE_TRACKER = '%s/tomcat.conf' + SUBSYSTEM_TRACKER = '%s/CS.cfg' + ++logger = logging.getLogger(__name__) ++ + + class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + +@@ -65,8 +68,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + tracker.set_version(self.version.next) + + def upgrade(self): ++ + for instance in self.upgrader.instances(): + ++ logger.info('Upgrading %s instance', instance.name) ++ + self.upgrade_subsystems(instance) + + # If upgrading a specific subsystem don't upgrade the instance. +@@ -81,6 +87,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + try: + if verbose: + print('Upgrading ' + str(instance) + ' instance.') ++ + self.upgrade_instance(instance) + self.update_server_tracker(instance) + +@@ -106,8 +113,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): + 'Upgrade failed in %s: %s' % (instance, e), e, instance) + + def upgrade_subsystems(self, instance): ++ + for subsystem in self.upgrader.subsystems(instance): + ++ logger.info('Upgrading %s subsystem', subsystem.name) ++ + if not self.can_upgrade_server(instance, subsystem): + if verbose: + print('Skipping ' + str(subsystem) + ' subsystem.') +diff --git a/base/server/sbin/pki-server-upgrade b/base/server/sbin/pki-server-upgrade +index 73e0e4a..932f1c5 100755 +--- a/base/server/sbin/pki-server-upgrade ++++ b/base/server/sbin/pki-server-upgrade +@@ -22,6 +22,7 @@ + from __future__ import absolute_import + from __future__ import print_function + import getopt ++import logging + import signal + import sys + +@@ -29,6 +30,8 @@ import pki + import pki.upgrade + import pki.server.upgrade + ++logger = logging.getLogger('pki.server.cli.upgrade') ++ + + # pylint: disable=W0613 + def interrupt_handler(event, frame): +@@ -71,13 +74,15 @@ def main(argv): + + signal.signal(signal.SIGINT, interrupt_handler) + ++ logging.basicConfig(format='%(levelname)s: %(message)s') ++ + try: + opts, _ = getopt.getopt(argv[1:], 'hi:s:t:vX', [ + 'instance=', 'subsystem=', 'instance-type=', + 'scriptlet-version=', 'scriptlet-index=', + 'silent', 'status', 'revert', + 'remove-tracker', 'reset-tracker', 'set-tracker=', +- 'verbose', 'help']) ++ 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) +@@ -132,10 +137,14 @@ def main(argv): + reset_tracker = True + + elif o == '--set-tracker': +- tracker_version = pki.upgrade.Version(a) ++ tracker_version = pki.util.Version(a) + + elif o in ('-v', '--verbose'): + pki.upgrade.verbose = True ++ logging.getLogger().setLevel(logging.INFO) ++ ++ elif o == '--debug': ++ logging.getLogger().setLevel(logging.DEBUG) + + elif o in ('-h', '--help'): + usage() +@@ -171,21 +180,27 @@ def main(argv): + silent=silent) + + if status: ++ logger.info('Getting PKI server upgrade status') + upgrader.status() + + elif revert: ++ logger.info('Reverting PKI server last upgrade') + upgrader.revert() + + elif remove_tracker: ++ logger.info('Removing PKI server upgrade tracker') + upgrader.remove_tracker() + + elif reset_tracker: ++ logger.info('Resetting PKI server upgrade tracker') + upgrader.reset_tracker() + + elif tracker_version is not None: ++ logger.info('Setting PKI server upgrade tracker') + upgrader.set_tracker(tracker_version) + + else: ++ logger.info('Upgrading PKI server') + upgrader.upgrade() + + except pki.PKIException as e: +-- +1.8.3.1 + + +From a7e4a037ed99dfc44de67dd4396627d452c34355 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 31 Oct 2018 22:57:17 +0100 +Subject: [PATCH 02/26] Removed empty upgrade folders + +The empty upgrade folders have been removed since they +are no longer necessary for upgrades. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 42f14ef88deb25336563a23c67fb2ad3a3a8aa3c) +--- + base/common/upgrade/10.0.0/.gitignore | 4 ---- + base/common/upgrade/10.0.2/.gitignore | 4 ---- + base/common/upgrade/10.0.4/.gitignore | 4 ---- + base/common/upgrade/10.0.5/.gitignore | 4 ---- + base/common/upgrade/10.0.6/.gitignore | 4 ---- + base/common/upgrade/10.1.0/.gitignore | 4 ---- + base/common/upgrade/10.1.1/.gitignore | 4 ---- + base/common/upgrade/10.1.2/.gitignore | 4 ---- + base/common/upgrade/10.1.99/.gitignore | 4 ---- + base/common/upgrade/10.2.0/.gitignore | 4 ---- + base/common/upgrade/10.2.1/.gitignore | 4 ---- + base/common/upgrade/10.2.2/.gitignore | 4 ---- + base/common/upgrade/10.2.3/.gitignore | 4 ---- + base/common/upgrade/10.2.4/.gitignore | 0 + base/common/upgrade/10.2.5/.gitignore | 4 ---- + base/common/upgrade/10.2.6/.gitignore | 4 ---- + base/common/upgrade/10.3.0/.gitignore | 4 ---- + base/common/upgrade/10.3.1/.gitignore | 4 ---- + base/common/upgrade/10.3.2/.gitignore | 4 ---- + base/common/upgrade/10.3.3/.gitignore | 4 ---- + base/common/upgrade/10.3.4/.gitignore | 4 ---- + base/common/upgrade/10.3.5/.gitignore | 4 ---- + base/common/upgrade/10.4.0/.gitignore | 4 ---- + base/common/upgrade/10.4.1/.gitignore | 4 ---- + base/common/upgrade/10.4.2/.gitignore | 4 ---- + base/common/upgrade/10.4.3/.gitignore | 4 ---- + base/common/upgrade/10.4.4/.gitignore | 4 ---- + base/common/upgrade/10.4.5/.gitignore | 4 ---- + base/common/upgrade/10.4.6/.gitignore | 4 ---- + base/server/upgrade/10.0.0/.gitignore | 4 ---- + base/server/upgrade/10.0.2/.gitignore | 4 ---- + base/server/upgrade/10.0.3/.gitignore | 4 ---- + base/server/upgrade/10.0.4/.gitignore | 4 ---- + base/server/upgrade/10.0.6/.gitignore | 4 ---- + base/server/upgrade/10.1.0/.gitignore | 4 ---- + base/server/upgrade/10.1.2/.gitignore | 4 ---- + base/server/upgrade/10.2.0/.gitignore | 4 ---- + base/server/upgrade/10.3.1/.gitignore | 4 ---- + base/server/upgrade/10.3.2/.gitignore | 4 ---- + base/server/upgrade/10.3.4/.gitignore | 4 ---- + base/server/upgrade/10.4.1/.gitignore | 4 ---- + base/server/upgrade/10.4.3/.gitignore | 4 ---- + base/server/upgrade/10.4.4/.gitignore | 4 ---- + base/server/upgrade/10.4.5/.gitignore | 4 ---- + base/server/upgrade/10.5.1/.gitignore | 4 ---- + 45 files changed, 176 deletions(-) + delete mode 100644 base/common/upgrade/10.0.0/.gitignore + delete mode 100644 base/common/upgrade/10.0.2/.gitignore + delete mode 100644 base/common/upgrade/10.0.4/.gitignore + delete mode 100644 base/common/upgrade/10.0.5/.gitignore + delete mode 100644 base/common/upgrade/10.0.6/.gitignore + delete mode 100644 base/common/upgrade/10.1.0/.gitignore + delete mode 100644 base/common/upgrade/10.1.1/.gitignore + delete mode 100644 base/common/upgrade/10.1.2/.gitignore + delete mode 100644 base/common/upgrade/10.1.99/.gitignore + delete mode 100644 base/common/upgrade/10.2.0/.gitignore + delete mode 100644 base/common/upgrade/10.2.1/.gitignore + delete mode 100644 base/common/upgrade/10.2.2/.gitignore + delete mode 100644 base/common/upgrade/10.2.3/.gitignore + delete mode 100644 base/common/upgrade/10.2.4/.gitignore + delete mode 100644 base/common/upgrade/10.2.5/.gitignore + delete mode 100644 base/common/upgrade/10.2.6/.gitignore + delete mode 100644 base/common/upgrade/10.3.0/.gitignore + delete mode 100644 base/common/upgrade/10.3.1/.gitignore + delete mode 100644 base/common/upgrade/10.3.2/.gitignore + delete mode 100644 base/common/upgrade/10.3.3/.gitignore + delete mode 100644 base/common/upgrade/10.3.4/.gitignore + delete mode 100644 base/common/upgrade/10.3.5/.gitignore + delete mode 100644 base/common/upgrade/10.4.0/.gitignore + delete mode 100644 base/common/upgrade/10.4.1/.gitignore + delete mode 100644 base/common/upgrade/10.4.2/.gitignore + delete mode 100644 base/common/upgrade/10.4.3/.gitignore + delete mode 100644 base/common/upgrade/10.4.4/.gitignore + delete mode 100644 base/common/upgrade/10.4.5/.gitignore + delete mode 100644 base/common/upgrade/10.4.6/.gitignore + delete mode 100644 base/server/upgrade/10.0.0/.gitignore + delete mode 100644 base/server/upgrade/10.0.2/.gitignore + delete mode 100644 base/server/upgrade/10.0.3/.gitignore + delete mode 100644 base/server/upgrade/10.0.4/.gitignore + delete mode 100644 base/server/upgrade/10.0.6/.gitignore + delete mode 100644 base/server/upgrade/10.1.0/.gitignore + delete mode 100644 base/server/upgrade/10.1.2/.gitignore + delete mode 100644 base/server/upgrade/10.2.0/.gitignore + delete mode 100644 base/server/upgrade/10.3.1/.gitignore + delete mode 100644 base/server/upgrade/10.3.2/.gitignore + delete mode 100644 base/server/upgrade/10.3.4/.gitignore + delete mode 100644 base/server/upgrade/10.4.1/.gitignore + delete mode 100644 base/server/upgrade/10.4.3/.gitignore + delete mode 100644 base/server/upgrade/10.4.4/.gitignore + delete mode 100644 base/server/upgrade/10.4.5/.gitignore + delete mode 100644 base/server/upgrade/10.5.1/.gitignore + +diff --git a/base/common/upgrade/10.0.0/.gitignore b/base/common/upgrade/10.0.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.2/.gitignore b/base/common/upgrade/10.0.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.4/.gitignore b/base/common/upgrade/10.0.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.5/.gitignore b/base/common/upgrade/10.0.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.0.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.0/.gitignore b/base/common/upgrade/10.1.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.1/.gitignore b/base/common/upgrade/10.1.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.2/.gitignore b/base/common/upgrade/10.1.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.1.99/.gitignore b/base/common/upgrade/10.1.99/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.1.99/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.0/.gitignore b/base/common/upgrade/10.2.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.1/.gitignore b/base/common/upgrade/10.2.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.2/.gitignore b/base/common/upgrade/10.2.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.3/.gitignore b/base/common/upgrade/10.2.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.4/.gitignore b/base/common/upgrade/10.2.4/.gitignore +deleted file mode 100644 +index e69de29..0000000 +diff --git a/base/common/upgrade/10.2.5/.gitignore b/base/common/upgrade/10.2.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.2.6/.gitignore b/base/common/upgrade/10.2.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.2.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.0/.gitignore b/base/common/upgrade/10.3.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.1/.gitignore b/base/common/upgrade/10.3.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.2/.gitignore b/base/common/upgrade/10.3.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.3/.gitignore b/base/common/upgrade/10.3.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.3.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.0/.gitignore b/base/common/upgrade/10.4.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/common/upgrade/10.4.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.0/.gitignore b/base/server/upgrade/10.0.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.2/.gitignore b/base/server/upgrade/10.0.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.3/.gitignore b/base/server/upgrade/10.0.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.0.6/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.1.0/.gitignore b/base/server/upgrade/10.1.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.1.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.1.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.2.0/.gitignore b/base/server/upgrade/10.2.0/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.2.0/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.3.1/.gitignore b/base/server/upgrade/10.3.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.3.2/.gitignore b/base/server/upgrade/10.3.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.3.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.3/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.4/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.4.5/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.5.1/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +-- +1.8.3.1 + + +From 8bdcb3dcb6d304604dc68e44917847b71724cde5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Nov 2018 04:34:50 +0100 +Subject: [PATCH 03/26] Updated pki-server -audit-event-find + +The pki-server -audit-event-find has been modified +to support searching all events, enabled events, and disabled +events. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 1d7b48538cc6ede7780489cc22bc631caffebe04) +--- + base/server/python/pki/server/__init__.py | 95 ++++++++++++++++++++++++++++--- + 1 file changed, 88 insertions(+), 7 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index b5180f0..ace98f3 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -428,24 +428,105 @@ class PKISubsystem(object): + + def find_audit_events(self, enabled=None): + +- if not enabled: +- raise Exception('This operation is not yet supported. Specify --enabled True.') +- + events = [] + +- names = self.config['log.instance.SignedAudit.events'].split(',') +- names = list(map(str.strip, names)) +- names.sort() ++ # get enabled events ++ enabled_event_names = self.get_enabled_audit_events() ++ ++ if enabled is None: ++ # get all events ++ names = self.get_audit_events() ++ ++ elif enabled: # enabled == True ++ # get enabled events ++ names = enabled_event_names ++ ++ else: # enabled == False ++ # get all events ++ all_event_names = self.get_audit_events() ++ ++ # get disabled events by subtracting enabled events from all events ++ names = sorted(set(all_event_names) - set(enabled_event_names)) + ++ # get event properties + for name in names: + event = {} + event['name'] = name +- event['enabled'] = True ++ event['enabled'] = name in enabled_event_names + event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) + events.append(event) + + return events + ++ def get_audit_events(self): ++ ++ # get the full list of audit events from LogMessages.properties ++ ++ properties = {} ++ tmpdir = tempfile.mkdtemp() ++ ++ try: ++ # export LogMessages.properties from cmsbundle.jar ++ cmsbundle_jar = \ ++ '/usr/share/pki/%s/webapps/%s/WEB-INF/lib/pki-cmsbundle.jar' \ ++ % (self.name, self.name) ++ ++ cmd = [ ++ 'jar', ++ 'xf', ++ cmsbundle_jar, ++ 'LogMessages.properties' ++ ] ++ ++ logger.debug('Command: %s', ' '.join(cmd)) ++ ++ subprocess.check_output( ++ cmd, ++ cwd=tmpdir, ++ stderr=subprocess.STDOUT) ++ ++ # load LogMessages.properties ++ log_messages_properties = os.path.join(tmpdir, 'LogMessages.properties') ++ pki.util.load_properties(log_messages_properties, properties) ++ ++ finally: ++ shutil.rmtree(tmpdir) ++ ++ # get audit events ++ events = set() ++ name_pattern = re.compile(r'LOGGING_SIGNED_AUDIT_') ++ value_pattern = re.compile(r':') ++ ++ for name in properties: ++ ++ name_match = name_pattern.match(name) ++ if not name_match: ++ continue ++ ++ value = properties[name] ++ ++ value_match = value_pattern.match(value) ++ if not value_match: ++ continue ++ ++ event = value_match.group(1) ++ events.add(event) ++ ++ return sorted(events) ++ ++ def get_enabled_audit_events(self): ++ ++ # parse enabled audit events ++ value = self.config['log.instance.SignedAudit.events'] ++ event_list = value.replace(' ', '').split(',') ++ ++ # remove duplicates ++ events = set() ++ for event in event_list: ++ events.add(event) ++ ++ return sorted(events) ++ + def get_audit_log_dir(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] +-- +1.8.3.1 + + +From bcc43b903a67a88c254240840e885407e7c51f3c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 7 Nov 2018 16:53:57 +0100 +Subject: [PATCH 04/26] Updated pki.util.load_properties() + +The pki.util.load_properties() has been modified to support +multi-line property value. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit 618c5aec2cf1f16bcf30e676d3ed1f84722a32e3) +--- + base/common/python/pki/util.py | 38 +++++++++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 9 deletions(-) + +diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py +index 65a861f..a5d220f 100644 +--- a/base/common/python/pki/util.py ++++ b/base/common/python/pki/util.py +@@ -180,22 +180,42 @@ def load_properties(filename, properties): + with open(filename) as f: + + lines = f.read().splitlines() ++ name = None ++ multi_line = False + + for index, line in enumerate(lines): + +- line = line.strip() ++ if multi_line: ++ # append line to previous property + +- if not line or line.startswith('#'): +- continue ++ value = properties[name] ++ value = value + line + +- parts = line.split('=', 1) ++ else: ++ # parse line for new property ++ ++ line = line.lstrip() ++ if not line or line.startswith('#'): ++ continue ++ ++ parts = line.split('=', 1) ++ if len(parts) < 2: ++ raise Exception('Missing delimiter in %s line %d' % ++ (filename, index + 1)) + +- if len(parts) < 2: +- raise Exception('Missing delimiter in %s line %d' % +- (filename, index + 1)) ++ name = parts[0].rstrip() ++ value = parts[1].lstrip() ++ ++ # check if the value is multi-line ++ if value.endswith('\\'): ++ value = value[:-1] ++ multi_line = True ++ ++ else: ++ value = value.rstrip() ++ multi_line = False + +- name = parts[0].strip() +- value = parts[1].strip() ++ # store value in properties + properties[name] = value + + +-- +1.8.3.1 + + +From 68427be67b3b5cf1c55b2ffe5eefd37f45dd8cab Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 9 Nov 2018 16:34:14 +0100 +Subject: [PATCH 05/26] Added audit event management tools + +The pki-server -audit-* commands have been backported +to PKI 10.5. + +https://pagure.io/dogtagpki/issue/2686 +(cherry picked from commit adc316972072789b12ab2c2feb391bbdb01768d5) +--- + base/server/python/pki/server/__init__.py | 83 +++- + base/server/python/pki/server/cli/audit.py | 587 ++++++++++++++++++++++++++++- + 2 files changed, 662 insertions(+), 8 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index ace98f3..6cbda2f 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -426,7 +426,65 @@ class PKISubsystem(object): + + pki.util.customize_file(input_file, output_file, params) + +- def find_audit_events(self, enabled=None): ++ def enable_audit_event(self, event_name): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ value = self.config['log.instance.SignedAudit.events'] ++ events = set(value.replace(' ', '').split(',')) ++ ++ if event_name in events: ++ return False ++ ++ events.add(event_name) ++ event_list = ','.join(sorted(events)) ++ self.config['log.instance.SignedAudit.events'] = event_list ++ ++ return True ++ ++ def update_audit_event_filter(self, event_name, event_filter): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ name = 'log.instance.SignedAudit.filters.%s' % event_name ++ ++ if event_filter: ++ self.config[name] = event_filter ++ else: ++ self.config.pop(name, None) ++ ++ def disable_audit_event(self, event_name): ++ ++ if not event_name: ++ raise ValueError("Please specify the Event name") ++ ++ names = self.get_audit_events() ++ if event_name not in names: ++ raise PKIServerException('Invalid audit event: %s' % event_name) ++ ++ value = self.config['log.instance.SignedAudit.events'] ++ events = set(value.replace(' ', '').split(',')) ++ ++ if event_name not in events: ++ return False ++ ++ events.remove(event_name) ++ event_list = ','.join(sorted(events)) ++ self.config['log.instance.SignedAudit.events'] = event_list ++ ++ return True ++ ++ def find_audit_event_configs(self, enabled=None): + + events = [] + +@@ -458,6 +516,22 @@ class PKISubsystem(object): + + return events + ++ def get_audit_event_config(self, name): ++ ++ names = self.get_audit_events() ++ ++ if name not in names: ++ raise PKIServerException('Invalid audit event: %s' % name) ++ ++ enabled_event_names = self.get_enabled_audit_events() ++ ++ event = {} ++ event['name'] = name ++ event['enabled'] = name in enabled_event_names ++ event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) ++ ++ return event ++ + def get_audit_events(self): + + # get the full list of audit events from LogMessages.properties +@@ -518,12 +592,7 @@ class PKISubsystem(object): + + # parse enabled audit events + value = self.config['log.instance.SignedAudit.events'] +- event_list = value.replace(' ', '').split(',') +- +- # remove duplicates +- events = set() +- for event in event_list: +- events.add(event) ++ events = set(value.replace(' ', '').split(',')) + + return sorted(events) + +diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py +index bbbdd10..44fd86a 100644 +--- a/base/server/python/pki/server/cli/audit.py ++++ b/base/server/python/pki/server/cli/audit.py +@@ -20,6 +20,7 @@ + + from __future__ import absolute_import + from __future__ import print_function ++ + import getopt + import os + import shutil +@@ -37,10 +38,271 @@ class AuditCLI(pki.cli.CLI): + 'audit', 'Audit management commands') + + self.parent = parent ++ self.add_module(AuditConfigShowCLI(self)) ++ self.add_module(AuditConfigModifyCLI(self)) + self.add_module(AuditEventFindCLI(self)) ++ self.add_module(AuditEventShowCLI(self)) ++ self.add_module(AuditEventEnableCLI(self)) ++ self.add_module(AuditEventDisableCLI(self)) ++ self.add_module(AuditEventUpdateCLI(self)) + self.add_module(AuditFileFindCLI(self)) + self.add_module(AuditFileVerifyCLI(self)) + ++ @staticmethod ++ def print_audit_config(subsystem): ++ ++ name = 'log.instance.SignedAudit.%s' ++ ++ enabled = subsystem.config[name % 'enable'].lower() == 'true' ++ ++ fileName = subsystem.config[name % 'fileName'] ++ bufferSize = subsystem.config[name % 'bufferSize'] ++ flushInterval = subsystem.config[name % 'flushInterval'] ++ ++ maxFileSize = subsystem.config[name % 'maxFileSize'] ++ rolloverInterval = subsystem.config[name % 'rolloverInterval'] ++ expirationTime = subsystem.config[name % 'expirationTime'] ++ ++ logSigning = subsystem.config[name % 'logSigning'].lower() == 'true' ++ signedAuditCertNickname = subsystem.config[name % 'signedAuditCertNickname'] ++ ++ print(' Enabled: %s' % enabled) ++ ++ print(' Log File: %s' % fileName) ++ print(' Buffer Size (bytes): %s' % bufferSize) ++ print(' Flush Interval (seconds): %s' % flushInterval) ++ ++ print(' Max File Size (bytes): %s' % maxFileSize) ++ print(' Rollover Interval (seconds): %s' % rolloverInterval) ++ print(' Expiration Time (seconds): %s' % expirationTime) ++ ++ print(' Log Signing: %s' % logSigning) ++ print(' Signing Certificate: %s' % signedAuditCertNickname) ++ ++ @staticmethod ++ def print_audit_event_config(event): ++ print(' Event Name: %s' % event.get('name')) ++ print(' Enabled: %s' % event.get('enabled')) ++ print(' Filter: %s' % event.get('filter')) ++ ++ ++class AuditConfigShowCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditConfigShowCLI, self).__init__( ++ 'config-show', 'Display audit configuration') ++ self.parent = parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-config-show [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ try: ++ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.print_help() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.print_help() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ if not instance.is_valid(): ++ print('ERROR: Invalid instance %s.' % instance_name) ++ sys.exit(1) ++ ++ instance.load() ++ ++ subsystem_name = self.parent.parent.name ++ subsystem = instance.get_subsystem(subsystem_name) ++ ++ if not subsystem: ++ print('ERROR: No %s subsystem in instance %s.' ++ % (subsystem_name.upper(), instance_name)) ++ sys.exit(1) ++ ++ AuditCLI.print_audit_config(subsystem) ++ ++ ++class AuditConfigModifyCLI(pki.cli.CLI): ++ ++ def __init__(self, parent): ++ super(AuditConfigModifyCLI, self).__init__( ++ 'config-mod', 'Modify audit configuration') ++ self.parent = parent ++ ++ def print_help(self): ++ print('Usage: pki-server %s-audit-config-mod [OPTIONS]' % self.parent.parent.name) ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --enabled Enable/disable audit logging.') ++ print(' --logFile Set log file.') ++ print(' --bufferSize Set buffer size (bytes).') ++ print(' --flushInterval Set flush interval (seconds).') ++ print(' --maxFileSize Set maximum file size (bytes).') ++ print(' --rolloverInterval Set rollover interval (seconds).') ++ print(' --expirationTime