
KRA Audit Events

Endi S. Dewata edited this page May 19, 2023 · 9 revisions

Overview

KRA audit events can be configured in the log.instance.SignedAudit.events property.

Default Events

Key Archival Events

These events are triggered when an archival request is received through the REST interface or from the CA. Since they are generated by different threads, they may appear in the log in reverse order.

SECURITY_DATA_ARCHIVAL_REQUEST

SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED

Additional events are generated when keys are archived from the CA, that is, when CRMF requests are submitted to the CA. In particular, the CA request ID is passed through and logged so that the audit trail can be followed from the CA to the KRA.

The additional events are:

PROFILE_CERT_REQUEST:

  • subjectID: userID for the agent initiating the request. This is the user (trusted agent) mapped to the CA subsystem cert in the KRA.

  • outcome: success/failure

  • ReqID: the enrollment request in the CA. This is used to track the request and link it to the CA audit logs.

  • ProfileID: set to kraConnector

  • CertSubject: subject name of the certificate request

PROFILE_CERT_REQUEST:

  • subjectID: userID for the agent initiating the request. This is the user (trusted agent) mapped to the CA subsystem cert in the KRA.

  • outcome: success/failure

  • ReqID: the enrollment request in the CA

  • ProfileID: set to kraConnector

  • CertSubject: subject name of the certificate request

For example, archive a private key from the CA:

$ pki -d alias -c redhat123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem

TODO: add pki command to approve cert request

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:KRAInfoResource.getInfo] authorization success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][aclResource=certServer.kra.connector][Op=submit] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][Role=Data Recovery Manager Agents, Trusted Managers] assume privileged role
[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=38][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null] security data archival request made
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null][KeyID=161][FailureReason=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPwOzhpNANr4KdmRJ341Rp5k15xHWdTYQ3r5gf8Xx+ugQRmx7m4q1ot2X4AGbru0K3WIuIb04liSup8fuTPslGngS/vLcfHo1rdZBOz/DWMV/tW/5uURNVZCbwiiV+b97gRxpoKb+TJfp2qU9S35oUkAx11dwPZzRzpl4j1Gb7uQIDAQAB] security data archival request processed
[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=38][InfoName=certificate][InfoValue=<null>] certificate request processed
[AuditEvent=INTER_BOUNDARY][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ProtectionMethod=ssl][ReqType=enrollment][ReqID=38] inter-CIMC_Boundary communication (data exchange)
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

Key Recovery Events

SECURITY_DATA_RECOVERY_REQUEST

SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE

SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, SECURITY_DATA_EXPORT_KEY

These events occur when an approved key recovery request is processed and the key is retrieved, wrapped appropriately and returned to the client.

Properties (SECURITY_DATA_RECOVERY_REQUEST_PROCESSED):

  • SubjectID: UID of the agent that is recovering the key

  • Outcome: Success/Failure

  • RecoveryID: ID of the recovery request

  • KeyID: ID of the key being retrieved

  • FailureReason: null if successful

  • RecoveryAgents: list of agents who have approved the recovery request

Properties (SECURITY_DATA_EXPORT_KEY):

  • SubjectID: UID of the agent that is retrieving the key/secret

  • Outcome: Success/Failure

  • RecoveryID: ID of the recovery request

  • Info: information about the request, including the failure reason if the request fails

  • PubKey: public key associated with the export

If the key is recovered from the UI, Info is not populated (except in failure cases). For a request through the REST API, Info carries details such as the following:

Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false

For example, these are the logs created when the key is retrieved as a PKCS #12 (pk12) file from the KRA UI.

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.request][Op=read] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.key][Op=download] authorization success
[AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][KeyID=157][FailureReason=null][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][KeyID=null][Info=null][PubKey=null] security data retrieval request

These are the logs when a secret is retrieved from the KRA CLI.

$ pki -d alias -c redhat123 -n "PKI Administrator for example.com" key-retrieve --requestID 0x13f
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.retrieveKey] authorization success
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][PubKey=null] security data retrieval request
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

Another example of a key being retrieved with the CLI, showing all the above events:

$ pki -d alias -c redhat123 -n "PKI Administrator for example.com" key-retrieve --keyID 0x9c
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.retrieveKey] authorization success
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][DataID=156][PubKey=null] security data recovery request made
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=320;synchronous=true;ephemeral=false][RecoveryAgents=kraadmin] security data recovery request processed
[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=320;synchronous=true;ephemeral=false][PubKey=null] security data retrieval request
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

The same example, this time with ephemeral requests enabled.

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.retrieveKey] authorization success
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=14954844711196918][DataID=156][PubKey=null] security data recovery request made
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=14954844711196918][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=14954844711196918;synchronous=true;ephemeral=true][RecoveryAgents=kraadmin] security data recovery request processed
[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=14954844711196918][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=14954844711196918;synchronous=true;ephemeral=true][PubKey=null] security data retrieval request
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
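As an added example (not part of this wiki page or the pki tool), the following parser reads the [Key=Value] audit line format shown above and correlates the two flows described on this page: it links the CA ReqID to the KRA RequestId and KeyID for archivals even when the events arrive in reverse order, and it summarizes recoveries per RecoveryID, pulling the ephemeral flag out of the KeyService.getKey Info string. The sample lines are constructed from the excerpts above with a shortened SubjectID and PubKey.

```python
import re
from collections import defaultdict

# Constructed sample trimmed from the excerpts on this page; archival events deliberately out of order.
SAMPLE_LOG = """\
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-host-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null][KeyID=161][FailureReason=null][PubKey=MIGf...] security data archival request processed
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-host-8443][Outcome=Success][ArchivalRequestID=38][RequestId=325][ClientKeyID=null] security data archival request made
[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-host-8443][Outcome=Success][ReqID=38][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][PubKey=null] security data retrieval request
"""

FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")  # one [Key=Value] field; values may contain '='

def parse_line(line):
    """Split one signed-audit line into its [Key=Value] fields plus the trailing message text."""
    fields = dict(FIELD_RE.findall(line))
    if "AuditEvent" not in fields:
        raise ValueError("not an audit event line: %r" % line[:60])
    fields["message"] = line[line.rfind("]") + 1:].strip()
    return fields

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def parse_key_service_info(info):
    """'KeyService.getKey:;keyID=156;requestID=319;...' -> {'keyID': '156', ...}; 'null' -> {}."""
    return dict(p.partition("=")[::2] for p in info.split(";")[1:])

def trace_archival(events):
    """Link the CA request ID to the KRA request and archived key, whatever order the events arrived in."""
    flows = defaultdict(dict)
    for e in events:
        ev = e["AuditEvent"]
        if ev == "PROFILE_CERT_REQUEST":                  # CA-side request ID is ReqID here
            flows[e["ReqID"]]["cert_subject"] = e.get("CertSubject")
        elif ev == "SECURITY_DATA_ARCHIVAL_REQUEST":      # ...and ArchivalRequestID on the KRA events
            flows[e["ArchivalRequestID"]]["kra_request"] = e["RequestId"]
        elif ev == "SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED":
            flows[e["ArchivalRequestID"]].update(kra_request=e["RequestId"], key_id=e["KeyID"], outcome=e["Outcome"])
    return dict(flows)

def summarize_recoveries(events):
    """Per RecoveryID: which key was exported, by whom, which agents approved, and whether it was ephemeral."""
    recs = defaultdict(dict)
    for e in events:
        ev = e["AuditEvent"]
        if ev == "SECURITY_DATA_RECOVERY_REQUEST_PROCESSED":
            recs[e["RecoveryID"]].update(key_id=e["KeyID"], agents=e["RecoveryAgents"].split(","))
        elif ev == "SECURITY_DATA_EXPORT_KEY":
            info = parse_key_service_info(e.get("Info", "null"))  # Info is null for UI recoveries
            recs[e["RecoveryID"]].update(exported_by=e["SubjectID"], ephemeral=info.get("ephemeral") == "true")
    return dict(recs)
```

Run `trace_archival(parse_log(SAMPLE_LOG))` to get the CA request 38 mapped to KRA request 325 and key 161, and `summarize_recoveries(...)` to list recovery 319 with its approving agents and export.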

Key Generation Events
