Software Design Document Logging/Audit



Similar documents
Software Design Document SAMLv2 IDP Proxying

PHP Integration Kit. Version User Guide

OpenSSO: Cross Domain Single Sign On

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Using SAML for Single Sign-On in the SOA Software Platform

How To Use Saml 2.0 Single Sign On With Qualysguard

Security Assertion Markup Language (SAML) Site Manager Setup

Authentication and Single Sign On

Failover Support. DataDirect Connect for ODBC Drivers. Introduction. Connection Failover

Database Administration with MySQL

GUIDE. Web Client Application. Model: ER 4.0. Release / Version No.: 1.01

Installation and Administration Guide

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

Software Requirement Specification Web Services Security

WinCollect User Guide

SAML Security Option White Paper

CA Nimsoft Monitor. Probe Guide for NT Event Log Monitor. ntevl v3.8 series

Configuring EPM System for SAML2-based Federation Services SSO

Policy Guide Access Manager 3.1 SP5 January 2013

Configuring Apache Derby for Performance and Durability Olav Sandstå

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Upgrade Guide BES12. Version 12.1

FileMaker 13. ODBC and JDBC Guide

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Logging in Java Applications

Spring Security SAML module

Security Correlation Server Quick Installation Guide

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Lifecycle Manager Installation and Configuration Guide

Alert Logic Log Manager

Secure the Web: OpenSSO

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Copyright Pivotal Software Inc, of 10

Oracle Forms Services Secure Web.Show_Document() calls to Oracle Reports Server 6i

MySQL for Beginners Ed 3

IBM Tivoli Storage Manager for Databases Version Data Protection for Microsoft SQL Server Messages IBM

IBM Security QRadar SIEM Version MR1. Log Sources User Guide

Determine the process of extracting monitoring information in Sun ONE Application Server

Software Design Document Securing Web Service with Proxy

Using SQL Server Management Studio

DBA Tutorial Kai Voigt Senior MySQL Instructor Sun Microsystems Santa Clara, April 12, 2010

McAfee Network Threat Response (NTR) 4.0

Enterprise Vault Whitepaper Move Archive Feature Overview

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

System Administration and Log Management

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Symantec Endpoint Encryption Full Disk

FileMaker 12. ODBC and JDBC Guide

English ETERNUS CS800 S3. Backup Exec OST Guide

How To Use The Jobscheduler On A Linux Box (Jid) On A Pcode (Jio) Or Macbook 2.2 On A Microsoft Powerbook 2 (For A Freebie

VMware vcenter Log Insight User's Guide

OpenSSO Monitoring Euro User Groups Winter 2010

Nimsoft Monitor. ntevl Guide. v3.6 series

Performance in the Infragistics WebDataGrid for Microsoft ASP.NET AJAX. Contents. Performance and User Experience... 2

HP A-IMC Firewall Manager

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Central Administration QuickStart Guide

IBM. Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect. Author: Ronan Dalton

Informatica Corporation Proactive Monitoring for PowerCenter Operations Version 3.0 Release Notes May 2014

SQL Server Replication Guide

Using EMC Documentum with Adobe LiveCycle ES

System Administration Guide

Add User to Administrators Group using SQL Lookup Table

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Monitoring App V eg Enterprise v6

SAML Single-Sign-On (SSO)

ODBC Client Driver Help Kepware, Inc.

PassMark Software BurnInTest Management Console. Quick start guide

FileNet P8 Platform Directory Service Migration Guide

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

UltraLog HSPI User s Guide

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

DBMS / Business Intelligence, SQL Server

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

RTI Database Integration Service. Release Notes

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

CA SiteMinder. Implementation Guide. r12.0 SP2

Ocean Data Systems Ltd. The Art of Industrial Intelligence. Dream Report GETTING STARTED. User- Friendly Programming-Free Reporting for Automation

DataLogger Kepware, Inc.

TV Server Configuration Fails To Start - get_cards() error. Overview... 2 Origin of the error... 2 Resolution Related... 5

FileMaker 11. ODBC and JDBC Guide

EMC Documentum Repository Services for Microsoft SharePoint

Comparing SQL and NOSQL databases

The SkySQL Administration Console

SAP HANA - Main Memory Technology: A Challenge for Development of Business Applications. Jürgen Primsch, SAP AG July 2011

Merit Cloud Media User Guide

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

TSM Studio Server User Guide

IceWarp to IceWarp Server Migration

Flight Workflow User's Guide. Release

SETTING UP AND RUNNING A WEB SITE ON YOUR LENOVO STORAGE DEVICE WORKING WITH WEB SERVER TOOLS

Release Bulletin Sybase ETL Small Business Edition 4.2

Nimsoft Monitor. sysloggtw Guide. v1.4 series

Transcription:

Software Design Document Logging/Audit FM 7.5 Version 0.2 (Draft) Please send comments to: dev@opensso.dev.java.net

Contents 1 Introduction......1 1.1 Document Status...1 1.2 Revision History...1 1.3 Summary...1 1.4 Scope...1 1.5 Context......1 1.6 Glossary...2 1.7 References...2 2 Overview...3 3 Design Considerations......4 3.1 Assumptions and Dependencies......4 3.2 Goals and Guidelines...4 3.3 Development Method...4 4 Architectural Strategies...5 5 System Architecture...6 6 Detailed System Architecture...7 7 Appendices...8 Copyright 2007 Sun Microsystems, Inc. All rights reserved. iii

1 Introduction 1.1 Document Status Project Name Federation Manager 7.5 Document Title Logging/Audit Date of Issue 02/22/07 Current Version 0.3 Author Burt Fujii Issuing Organization Sun Microsystems, Inc. Feedback E-mail dev@opensso.dev.java.net 1.2 Revision History Date Version Author Comments 02/22/07 0.1 Burt Fujii Initial draft 03/06/07 0.2 Burt Fujii Updates 03/14/07 0.3 Burt Fujii Added change to DB Date/Time column 1.3 Summary The purpose of this document is to provide a design for the features added in the Logging/Auditing services. The scope of this document details the implementation of the logging/auditing enhancements recently identified. The intended audience is the engineering and support groups, and those who would be in contact with the customers. 1.4 Scope The designs of the additions of the NameID field in the Log Record, and of the Dynamic Logging Level feature are detailed. The Complete Logs and Options To See Detailed XML Messages items mentioned in the Requirements Document are mentioned here, as a reminder for the components that must effect the changes. Copyright 2007 Sun Microsystems, Inc. All rights reserved. 1

0, Version 0 Introduction 1.5 Context This document should be read in the context of a Federation Manager administrator and/or developer using the Logging API. 1.6 Glossary Level As defined by java.util.logging.level 1.7 References [1] FM 7.5 Logging/Audit Software Requirement Specification 2 Copyright 2007 Sun Microsystems, Inc. All rights reserved.

2 Overview In the area of logging/auditing, several specific requirements have been identified: The Federation log records need to contain (in addition to the already included local userid and ContextID) an opaque handle providing the subject's NameID from the IDP. This field would be used to correlate IDP/SP log entries. Complete logs for all events; e.g., single sign-on, single-logout, etc. Options to see detailed XML messages between SPs and IDPs; e.g., whole assertion XML. Dynamic logging level setting, without having to restart the server. This document details implementation of the additional log record field (opaque handle for NameId) and dynamic logging level setting. The other two requirements are controlled by the components providing the logging information, so they should be covered in other documents. An additional change when specifically logging to a database is also detailed. The current VARCHAR data type definition makes it unnatural for writing SQL reports that query or sort on the Time column. Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3

0, Version 0 Design Considerations 3 Design Considerations 3.1 Assumptions and Dependencies Inclusion of the new NameID log record field depends on the logging client providing that property and value. Logging of all events depends upon the components effecting those log records/requests. Options for logging detailed XML messages between SPs and IDPs can be effected by logging at appropriate logging levels (e.g., FINE, FINER, and FINEST corresponding to more detailed levels than the default INFO). Upgrade/Migration Upgrade/migration of the Logging service will be necessary if FM7.5 is applied to an existing OpenSSO (or AM7.1?) installation. Also, existing log files or tables should be saved or moved, then deleted before starting logging with the added NameID field, so that the log files will have consistent log records. 3.2 Goals and Guidelines System performance impacts should be as expected with increased logging load. It should be expected that more logging, particularly by specifying more detailed logging levels, may have an effect on the server's transaction throughput. Also, the change of the data type for the Data column (when logging to a database) from a VARCHAR(255) to a large object (CLOB in Oracle, LONGTEXT in MySQL) may have some effect on the database server's storage requirements. 3.3 Development Method <State development method if it differs from the OpenSSO development method> 4 Copyright 2007 Sun Microsystems, Inc. All rights reserved.

Architectural Strategies 0, Version 0 4 Architectural Strategies <State any existing technologies/libraries used.> <State any new strategy introduced.> Copyright 2007 Sun Microsystems, Inc. All rights reserved. 5

0, Version 0 System Architecture 5 System Architecture Currently, the log record fields logged are controlled by the "Configurable Log Fields" selections in the Logging Configuration page of the Administration Console. The logging service is dependent on the client creating the LogRecord to provide the values for the log record fields. The server's logging level is defaulted to INFO, though specific log files' logging level can be specified in the AMConfig.properties file. Also, overall logging can be inactivated with an entry in the AMConfig.properties file. 6 Copyright 2007 Sun Microsystems, Inc. All rights reserved.

Detailed System Architecture 0, Version 0 6 Detailed System Architecture 6.1 NameID Opaque Handle The attributes in the Administration Console's Logging configuration page reflect what is specified in the Logging service's amlogging.xml file. An addition for the nameid opaque handle must be made. Specifically, the addition will be to the iplanet-am-logging-logfields attribute in the amlogging.xml file. An associated addition to the amlogging.properties file will be made for internationalization purposes. The LogRecord class requires changes to handle the added nameid property. The LogRecord(Level level, String msg, Object token) method extracts properties from the SSOToken included. If the new property is not supplied in that manner, then each component must supply it using the LogRecord's addloginfo(string key, Object value) method. The authentication service utilizes the LogRecord(Level level, String msg, Hashtable properties) method. To provide the nameid property and value, it must be supplied in the Hashtable passed. If the nameid property and value are not supplied, the log record's nameid field will display "Not Available". Sample Log Records with the nameid not supplied (first) and supplied (second): #Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName "2007-02-22 17:34:50" "this is the new test log message" MyModule "Not Available" dc=opensso,dc=java,dc=net 786d16c9d25bfbb601 WARNING id=amadmin,ou=user,dc=opensso,dc=java,dc=net "Not Available" 192.18.120.170 id=amadmin,ou=user,dc=opensso,dc=java,dc=net alisun31 "2007-02-22 17:37:35 "this is the second test log message" MyModule "Not Available" dc=opensso,dc=java,dc=net 6e1d5b606a277b9901 SEVERE id=amadmin,ou=user,dc=opensso,dc=java,dc=net JoseJ 192.18.120.170 id=amadmin,ou=user,dc=opensso,dc=java,dc=net alisun31 Note that the logging level for the first record was specified as "WARNING", and "SEVERE" for the second. The code snippet for specifying the NameID property to the LogRecord uses the LogRecord's addloginfo method: LogRecord logrecord = new LogRecord(logLevel, logargs[messageindex], usertoken); logrecord.addloginfo("modulename", "MyModule"); logrecord.addloginfo("nameid", logargs[nameidindex]); Copyright 2007 Sun Microsystems, Inc. All rights reserved. 7

0, Version 0 Detailed System Architecture Logger logger = (Logger)Logger.getLogger(logArgs[LogNameIndex]); logger.log(logrecord, loggedbytoken); In the Administration Console's Logging configuration page, the Configurable Log Fields attribute gets the added NAMEID selection (not accurately depicted): Configurable Log Fields: CONTEXTID DOMAIN HOSTNAME IPADDR LOGGEDBY LOGINID LOGLEVEL MESSAGEID MODULENAME NAMEID 6.2 Dynamic Logging Level To effect dynamic setting of the server's logging level, an addition to the Administration Console's Logging configuration page will be made. Likewise with the nameid opaque handle, an addition to the amlogging.xml and amlogging.properties files are made. An attribute (sun-am-log-level) is added with ChoiceValues corresponding to the java.util.logging.level values (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, OFF), with default INFO. The Logging Level setting applies to all logs, except as noted below. Logging levels for individual log files could be provided, but then the Logging configuration page would get very long. Currently, the sms.dtd supports a radio uitype, but a pulldown type would allow for a more compact display. Another drawback of listing individual log names is the difficulty in supporting additional log names. Currently, logging levels for individual logs can be statically set by adding properties to the AMConfig.properties file of the form: iplanet-am-logging.<logname>.level=finer where <logname> is the log's full name, e.g., amsaml.access. Note that the Liberty, SAML, and Federation are the only components that implement any levels other than INFO. In order to observe AMConfig.properties logging level additions, Logging configuration page changes will apply to all logs other than those specified in AMConfig.properties. Also note that the AMConfig.properties entries are only read once, then cached by the SystemProperties class, so adding or changing logging level properties in that file after server startup will have no effect until the next server restart. Example amlogging.xml addition: <AttributeSchema name="sun-am-log-level" type="single_choice" syntax="string" 8 Copyright 2007 Sun Microsystems, Inc. All rights reserved.

Detailed System Architecture 0, Version 0 i18nkey="a130"> <ChoiceValues> <ChoiceValue i18nkey="choicelogsevere">severe</choicevalue> <ChoiceValue i18nkey="choicelogwarning">warning</choicevalue> <ChoiceValue i18nkey="choiceloginfo">info</choicevalue> <ChoiceValue i18nkey="choicelogconfig">config</choicevalue> <ChoiceValue i18nkey="choicelogfine">fine</choicevalue> <ChoiceValue i18nkey="choicelogfiner">finer</choicevalue> <ChoiceValue i18nkey="choicelogfinest">finest</choicevalue> <ChoiceValue i18nkey="choicelogoff">off</choicevalue> </ChoiceValues> <DefaultValues> <Value>INFO</Value> </DefaultValues> </AttributeSchema> and associated amlogging.properties additions: a130=logging Level choicelogsevere=severe choicelogwarning=warning choiceloginfo=info choicelogconfig=config choicelogfine=fine choicelogfiner=finer choicelogfinest=finest choicelogoff=off The resulting Logging service configuration addition would look like (not accurately depicted): Logging Level: CONFIG FINE FINER FINEST INFO OFF SEVERE WARNING Copyright 2007 Sun Microsystems, Inc. All rights reserved. 9

0, Version 0 Detailed System Architecture 6.3 Detailed XML Messages When logging to flatfiles, there should be no issue with the log record's Data field ( column in database parlance) having a massive (e.g., something like up to 10KBytes) amount of characters. There may be some issue trying to read the records with a simple utility such as vi, but that is not addressed here. When logging to a database (supported ones are Oracle and MySQL), the Data column has been defined as a VARCHAR(255), or a character data type of up to 255 bytes. The maximum for (the now deprecated) Oracle VARCHAR type is 4KBytes, and for the MySQL VARCHAR type is 65,532 bytes (or 255 bytes for MySQL 3.x/4.0/4.1). In order to support a Data column of up to 10KBytes, the Oracle CLOB (Character Large Object) data type should be used; and for MySQL, the LONGTEXT data type, with its 4GB (4294967296) maximum should be used. The maximum size for LONGTEXT is 4GB for MySQL 3.x through 5.0, so using it rather than VARCHAR would allow for more universal support for the large Data column, even if there is a statement of support for MySQL 4.2 and later. There may be some issue with using a larger data type for the Data column for all logging. The bulk of logging by the server does not need more than the currently allotted 255 bytes. The database's storage requirements may be affected by the change to the larger data type. A not-so-attractive alternative is to have the data type switchable between VARCHAR2/VARCHAR(255) and CLOB/LONGTEXT, but the existing tables would all have to be deleted, and the opensso server restarted. Incidentally, the VARCHAR2 data type will replace the VARCHAR type when defining the other columns when logging to an Oracle database. The new large object type for the Data column makes existing AM log tables incompatible with the new log tables. Existing tables would need to be archived and deleted. 6.4 Time Column The current data type for the Time (actually containing date and time) column is VARCHAR for both Oracle and MySQL tables. To use the appropriate data type for the respective databases, the DATE type should be used in Oracle and DATETIME type in MySQL. Changing the Time column from a VARCHAR to DATE/DATETIME type makes existing AM log tables incompatible with the new log tables. Existing tables would need to be archived and deleted. 10 Copyright 2007 Sun Microsystems, Inc. All rights reserved.

0, Version 0 Copyright 2007 Sun Microsystems, Inc. All rights reserved. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information