- 07 Jan 2025
Configuring Secure Auditing
- Updated on 07 Jan 2025
During installation, the Maintenance Wizard will allow you to enable secure auditing via the Use Secure Auditing option on the Secure Auditing page.
Specify whether to use Secure Auditing from the list.
If you chose to use a hardware security module (HSM):
- Specify the epoch details. Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.
- Specify the HSM key settings. A self-signed certificate will be generated based on the master audit public key. The name of the certificate is IDENTIKEY Master Audit Certificate.

If you chose to use a software security module:
- Specify the epoch details. Epochs can be measured in elapsed time or lines in the audit file; you can configure either or both.
- Specify the SSM master keypair settings:
  - Generate and install new keypair and certificate (self-signed). Provide the passwords to the master audit key store. An ECDSA keypair will be generated for use as the master audit keypair. This keypair will be NIST P-256 compliant and will be stored in PKCS #12 format. The name of the certificate is IDENTIKEY Master Audit Certificate.
  - Install my own keypair. Provide the certificate file and its corresponding private key password.
Certification authority (CA) files should be located on the same host as OneSpan Authentication Server. If your CA file is located on a network share, you need to copy the file locally before you browse to it and select it.
The password for the master audit key store must comply with the following requirements:
- At least 16 characters long
- Contains at least 1 lowercase character
- Contains at least 1 uppercase character
- Contains at least 1 numeric character
Manually created Secure Auditing certificate files must be generated from supported elliptic curve keys. Secure Auditing for OneSpan Authentication Server only supports elliptic curve keys that are:
- ECDSA
- NIST P-256 compliant
- Stored in PKCS #12 format
- Password-protected (i.e. empty password is not valid)
Additionally, the certificate file must meet the following requirements:
- It must be in the correct file format:
  - If you are installing the certificate file via the Configuration Wizard during installation, it should be in .pem file format.
  - If you are installing the certificate file via the Configuration Utility, it should be in .p12 file format.
- The elliptic curve must be password-protected (i.e. an empty password is not valid).
- The certificate must be generated from the elliptic curve key.
- The elliptic curve key must be placed in the certificate file.
For more information about manually generating Secure Auditing certificate files, see Creating secure auditing certificate files manually.
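The password rules and the key and certificate requirements listed above can be checked before a file is handed to the wizard. The following is an added example, not OneSpan tooling: it assumes the OpenSSL command-line tool is installed, the function names `check_audit_password` and `check_audit_p12` are hypothetical, and it covers the .p12 form only.

```shell
#!/bin/sh
# Added example (not OneSpan code): pre-flight checks for the requirements above.
# Function names and messages are assumptions made for this sketch.

# Master audit key store password: >= 16 chars, one lowercase, uppercase, digit.
check_audit_password() {
    [ "${#1}" -ge 16 ] || { echo "shorter than 16 characters" >&2; return 1; }
    case $1 in *[[:lower:]]*) ;; *) echo "no lowercase character" >&2; return 1 ;; esac
    case $1 in *[[:upper:]]*) ;; *) echo "no uppercase character" >&2; return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) echo "no numeric character" >&2; return 1 ;; esac
}

# check_audit_p12 FILE PASSWORD: succeeds only for a password-protected PKCS #12
# file holding a NIST P-256 EC key and a certificate generated from that key.
# The body runs in a subshell so the exported password does not leak to the caller.
check_audit_p12() (
    [ -n "$2" ] || { echo "empty password is not valid" >&2; exit 1; }
    P12_PASS=$2; export P12_PASS   # passed via env, not argv, to keep it out of ps
    # Derive the public key from the stored private key; the key stays in the pipe.
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] || { echo "not PKCS #12, wrong password, or no key" >&2; exit 1; }
    # prime256v1 is OpenSSL's name for NIST P-256.
    printf '%s\n' "$key_pub" | openssl pkey -pubin -noout -text 2>/dev/null |
        grep -q 'prime256v1' || { echo "key is not EC on NIST P-256" >&2; exit 1; }
    # The certificate's public key must be the one derived from the private key.
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$cert_pub" ] || { echo "certificate does not match key" >&2; exit 1; }
)
```

Both functions return 0 on success and print the failed requirement to stderr otherwise, so they can gate a deployment script.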
To enable secure auditing after installation, you need to re-run the Installation Wizard. To do so, start the Maintenance Wizard and select Re-run Installation Wizard. The wizard will guide you through the different configuration screens available during installation, including the Secure Auditing page where you can enable and configure secure auditing.