How to change the debug logging level for ADSS Server?
To change the debug logging level for ADSS Server, edit the log.properties file of each instance (Core, Console and Service) at the following locations and replace every occurrence of the word INFO with DEBUG or ERROR as required.
- [ADSS Server installation directory]/core/log.properties
- [ADSS Server installation directory]/console/log.properties
- [ADSS Server installation directory]/service/log.properties
Restart the ADSS Server Windows services or UNIX daemons for the changes to take effect.
How can I change the default debug logs path to my custom path?
To change the log file path of a particular instance, edit the file [ADSS Server Installation Directory]/[Core or Console or Service]/log.properties and follow the steps below:
- Change the value of the property appender.DRFILE*.fileName to the desired file name, including the complete folder path.
- Change the value of the property appender.DRFILE*.filePattern to the desired file name pattern.
- Change the value of the property appender.DRFILE*.strategy.action.basepath to the desired complete folder path.
- Restart the particular ADSS Server instance (Core, Console or Service) for the changes to take effect.
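As an added example (not Ascertia's code), a small Python checker for the log.properties edits described in the two articles above: it parses the DRFILE* properties named on the page and flags an appender whose fileName or filePattern directory no longer matches its strategy.action.basepath (the common slip when moving logs to a custom path), plus any logger left at DEBUG or TRACE. The sample content, appender numbers and paths are constructed, and the Log4j 2 properties syntax is assumed from the property names on the page.

```python
import re
from pathlib import PurePosixPath

# Constructed sample log.properties fragment (Log4j 2 properties syntax): property
# names are those given on the page; appender numbers, paths and levels are made up.
SAMPLE = """\
logger.DRFILE1.level = INFO
appender.DRFILE1.fileName = /var/log/adss/core/core.log
appender.DRFILE1.filePattern = /var/log/adss/core/core-%d{yyyy-MM-dd}.log.gz
appender.DRFILE1.strategy.action.basepath = /var/log/adss/core
# DRFILE14: fileName/filePattern moved to a custom path but basepath left behind
logger.DRFILE14.level = DEBUG
appender.DRFILE14.fileName = /var/log/adss/hsm/pkcs11.log
appender.DRFILE14.filePattern = /var/log/adss/hsm/pkcs11-%i.log
appender.DRFILE14.strategy.action.basepath = /opt/adss/logs
"""

PROP_RE = re.compile(r"^\s*(?:appender|logger)\.(DRFILE\d+)\.(\S+?)\s*=\s*(.*?)\s*$")

def parse_properties(text):
    """Group DRFILE* properties by appender/logger id: {id: {key: value}}."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = PROP_RE.match(line)
        if m:
            props.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return props

def check_appender(name, p):
    """Return findings for one DRFILE appender and its logger level."""
    findings = []
    base = p.get("strategy.action.basepath")
    for key in ("fileName", "filePattern"):
        value = p.get(key)
        if value and base and PurePosixPath(value).parent != PurePosixPath(base):
            # The rollover Delete action prunes only files under basepath; logs
            # written elsewhere are never removed and accumulate until the disk fills.
            findings.append(f"{name}: {key} directory {PurePosixPath(value).parent} "
                            f"is outside basepath {base}")
    if p.get("level") in ("DEBUG", "TRACE"):
        findings.append(f"{name}: level {p['level']} is verbose, expect larger logs")
    return findings

def audit(text):
    """Audit every DRFILE appender in a log.properties text; [] means clean."""
    return [f for name, p in sorted(parse_properties(text).items())
            for f in check_appender(name, p)]
```

Run `audit()` over the contents of each instance's log.properties after editing and before restarting; an empty list means the three path properties agree and no logger is still at a verbose level.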
How can I turn on debug level logging for the Gemalto SafeNet Luna SA HSM?
You will need to install the Gemalto SafeNet SDK (if not already installed) on the ADSS Server machine. Modify the crystoki.ini file so that its first two sections match those in Sample_crystoki.ini.
How can I turn on debug level logging for ADSS Server (v5.5 or older) when communicating with the HSM?
The following instructions enable debug level logging for the underlying toolkit provider, i.e. IAIK, when communicating with the HSM:
- Follow the KB article above (Enabling the debug logging for Luna HSM) to enable debug logging for the Luna SA HSM. You may also try the same configuration for Luna PCI, or contact the Gemalto SafeNet support team for the relevant instructions.
- Stop the Ascertia-ADSS-Service from the Windows Services panel / UNIX daemon.
- Download and extract the following zip file: PKCS#11 Wrapper
- Copy the relevant debug version of the pkcs11wrapper.dll file (32 or 64 bit, from the extracted zip) according to your environment.
- Click here for instructions to turn on the ADSS Server debug logs.
- Go to [ADSS Server Installation Directory]/service, open the log.properties file in a text editor, uncomment the last four lines as shown below, and save the file.
- Launch a shell (cmd for Windows / terminal for UNIX) as the administrator/root user.
- Go to [ADSS Server Installation Directory]/tomcat/bin in the shell.
- Run the following commands one by one to start the ADSS Server Service component within the shell:
- Execute the test case again and share the test.log file with us. This log file can be found under [ADSS Server Installation Directory]/tomcat/bin.
- After this testing, close the shell and start the Ascertia-ADSS-Service from the Windows Services panel / UNIX daemon as before.
How can I turn on debug level logging for ADSS Server (v5.6 or newer) when communicating with the HSM?
The following instructions enable debug level logging for the underlying toolkit provider, i.e. IAIK, when communicating with the HSM:
- Follow the KB article above (Enabling the debug logging for Luna HSM) to enable debug logging for the Luna SA HSM. You may also try the same configuration for Luna PCI, or contact the Gemalto SafeNet support team for the relevant instructions.
- Stop the Ascertia-ADSS-Service from the Windows Services panel / UNIX daemon.
- Download and extract the following zip file: PKCS#11 Wrapper
- Copy the relevant debug version of the pkcs11wrapper.dll file (32 or 64 bit, from the extracted zip) according to your environment.
- Click here for instructions to turn on the ADSS Server debug logs.
- Go to [ADSS Server Installation Directory]/service, open the log.properties file in a text editor, update the value of the property logger.DRFILE14.level as shown below, and save the file.
- Launch a shell (cmd for Windows / terminal for UNIX) as the administrator/root user.
- Go to [ADSS Server Installation Directory]/tomcat/bin in the shell.
- Run the following commands one by one to start the ADSS Server Service component within the shell:
- Execute the test case again and share the test.log file with us. This log file can be found under [ADSS Server Installation Directory]/tomcat/bin.
- After this testing, close the shell and start the Ascertia-ADSS-Service from the Windows Services panel / UNIX daemon as before.
How to protect archived files exported from the system?
The archiving module allows ADSS Server operators to enable or disable auto-archiving of the transaction logs. Auto-archiving is the automated removal of data records from the ADSS Server database at a configured time; its purpose is to ensure that the database does not grow forever or require manual removal of records. The removed records are stored in a CSV file and can later be re-imported into ADSS Server for viewing if required.
How to import archived log files?
Archived files can be re-imported into ADSS Server for viewing using the facility provided in each service's Transaction Logs viewing area. If an imported archive file is digitally signed, its signature is verified on import; if the signature is not trusted, an error message is shown.
What are the best logs archiving practices?
Here are best practices for logs archiving, together with some important facts to know about it:
- The option "Delete records from database once archived" should be turned on. This is necessary so that the database size does not continue to grow.
- The value of "Archive At" should be set to an off-peak time so that the records are not archived during working hours.
- It is recommended to set the archive file path to a network location so that the archive files do not consume space on the ADSS Server machine.
- Archived files can be moved from one location to another e.g. from a primary location (where the archive files are initially placed) to another backup location or removable media.
- Archived files can be viewed within ADSS Server Console at any time as explained above.
- Integrity check (HMAC Verification) can be performed for the archived files as explained above.
- HMAC values cannot be re-computed for the archive log files.
- Keep the value of the "Auto Archive Every" field as low as possible so that logs archiving runs frequently.
- Archive as many of the database records as possible by keeping the value of the "Archive records older than" field as low as possible.
- The archive files should be signed as explained above.
- HMAC Verification on the archive files will fail if the HMAC key has been changed since the archive file was produced.