
How to change the debug logging level for ADSS Server?

To change the debug logging level for ADSS Server, edit the log.properties file of every instance (Core, Console and Service) at the following locations and replace each occurrence of the level INFO with DEBUG or ERROR as needed:

  • [ADSS Server installation directory]/core/log.properties
  • [ADSS Server installation directory]/console/log.properties
  • [ADSS Server installation directory]/service/log.properties

Restart the ADSS Server Windows services or UNIX daemons for the changes to take effect.


How can I change the default debug logs path to my custom path?

To change the log file path of a particular instance, edit the file [ADSS Server Installation Directory]/[Core or Console or Service]/log.properties and follow the steps below:

  1. Change the value of the property appender.DRFILE*.fileName to the desired file name, including the complete folder path.
  2. Change the value of the property appender.DRFILE*.filePattern to the desired rolled-file name pattern.
  3. Change the value of the property appender.DRFILE*.strategy.action.basepath to the desired complete folder path.
  4. Restart the particular ADSS Server instance (Core, Console or Service) for the changes to take effect.

Note: The * symbol in the property name stands for the appender's distinct number, which differs for each logger.



Following is an example of changing the path for ADSS Server Console instance:

Old Path:

appender.DRFILE2.fileName = D:/Ascertia/adss-server/logs/console/console.log

appender.DRFILE2.filePattern = D:/Ascertia/adss-server/logs/console/console.%d{yyyy-MM-dd}.log

appender.DRFILE2.strategy.action.basepath = D:/Ascertia/adss-server/logs/console


New Path:

appender.DRFILE2.fileName = E:/ADSS_Logs/console.log

appender.DRFILE2.filePattern = E:/ADSS_Logs/console.%d{yyyyMMdd}.log

appender.DRFILE2.strategy.action.basepath = E:/ADSS_Logs
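The following is an added example, not code from Ascertia or the ADSS Server product, covering the two answers above in one script: changing the level in the three log.properties files and relocating one appender's path properties. The property names (logger.DRFILE*.level, appender.DRFILE*.fileName, filePattern and strategy.action.basepath) come from this page; the Log4j2-style layout of the constructed sample file and the .bak backup convention are assumptions. It edits only lines whose key ends in "level", so a path that happens to contain the word INFO is not rewritten, and it checks the %d{...} date token for the common mistake of writing minutes (mm) where the month (MM) was meant.

```python
"""Added example (not Ascertia's code): edit ADSS Server log.properties
files the way the two answers above describe. Property names follow the
page; the Log4j2-style layout of the sample file is an assumption."""
import re
from pathlib import Path

# Constructed sample modelled on the Console instance quoted on the page.
SAMPLE_CONSOLE_PROPERTIES = """\
rootLogger.level = INFO
logger.DRFILE2.level = INFO
appender.DRFILE2.fileName = D:/Ascertia/adss-server/logs/console/console.log
appender.DRFILE2.filePattern = D:/Ascertia/adss-server/logs/console/console.%d{yyyy-MM-dd}.log
appender.DRFILE2.strategy.action.basepath= D:/Ascertia/adss-server/logs/console
"""

LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}
# Only '<something>level = <LEVEL>' lines are touched, so a path or pattern
# that happens to contain the word INFO is left alone.
LEVEL_LINE = re.compile(r"^(\s*[\w.]*level\s*=\s*)(\w+)(\s*)$", re.MULTILINE)


def set_log_levels(text, new_level, only_from="INFO"):
    """Return text with every level currently set to only_from changed."""
    new_level = new_level.upper()
    if new_level not in LEVELS:
        raise ValueError(f"unknown log level {new_level!r}")

    def swap(match):
        if match.group(2).upper() != only_from.upper():
            return match.group(0)
        return match.group(1) + new_level + match.group(3)

    return LEVEL_LINE.sub(swap, text)


def _split_dir(value):
    """Split 'D:/x/console.%d{yyyy-MM-dd}.log' into directory and name,
    cutting only in the literal part before any %d{...} token."""
    value = value.strip().replace("\\", "/")
    literal = value.split("%", 1)[0]
    directory = literal.rpartition("/")[0]
    return directory, (value[len(directory) + 1:] if directory else value)


def relocate_appender(text, appender_no, new_dir):
    """Rewrite the three appender.DRFILE<n>.* path properties (steps 1-3 of
    the answer above) to new_dir, keeping file names and date tokens."""
    new_dir = new_dir.replace("\\", "/").rstrip("/")
    prefix = f"appender.DRFILE{appender_no}."
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        name = key.strip()
        if sep and name in (prefix + "fileName", prefix + "filePattern"):
            line = f"{name} = {new_dir}/{_split_dir(value)[1]}"
        elif sep and name == prefix + "strategy.action.basepath":
            line = f"{name} = {new_dir}"
        out.append(line)
    return "\n".join(out) + "\n"


def check_file_patterns(text):
    """Flag %d{...} tokens with no month field: Log4j2 date patterns use
    SimpleDateFormat symbols, where 'MM' is month and 'mm' is minutes, so
    'yyyymmdd' would roll the file every minute rather than daily."""
    warnings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip().endswith(".filePattern"):
            continue
        for token in re.findall(r"%d\{([^}]*)\}", value):
            if "MM" not in token and "mm" in token:
                warnings.append(f"{key.strip()}: %d{{{token}}} has minutes 'mm' but no month 'MM'")
    return warnings


def set_levels_on_disk(install_dir, new_level, instances=("core", "console", "service")):
    """Apply set_log_levels to each instance's log.properties, keeping a
    .bak copy (assumed convention); returns the files that changed.
    The edited instances still need a restart, as the page says."""
    changed = []
    for instance in instances:
        path = Path(install_dir) / instance / "log.properties"
        if not path.is_file():
            continue
        original = path.read_text(encoding="utf-8")
        updated = set_log_levels(original, new_level)
        if updated != original:
            path.with_name("log.properties.bak").write_text(original, encoding="utf-8")
            path.write_text(updated, encoding="utf-8")
            changed.append(str(path))
    return changed


if __name__ == "__main__":
    debug = set_log_levels(SAMPLE_CONSOLE_PROPERTIES, "DEBUG")
    print(relocate_appender(debug, 2, "E:/ADSS_Logs"))
    print(check_file_patterns("appender.DRFILE2.filePattern = E:/ADSS_Logs/console.%d{yyyymmdd}.log"))
```

DEBUG output is more verbose and can carry request details that INFO omits, so the same script is the convenient way to put the level back to INFO once troubleshooting is done; and whatever directory the appender is relocated to should be writable by the ADSS Server service account only.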

How can I turn on debug level logging for the Gemalto SafeNet Luna SA HSM?

Install the Gemalto SafeNet SDK on the ADSS Server machine if it is not already installed. Then modify the crystoki.ini file so that its first two sections match those in Sample_crystoki.ini:


In the hardware crypto profile, use cklog201.dll instead of cryptoki.dll, save the changes, and then restart the ADSS Server Service instance from the Windows Services Panel or as a UNIX daemon.

How can I turn on debug level logging for ADSS Server (v5.5 or older) when communicating with the HSM?

The following instructions enable debug logging in the underlying PKCS#11 toolkit provider (IAIK) when ADSS Server communicates with the HSM:

  1. Follow the KB article above (enabling debug logging for the Luna HSM) to enable debug logging for the Luna SA HSM. The same configuration may also work for Luna PCI; otherwise contact Gemalto SafeNet support for the relevant instructions.
  2. Stop the Ascertia-ADSS-Service from the Windows Services Panel / UNIX daemon.
  3. Download and extract the following zip file: PKCS#11 Wrapper
  4. Copy the relevant debug version (32-bit or 64-bit, from the extracted zip) of the pkcs11wrapper.dll file for your environment.
  5. Click here for instructions on turning on the ADSS Server debug logs.
  6. Go to [ADSS Server Installation Directory]/service, open the log.properties file in a text editor, uncomment the last four lines as shown below and save the file.

  7. Launch a shell (cmd on Windows / terminal on UNIX) as the administrator/root user.
  8. In the shell, go to [ADSS Server Installation Directory]/tomcat/bin.
  9. Run the following commands one by one to start the ADSS Server Service component within the shell:

  10. Execute the test case again and share the test.log file with us. This log file can be found under [ADSS Server Installation Directory]/tomcat/bin.
  11. After this testing, close the shell and start the Ascertia-ADSS-Service from the Windows Services Panel / as a UNIX daemon as before.

How can I turn on debug level logging for ADSS Server (v5.6 or newer) when communicating with the HSM?

The following instructions enable debug logging in the underlying PKCS#11 toolkit provider (IAIK) when ADSS Server communicates with the HSM:

  1. Follow the KB article above (enabling debug logging for the Luna HSM) to enable debug logging for the Luna SA HSM. The same configuration may also work for Luna PCI; otherwise contact Gemalto SafeNet support for the relevant instructions.
  2. Stop the Ascertia-ADSS-Service from the Windows Services Panel / UNIX daemon.
  3. Download and extract the following zip file: PKCS#11 Wrapper
  4. Copy the relevant debug version (32-bit or 64-bit, from the extracted zip) of the pkcs11wrapper.dll file for your environment.
  5. Click here for instructions on turning on the ADSS Server debug logs.
  6. Go to [ADSS Server Installation Directory]/service, open the log.properties file in a text editor, update the value of the property logger.DRFILE14.level as shown below and save the file.

  7. Launch a shell (cmd on Windows / terminal on UNIX) as the administrator/root user.
  8. In the shell, go to [ADSS Server Installation Directory]/tomcat/bin.
  9. Run the following commands one by one to start the ADSS Server Service component within the shell:

  10. Execute the test case again and share the test.log file with us. This log file can be found under [ADSS Server Installation Directory]/tomcat/bin.
  11. After this testing, close the shell and start the Ascertia-ADSS-Service from the Windows Services Panel / as a UNIX daemon as before.

How to protect archived files exported from the system?

The archiving module allows ADSS Server operators to enable or disable auto-archiving of the transaction logs. Auto-archiving is the automated removal of data records from the ADSS Server database at a configured time; its purpose is to ensure that the database does not grow forever or require manual removal of records. The removed records are stored in a CSV file and can later be re-imported into ADSS Server for viewing if required.

ADSS Server is implemented so that all archived data remains secure and any unauthorised modification can be detected. Archive log files can be digitally signed by configuring the log signing certificate in Global Settings > System Certificates. After making this configuration change, reload the configurations using the Server Manager module.

How to import archived log files?

Archived files can be re-imported into ADSS Server for viewing using the facility provided in each service's Transaction Logs viewing area. If an archive file is digitally signed, its signature is verified on import; if the signature is not trusted, an error message is shown.

  • If the archives were taken some time in the past and the ADSS Server database table structure has since changed as a result of upgrading to a newer version, the HMAC records previously generated in the archived files will not verify successfully. This is not a cause for concern, because the overall digital signature, not the old HMAC values, is the mechanism that provides data integrity for the archived files.
  • Importing archive files does not re-insert them into the original database area permanently; they are imported only temporarily into a separate area for viewing and are removed afterwards.

What are the best logs archiving practices?

Here are best logs archiving practices and some important facts to know about logs archiving:

  1. The option "Delete records from database once archived" should be turned on. This is necessary so that the database size does not continue to grow.
  2. The value for "Archive At" should be set to an off-peak time so that the archiving of the records is not performed during working hours.
  3. It is recommended to set the archive file path to a network location so that the archive files do not consume space on the ADSS Server machine.
  4. Archived files can be moved from one location to another, e.g., from a primary location (where the archive files are initially placed) to a backup location or removable media.
  5. Archived files can be viewed within the ADSS Server Console at any time, as explained above.
  6. An integrity check (HMAC verification) can be performed on the archived files, as explained above.
  7. HMAC values cannot be re-computed for the archive log files.
  8. Keep the value of the "Auto Archive Every" field as low as possible so that log archiving is performed frequently.
  9. Try to archive most of the database records by keeping the value of the "Archive records older than" field as low as possible.
  10. The archive files should be signed, as explained above.
  11. HMAC verification of the archive files will fail if the HMAC key has been changed since the archive file was produced.
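The following is an added example, not Ascertia's code and not a description of the ADSS Server file format, that models the two integrity layers described in the "How to protect archived files" and "How to import archived log files" answers and the HMAC caveats in items 6, 7 and 11 above: a per-record HMAC stored with each CSV row, and a file-level signature covering the whole export. The CSV columns, record values and keys are constructed; because Python's standard library has no asymmetric signing, the file-level signature is stood in for by an HMAC-SHA256 under a separate key, which is an assumption that keeps the example runnable offline. The scenarios at the end show what an importer sees when a record is altered, when the HMAC key has been rotated, and when the current column layout no longer matches the archived one.

```python
"""Added example (not Ascertia's code): per-record HMACs plus a file-level
integrity tag over an archived transaction-log CSV, and what verification
reports in the failure cases the page describes."""
import csv
import hashlib
import hmac
import io

RECORD_KEY = b"constructed-hmac-key-v1"  # per-record HMAC key (constructed)
SIGN_KEY = b"constructed-signing-key"    # stand-in for the log signing key (assumption)
COLUMNS = ["id", "timestamp", "service", "status"]
RECORDS = [  # constructed sample transaction log records
    {"id": "1001", "timestamp": "2024-05-01T02:00:00Z", "service": "Signing", "status": "OK"},
    {"id": "1002", "timestamp": "2024-05-01T02:00:07Z", "service": "Verification", "status": "OK"},
    {"id": "1003", "timestamp": "2024-05-01T02:01:15Z", "service": "Signing", "status": "FAILED"},
]
SIG_PREFIX = "#signature="


def record_mac(row, columns, key):
    """Per-record HMAC over the column names and values in a fixed order, so
    both a changed value and a changed column layout alter the tag."""
    canonical = "\x1f".join(columns) + "\x1e" + "\x1f".join(row.get(c, "") for c in columns)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def export_archive(records, columns, record_key, sign_key):
    """Write the CSV with an extra 'hmac' column, then append a trailer line
    carrying the file-level tag over every preceding byte."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns + ["hmac"], lineterminator="\n")
    writer.writeheader()
    for row in records:
        writer.writerow({**row, "hmac": record_mac(row, columns, record_key)})
    body = buf.getvalue().encode("utf-8")
    tag = hmac.new(sign_key, body, hashlib.sha256).hexdigest()
    return body + (SIG_PREFIX + tag + "\n").encode("utf-8")


def verify_archive(blob, columns, record_key, sign_key):
    """Check the file-level tag, then every record's HMAC using the caller's
    current column layout (as an importer working from the live schema would)."""
    text = blob.decode("utf-8")
    body, sep, trailer = text.rpartition(SIG_PREFIX)
    result = {"signature_ok": False, "records": 0, "hmac_failures": []}
    if not sep:
        return result  # unsigned export: nothing vouches for the file as a whole
    expected = hmac.new(sign_key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    result["signature_ok"] = hmac.compare_digest(expected.encode(), trailer.strip().encode())
    for row in csv.DictReader(io.StringIO(body)):
        result["records"] += 1
        stored = row.get("hmac", "").encode()
        if not hmac.compare_digest(stored, record_mac(row, columns, record_key).encode()):
            result["hmac_failures"].append(row.get("id"))
    return result


def run_scenarios():
    """Intact file, one altered record, rotated HMAC key, and a column layout
    that changed after an upgrade; returns each verification result."""
    archive = export_archive(RECORDS, COLUMNS, RECORD_KEY, SIGN_KEY)
    altered = archive.replace(b"Signing,FAILED", b"Signing,OK", 1)
    return {
        "intact": verify_archive(archive, COLUMNS, RECORD_KEY, SIGN_KEY),
        "altered": verify_archive(altered, COLUMNS, RECORD_KEY, SIGN_KEY),
        # Key rotated since export: every per-record HMAC fails, signature still holds.
        "rotated_key": verify_archive(archive, COLUMNS, b"constructed-hmac-key-v2", SIGN_KEY),
        # Schema gained a column after export: same picture, signature is what counts.
        "upgraded_schema": verify_archive(archive, COLUMNS + ["client_ip"], RECORD_KEY, SIGN_KEY),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} signature_ok={outcome['signature_ok']} "
              f"hmac_failures={outcome['hmac_failures']}")
```

The point the two failure scenarios make is the one in the note above: after a key rotation or a schema change every per-record HMAC fails while the file-level signature still verifies, so an importer should treat a signature failure as tampering and an HMAC-only failure as something to explain from the archive's age, not as proof of modification.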