Installing the JMS-Audit Handler

The JMS-Audit Handler is not installed or updated automatically during standard setup. This section explains how to manually deploy and configure it.

Prerequisite: A working DirX Audit installation.

Deploying the JMS-Audit Handler

The JMS-Audit Handler is included with the DirX Identity product. Locate it in:

product_media_DirX Identity/Additions/jmsAuditHandler

Steps:

  1. Open the folder jmsAuditHandler. It contains:

    • com.siemens.idm.audit.jms.zip – includes server.xml and required JAR files.

    • lib subfolder – contains com.siemens.idm.audit.jms.JmsAuditLogHandler.jar (the plug-in).

  2. Ensure you use the handler version matching your DirX Identity installation.

  3. If upgrading, remove old JAR files from lib to avoid conflicts.

  4. Deploy the handler to each DirX Identity Java-based server:

    <dxi_install_path>/ids-j-<domain>-S<n>/extensions/com.siemens.idm.audit.jms

    Unzip com.siemens.idm.audit.jms.zip into this folder.

Configuring the JMS-Audit Handler

Configure the handler using DirX Identity Manager:

  1. Navigate to:

    • ConnectivityExpert view

    • Select the LDAP entry for the DirX Identity Java-based server (IdS-J)

    • Open the Status and Auditing tab

  2. Settings:

    • Enable JMS-based Auditing – Activates JMS auditing and disables file-based auditing.

    • Message Broker URL – Must match the DirX Audit Configuration Wizard:

      • Non-SSL: tcp://host:30666

      • SSL: ssl://host:30667

    • JMS Queue – Matches the queue configured in DirX Audit Wizard:

      • Example: dxt.<tenantID>.dxi

    • User and Password – Use a broker user with write access:

      • Default writer: dxt-<tenantID>-writer

    • Audit Trail Folder – Temporary storage if JMS is unavailable:

      • Default: ${IDM_HOME}

      • Relative paths are based on <dxi_install_path>/ids-j-<domain>-S<n>/bin

If the JMS-Audit Handler cannot send audit records to the message server, it stores them temporarily in the Audit Trail Folder (one message per file). Once the connection is restored, the handler sends these files and then deletes them automatically.
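
Files that linger in the Audit Trail Folder mean audit records are not reaching the message broker. The following check is an added example, not part of DirX Identity: it assumes a dedicated Audit Trail Folder that holds only the handler's spooled files (the default ${IDM_HOME} contains other files), and the function names, status words and 15-minute threshold are hypothetical. It relies on the -maxdepth and -mmin options of GNU/BSD find.

```shell
#!/bin/sh
# Added example (not DirX Identity code): detect audit records stuck in the
# Audit Trail Folder. Assumes a dedicated folder holding only spooled files.

# count_files DIR [find predicates...] -> number of regular files directly in DIR
count_files() {
    cf_dir=$1; shift
    # One dot per match, so odd characters in file names cannot skew the count.
    find "$cf_dir" -maxdepth 1 -type f "$@" -exec printf '.%.0s' {} + | wc -c | tr -d ' '
}

# audit_backlog DIR [MAX_AGE_MIN]
# Prints "<STATUS> files=N stale=M"; returns 0 (OK or SPOOLING), 1 (BACKLOG),
# 2 (folder missing). "stale" = files older than MAX_AGE_MIN minutes, which the
# handler would already have sent and deleted if the broker were reachable.
audit_backlog() {
    ab_dir=$1
    ab_age=${2:-15}   # hypothetical threshold, tune to your outage tolerance
    if [ ! -d "$ab_dir" ]; then
        echo "UNKNOWN folder-missing"
        return 2
    fi
    ab_total=$(count_files "$ab_dir")
    ab_stale=$(count_files "$ab_dir" -mmin +"$ab_age")
    if [ "$ab_stale" -gt 0 ]; then
        echo "BACKLOG files=$ab_total stale=$ab_stale"
        return 1
    fi
    if [ "$ab_total" -gt 0 ]; then
        echo "SPOOLING files=$ab_total stale=0"   # recent outage or in-flight send
        return 0
    fi
    echo "OK files=0 stale=0"
}

# Run as a script: ./check_audit_spool.sh /path/to/audit-trail-folder 15
if [ $# -gt 0 ]; then
    audit_backlog "$@"
fi
```

Run it from cron or a monitoring agent on each IdS-J host; a non-zero exit means audit events exist that DirX Audit has not yet received, or that the configured folder is missing.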

SSL Configuration

To enable SSL, import the broker’s CA certificate into the Java VM truststore:

Default truststore location: <JRE_folder>/lib/security/cacerts

Command (Windows example):

%JAVA_HOME%\bin\keytool -importcert -trustcacerts -keystore cacerts -storepass cacerts-pwd -alias ca-alias -file ca.crt

Fallback Behavior

If the handler cannot find its configuration in IdS-J, it falls back to server.xml in the extension folder.

  • Default LDAP configuration activates file-based auditing (multiple records per file).

  • Manage these files to prevent disk space issues.

Additional Recommendation

You can use the same ActiveMQ message broker for DirX Identity and DirX Audit to simplify installation and reduce the number of components.