Installing the JMS-Audit Handler

The JMS-Audit handler is neither configured nor updated automatically as part of the normal installation and configuration. This chapter describes the manual steps for its deployment. It requires an existing DirX Audit installation.

Deploying the JMS-Audit Handler

The JMS-Audit Handler is delivered with the DirX Identity product. You find it in the folder

product_media_DirX Identity/Additions/jmsAuditHandler.

The handler depends on the DirX Identity version and may differ from version to version. Therefore, always take the plug-in from the installation media of the DirX Identity version you are running and perform the following steps.

The folder jmsAuditHandler contains the zip file com.siemens.idm.audit.jms.zip, which holds the configuration file server.xml and, in the lib subfolder, the jar file(s). The file com.siemens.idm.audit.jms.JmsAuditLogHandler.jar contains the plug-in itself. As of DirX Identity 8.3 no further jar files are needed. If you deployed the handler for a previous version, make sure that no other jar remains in the lib folder.

You have to deploy the handler to each DirX Identity Java-based Server (IdS-J). In the folder

dxi_install_path/ids-j-domain-Sn/extensions

create the subfolder com.siemens.idm.audit.jms and unzip the file com.siemens.idm.audit.jms.zip into it.
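The deployment step and the check for leftover jars, as an added example written for this page (it is not part of the DirX Identity documentation or product). It assumes a Linux/Unix IdS-J host with unzip available; the install and media paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example; it is not part of the DirX Identity documentation or product.
# Deploys the JMS-Audit handler into one IdS-J extensions folder and then
# verifies that lib/ holds only the jar that DirX Identity 8.3 needs.
# All paths passed to the functions are assumptions (your own install paths).
set -u

EXPECTED_JAR="com.siemens.idm.audit.jms.JmsAuditLogHandler.jar"
EXT_NAME="com.siemens.idm.audit.jms"

# check_handler_lib <extension folder>
# Returns 0 when <extension folder>/lib contains exactly $EXPECTED_JAR and
# server.xml is present, 1 otherwise. Any other jar is treated as a leftover
# from a handler deployed for an earlier DirX Identity version.
check_handler_lib() {
  local ext_dir="$1" lib_dir="$1/lib" rc=0 jar
  if [ ! -f "$lib_dir/$EXPECTED_JAR" ]; then
    echo "ERROR: $lib_dir/$EXPECTED_JAR is missing" >&2
    rc=1
  fi
  for jar in "$lib_dir"/*.jar; do
    [ -e "$jar" ] || continue                 # glob did not match: no jars at all
    case "$jar" in
      */"$EXPECTED_JAR") ;;                   # the one jar that belongs here
      *) echo "ERROR: unexpected jar in lib folder, remove it: $jar" >&2; rc=1 ;;
    esac
  done
  if [ ! -f "$ext_dir/server.xml" ]; then
    echo "ERROR: $ext_dir/server.xml is missing" >&2
    rc=1
  fi
  return "$rc"
}

# deploy_handler <com.siemens.idm.audit.jms.zip from the media> <dxi_install_path/ids-j-domain-Sn>
# unzip -o overwrites files from a previous deployment but never deletes
# jars that the new zip no longer ships, hence the check afterwards.
deploy_handler() {
  local zip_file="$1" ids_j_dir="$2" ext_dir
  ext_dir="$ids_j_dir/extensions/$EXT_NAME"
  mkdir -p "$ext_dir" || return 1
  unzip -q -o "$zip_file" -d "$ext_dir" || return 1
  check_handler_lib "$ext_dir"
}

# Usage (repeat for every IdS-J server; paths are placeholders):
#   deploy_handler /media/dxi/Additions/jmsAuditHandler/com.siemens.idm.audit.jms.zip \
#                  /opt/dirx/identity/ids-j-domain-S1
```

Run deploy_handler once per IdS-J server; a non-zero exit means the extension folder is not in the state the text requires and the listed jar has to be removed by hand before the server is restarted.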

Configuring the JMS-Audit Handler

You configure the handler with DirX Identity Manager. In the Expert view of the Connectivity view, navigate to the LDAP entry representing the DirX Identity Java-based server (IdS-J) and open the Status and Auditing tab.

  • By checking the flag JMS-based Auditing, you enable auditing via JMS and disable auditing into files.

  • Make sure the message broker URL matches what you configured in the DirX Audit Configuration Wizard for the DirX Identity JMS collector. The typical URL without SSL is tcp://host:30666; the corresponding URL with SSL is ssl://host:30667.

  • The JMS queue must match what you configured in the DirX Audit Configuration Wizard for the DirX Identity JMS collector. Note that beginning with DirX Audit V7, queue names are tenant-specific, so the queue name contains the tenant ID; for example, dxt.tenantID.dxi.

  • Make sure that user and password match a user of the message broker with sufficient rights to write into that queue; write access to the queue is all the handler needs, so do not use an administrative broker account. The DirX Audit Configuration Wizard creates a writer user for DirX Identity by default. As of DirX Audit V7 this user is tenant-specific; the default writer is dxt-tenantID-writer.

  • If the JMS Audit handler cannot send the audit records to the message broker, it stores them temporarily in the Audit Trail Folder, one message per file. By default the folder is local to the server; this is indicated by the placeholder ${IDM_HOME}, which represents the home folder of the Java server. If you specify a relative path, keep in mind that it is resolved relative to the working folder of IdS-J, which is dxi_install_path/ids-j-domain-Sn/bin. As soon as the handler can connect to the message broker again, it sends the audit records from the files and then deletes the files. So normally you do not have to manage these files yourself, unless the connection problems last so long that the files fill up the disk; during a longer broker outage, keep an eye on the size of this folder.
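The path rules for the Audit Trail Folder and a backlog check for the spooled files, as an added example written for this page (not part of the DirX Identity documentation or product). It assumes a Linux/Unix IdS-J host and that ${IDM_HOME} resolves to the ids-j-domain-Sn folder of the server; the thresholds and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example; not part of the DirX Identity documentation or product.
# 1) resolve_audit_trail_folder: where the spooled audit records end up,
#    following the rules in the text (${IDM_HOME} placeholder, relative paths
#    resolved against ids-j-domain-Sn/bin). Assumption: IDM_HOME is the
#    ids-j-domain-Sn folder of the server.
# 2) audit_trail_backlog: count and size of the spooled files, so a cron or
#    monitoring job can alert during a long broker outage before the disk fills.
set -u

# resolve_audit_trail_folder <configured value> <dxi_install_path/ids-j-domain-Sn>
resolve_audit_trail_folder() {
  local configured="$1" ids_j_dir="$2" ph path
  ph='${IDM_HOME}'
  case "$configured" in
    "$ph"*) path="$ids_j_dir${configured#"$ph"}" ;;   # placeholder -> server home
    /*)     path="$configured" ;;                    # absolute path, used as is
    *)      path="$ids_j_dir/bin/$configured" ;;     # relative to the IdS-J working folder
  esac
  printf '%s\n' "$path"
}

# audit_trail_backlog <folder> <max files> <max MiB>
# Prints "<files> <KiB used>"; returns 0 when both are within the thresholds,
# 1 when a threshold is exceeded, 2 when the folder does not exist.
audit_trail_backlog() {
  local folder="$1" max_files="$2" max_mib="$3" files kib
  [ -d "$folder" ] || return 2
  files=$(find "$folder" -maxdepth 1 -type f | wc -l | tr -d ' ')
  kib=$(du -sk "$folder" | cut -f1)
  printf '%s %s\n' "$files" "$kib"
  if [ "$files" -gt "$max_files" ] || [ "$kib" -gt $((max_mib * 1024)) ]; then
    echo "WARNING: $files spooled audit records ($kib KiB) in $folder; message broker unreachable?" >&2
    return 1
  fi
  return 0
}

# Usage (placeholder paths and thresholds):
#   folder=$(resolve_audit_trail_folder '${IDM_HOME}/audit-trail' /opt/dirx/identity/ids-j-domain-S1)
#   audit_trail_backlog "$folder" 10000 512
```

A growing file count in this folder is the first visible symptom of a broken broker connection (wrong URL, expired broker certificate, or a writer account without queue access), so an alert on the backlog is usually more useful than an alert on free disk space alone.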

If you use SSL to connect to the DirX Audit message broker, make sure to import the CA certificate of the broker into the truststore of the Java VM running the IdS-J server. By default, this is the file JRE_folder/lib/security/cacerts. You can use the following Java keytool command for the import, assuming the CA certificate is in the file ca.crt and the command is run in the folder containing cacerts (otherwise pass the full path of cacerts to -keystore); cacerts-pwd is the truststore password, which for an unchanged JRE is changeit (Windows notation):

%JAVA_HOME%\bin\keytool -importcert -trustcacerts -keystore cacerts -storepass cacerts-pwd -alias ca-alias -file ca.crt

Keep in mind that every application run by this JVM then trusts the imported CA, and that a JRE update typically replaces cacerts, so repeat the import after updating the JRE.

If the handler doesn’t find its configuration in the IdS-J server configuration, it uses the configuration stored in the file server.xml from its extension folder.

Note that in this case the default LDAP configuration activates the audit file writer, which writes audit records into files (multiple records per file). This may or may not be what you want. In any case, you have to take care of moving or deleting these files to avoid filling up your disk.

You might use the same ActiveMQ message broker for DirX Identity and DirX Audit. This can simplify the overall installation by reducing the number of installed components and services.