[OPENIDM-4933] Tamper-evident audit logs: Verification command does not give meaningful results Created: 23/Dec/15  Updated: 09/Feb/17  Resolved: 29/Apr/16

Status: Closed
Project: OpenIDM
Component/s: Module - Audit
Affects Version/s: OpenIDM 4.0.0, OpenIDM 4.5.0
Fix Version/s: OpenIDM 4.5.0

Type: Bug Priority: Major
Reporter: Tinghua.Xu Assignee: Jason Lemay
Resolution: Cannot Reproduce Votes: 0
Labels: release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

OpenIDM 4.0 RC1 runs on a CentOS with MySQL as repo

Issue Links:
relates to OPENIDM-4947 Audit: Doc manual configuration of ne... Closed
is related to CAUD-394 CSV audit handler tamper-evident veri... Closed
is related to OPENIDM-4931 Add Audit Tamper-Evident Verification... Closed
Target Version/s:
QA Assignee: Tinghua.Xu
Sprint: OpenIDM Sprint 55


After made changes to tamper evident audit files, the verification command didn't give any meaningful result

To reproduce:
1. started openidm using sample2b(just for running recon easily)
2. Followed the integrator's guide http://openidm.forgerock.org/doc/bootstrap/integrators-guide/index.html#tamper-evident-operation to configure the signature algorithm and password key.
3. Enabled the feature on UI through System Preference->Audit->CsvAuditEventHandler
used space for quoteChar, - for delimitChar and ***** for symbols between lines. enabled tamper evident, used openidm for the handler and 5 minutes as signature interval. submit changes, removed the existing audit files and save changes on UI.
3. observed the new audit files name changed to tamper-evident-access.csv and etc and the audit files have HMAC and signature values included. run more recons and make changes to the recon audit file.
4. Run the following command to detect changes in openidm directory.
java -jar bundle/forgerock-audit-handler-csv-4.1.0.jar --archive audit/ --topic recon --keystore security/keystore.jceks --password changeit

The output is as follow:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

and no other meaningful info to show the audit file is changed or not. according to Alin and Andi, the slf4j warnings should be harmless.

Comment by Tinghua.Xu [ 05/Jan/16 ]

Worked with JasonJ on this, first there is a UI issue OPENIDM-4945 which didn't save the new line character correctly and caused only one line in the audit files. When manually configured the audit.json with \n in place, records in audit files are separated by newlines.
However, the verification command would still fail with the same output with this manual config. JasonL mentioned this command is only applicable to rotated archive files. When used rest command to generate rotated recon file and run this command again

curl  -k  --header "X-OpenIDM-Username: openidm-admin"  --header "X-OpenIDM-Password: openidm-admin"  --request POST  "https://localhost:8443/openidm/audit/recon?handler=csv&_action=rotate"

It would fail

java -jar bundle/forgerock-audit-handler-csv-4.1.0.jar --archive audit/ --topic recon --keystore security/keystore.jceks --password changeit
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
FAIL    tamper-evident-recon.csv-2016.01.04-13.02.31    Expecting to find an initial key into the keystore.

Jason has investigated the failure and indicated it's a bug in the verifier command, he will add a separate ticket for it.
More info should better be doced in user's guide, to manually config the feature, a base could be

                "formatting" : {
                    "quoteChar" : "*",
                    "delimiterChar" : "-",
                    "endOfLineSymbols" : "\n"
                "security" : {
                    "enabled" : true,
                    "filename" : "",
                    "password" : "",
                    "keyStoreHandlerName" : "openidm",
                    "signatureInterval" : "5 minutes"
                "enabled" : true,

Also the keystore commands should be run before starting OpenIDM with the manual configuration, otherwise, NPE in startup.

Comment by Craig McDonnell [ 05/Jan/16 ]

Hi [~tinghua_xu],
I believe there may be a few issues here:

1) non-default values for quoteChar, delimiterChar, and endOfLineSymbols aren't supported yet - see https://stash.forgerock.org/projects/COMMONS/repos/forgerock-audit/pull-requests/170/overview?commentId=42727
2) it looks like there may be an issue with manual rotation. The keystore should be rotated when rotation policies trigger rotation but perhaps keystores are not rotated when a manual rotation is triggered by calling the CREST action.
3) without config for the SLF4J logging, we're missing error details. Perhaps it would be good to include default config that sends error logging to stderr?

Comment by Tinghua.Xu [ 05/Jan/16 ]

Hi Craig McDonnell
Thanks for the update! What are the default values for quote char, delimiterChar and endOfLIneSymbols? I don't see them mentioned somewhere. On SLF4J logging errors, I have consulted the OpenIDM team, these errors/warnings are harmless.

Comment by Mike Jang [X] (Inactive) [ 05/Jan/16 ]

Possibly related, as shown in the note for this section, I've specifically stated:

"You will also need differing entries for the quote character, quoteChar and delimiter character, delimiterChar."

It's' a slight pain to have to make such entries from the Admin UI.

Comment by Craig McDonnell [ 05/Jan/16 ]

From org.forgerock.audit.handlers.csv.CsvAuditEventHandlerConfiguration.CsvFormatting:

        private char quoteChar = '"';

        private char delimiterChar = ',';

        private String endOfLineSymbols = System.getProperty("line.separator");

But, it should be possible to simply delete the following lines from your JSON config (and CAUD will set the defaults):

                "formatting" : {
                    "quoteChar" : "*",
                    "delimiterChar" : "-",
                    "endOfLineSymbols" : "\n"

That said, I think the current issue you're seeing is due to the use of the CREST action for rotation. Rather than using the CREST action, you should setup a rotation policy e.g.

        "fileRotation" : {
          "rotationEnabled" : true,
          "rotationInterval" : "10 seconds"
Comment by Tinghua.Xu [ 29/Apr/16 ]

retested in 4.5.0 build #7, followed the suggestions using default values for quoteChar("), delimitChar(,) and symbols between lines(\n". configured rotation policy.

after made changes to access audit file, ran the command and it detects the changes as follow:
java -jar bundle/forgerock-audit-handler-csv-6.1.0.jar --archive audit/ --topic access --keystore security/keystore.jceks --password changeit
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
FAIL tamper-evident-access.csv-2016.04.29-11.44.37 The signature at row 5 is not correct.
FAIL tamper-evident-access.csv-2016.04.29-11.49.42 The HMac at row 3 is not correct.

Generated at Tue Sep 22 11:40:02 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.