
Configure Audit Server from the CLI

To configure a connection to an audit server via the CLI, do the following:

  1. Make sure you have a root CA certificate for the audit server installed on the Makito X Series (refer to Installing a Certificate).

Note

If you are using a self-signed certificate (SSC) on the Makito X Series, and client authentication is enabled on the audit server, the audit server's trusted clients list must include the encoder's or decoder's certificate fingerprint, which can be obtained by entering the following command on the encoder or decoder:

$ certificate <cert_name> get

Example:

$ certificate autocert get
Certificate Name : autocert
Type        : id
Signature   : Self-signed
Subject     : encoder.myorg.com
Issuer      : encoder.myorg.com
Expiration  : Sep 25 19:14:50 2022 GMT
Fingerprint : md5:3a:f3:e5:02:13:45:a8:36:12:d5:85:de:0a:c6:0c:0a
  2. Define connection settings for the audit server by entering the following command using the CLI:
    $ audit set server=[fqdn|ipaddr|hostname[:port]] [transport=udp|tls] [trusted=all|ca-signed|self-signed [fingerprint=<server-cert-fingerprint>]]

    Example:

    $ audit set server=192.0.2.100 transport=TLS trusted=ca-signed
    Audit parameters successfully set.

    The possible values for the configurable parameters are:

    server
      Values:      fqdn[:port] | ipaddr[:port] | hostname[:port]
      Description: Identity of the audit server, on a specified port, provided as a
                   Fully Qualified Domain Name, an IP address, or a hostname. If the
                   port number is not specified, the default port corresponding to the
                   specified transport will be used.

    transport
      Values:      udp | tls
      Description: The transport protocol to use when communicating with the audit server:
                   udp  User Datagram Protocol; default UDP port = 514
                   tls  Transport Layer Security; default TLS port = 6514

    trusted
      Values:      all | ca-signed | self-signed
      Description: all          No server authentication required
                   ca-signed    Audit server must present its root CA certificate
                   self-signed  Audit server may present a self-signed certificate
                                (requires valid fingerprint)

    fingerprint
      Values:      fingerprint string
      Description: If trusted=self-signed, the audit server's SHA-1 or MD5 certificate
                   fingerprint must be imported on the encoder or decoder.
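
The fingerprint matching that both the note on self-signed certificates (the encoder's fingerprint in the audit server's trusted-clients list) and the fingerprint parameter above (the server's fingerprint on the encoder) depend on, as an added Python example that is not Haivision's code: it parses the `certificate <name> get` output shown on this page, normalizes fingerprints written in the CLI's spelling (`md5:3a:f3:...`), in openssl's (`SHA1 Fingerprint=3A:F3:...`) or as bare hex so the two sides can be compared, and formats a DER certificate's digest in the CLI's style for the `fingerprint=` argument. The sample output and the DER bytes are constructed, not captured from a device.

```python
import hashlib
import re

# Constructed sample in the shape of this page's `certificate autocert get`
# output; the MD5 value is the one printed on the page, not a live device's.
SAMPLE_CERT_GET_OUTPUT = """\
Certificate Name : autocert
Type        : id
Signature   : Self-signed
Subject     : encoder.myorg.com
Issuer      : encoder.myorg.com
Expiration  : Sep 25 19:14:50 2022 GMT
Fingerprint : md5:3a:f3:e5:02:13:45:a8:36:12:d5:85:de:0a:c6:0c:0a
"""

_FP_RE = re.compile(r"(?:(md5|sha-?1)\s*(?:fingerprint)?\s*[:=]\s*)?([0-9a-f: ]+)")
_LEN_TO_ALGO = {32: "md5", 40: "sha1"}  # hex digest length -> algorithm

def parse_certificate_get(output):
    """'Field : value' lines -> dict keyed by lower-cased field name; split on
    the first colon only so the fingerprint and expiration keep their colons."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def normalize_fingerprint(fp):
    """Return (algorithm, bare_hex) for a CLI-, openssl- or bare-hex-style
    fingerprint; raise ValueError if the digest length contradicts the label."""
    m = _FP_RE.fullmatch(fp.strip().lower())
    if not m:
        raise ValueError(f"not a certificate fingerprint: {fp!r}")
    label, digest = m.group(1), re.sub(r"[: ]", "", m.group(2))
    algo = _LEN_TO_ALGO.get(len(digest))
    if algo is None or (label and label.replace("-", "") != algo):
        raise ValueError(f"digest length does not match algorithm: {fp!r}")
    return algo, digest

def format_fingerprint(der_cert, algo="sha1"):
    """Digest a DER-encoded certificate and render it as 'algo:xx:xx:...'."""
    hexdigest = hashlib.new(algo, der_cert).hexdigest()
    return algo + ":" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def is_trusted_client(device_output, trusted_clients):
    """True when the device's printed fingerprint matches a trusted-clients entry."""
    ours = normalize_fingerprint(parse_certificate_get(device_output)["fingerprint"])
    return any(normalize_fingerprint(entry) == ours for entry in trusted_clients)
```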

  3. If your policy requires that only connections to servers with CA-signed certificates are accepted, install the audit server's root CA certificate on the Makito X Series with the certificate command:
    $ certificate <name> import infile=<certfile> [type=id] [fmt=auto]

    Example:

    $ certificate myca import infile=myca.pem type=ca
    Certificate successfully imported from myca.pem to myca

    The possible values for the configurable parameters are:

    name
      Description: The name of the certificate.

    infile
      Description: The name of the file to import.
                   Note: The administrator must have previously downloaded/uploaded the
                   certificate file to his/her home directory (using SCP, for example).

    type
      Values:      id | chain | ca
      Description: The type of certificate to either import or generate:
                   id     Identity certificate (for HTTPS service and audit)
                   chain  Identity certificate CA chain
                   ca     Certificate Authority certificate (for peer certificate validation)
                   Note: Only ID certificates can be generated. Chain and CA certificates
                   can only be imported.

    fmt
      Values:      auto | pem | p7 | p12 | pfx | der
      Description: The format in which the certificate is encoded:
                   auto  Detects the certificate format based on file extension when importing.
                   pem   Privacy Enhanced Mail Base64 encoded DER certificate
                   p7    PKCS#7
                   p12   PKCS#12
                   pfx   PKCS#12
                   der   Distinguished Encoding Rules

  4. Enable auditing on the Makito X Series by entering the following command:
    $ audit start

    Example:

    $ audit start
    Audit started.

Note

If the TLS handshake is aborted, the Makito X Series device retries every 50 seconds. If it cannot connect to the audit server for any other reason, it keeps attempting to connect with a growing delay: the first attempt is delayed by 10 seconds, and each successive attempt n is delayed by Tn = Tn-1 × 11/10 seconds. The device stops attempting to connect when the delay exceeds 48 hours (it takes about 21 days to reach this delay value).

  5. Verify that auditing on the Makito X Series has been enabled by entering the following command (this may take a minute or so):
    $ audit get all

    Example:

    $ audit get all
    Configuration:
       Audit server address : 192.0.2.100
       Transport            : TLS
       Trusted servers      : CA-signed
    Statistics:
       State                : AUDITING

Note

If the connection to the audit server is lost, the Makito X Series detects this and automatically enters a reconnection mode. The first reconnection attempt is delayed by 10 seconds, and each successive attempt n is delayed by Tn = Tn-1 × 11/10 seconds. The device stops attempting to reconnect when the delay exceeds 48 hours (it takes about 21 days to reach this delay value). On the 4th failed reconnection attempt, the loss of the audit server connection is reported to administrators via a management message; a successful reconnection is reported the same way. Refer to the associated User's Guide for more information on the messages CLI command and the Messages Web Interface page ("Managing Messages").
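
The reconnection back-off described in the two notes above (the one after `audit start` and this one), as an added Python example that is not from the User's Guide: it reproduces the schedule Tn = Tn-1 × 11/10 starting from 10 seconds and checks the figures the notes give (about 21 days to reach a 48-hour delay, the management message on the 4th failed attempt, the fixed 50-second retry after an aborted TLS handshake). The assumption that each attempt fails immediately, so that only the delays contribute to elapsed time, is mine.

```python
# Added model of the Makito X Series audit reconnection back-off, built only
# from the figures on this page; the instant-failure assumption is the author's.
INITIAL_DELAY_S = 10.0        # first attempt is delayed by 10 seconds
GROWTH = 11 / 10              # Tn = Tn-1 * 11/10
MAX_DELAY_S = 48 * 3600       # device stops once a delay would exceed 48 hours
TLS_ABORT_RETRY_S = 50.0      # aborted TLS handshake: fixed 50-second retry
ALERT_AFTER_FAILURES = 4      # management message on the 4th failed attempt

def reconnect_delays(initial=INITIAL_DELAY_S, growth=GROWTH, max_delay=MAX_DELAY_S):
    """Delays (seconds) before each reconnection attempt, in order, stopping
    before the first delay that would exceed max_delay."""
    delays = []
    delay = initial
    while delay <= max_delay:
        delays.append(delay)
        delay *= growth
    return delays

def attempts_before_giving_up():
    """Number of reconnection attempts the device makes before it stops."""
    return len(reconnect_delays())

def days_until_giving_up():
    """Elapsed days from loss of connection to the last attempt, assuming each
    attempt fails immediately; the page says about 21 days."""
    return sum(reconnect_delays()) / 86400

def seconds_until_alert(failures=ALERT_AFTER_FAILURES):
    """Elapsed seconds before administrators are told the connection is lost,
    i.e. the waits leading up to the 4th failed attempt."""
    return sum(reconnect_delays()[:failures])

def next_delay(previous_delay, tls_handshake_aborted):
    """Delay before the next attempt: fixed after an aborted TLS handshake,
    geometric otherwise; None once the device would stop retrying."""
    if tls_handshake_aborted:
        return TLS_ABORT_RETRY_S
    nxt = previous_delay * GROWTH
    return nxt if nxt <= MAX_DELAY_S else None

if __name__ == "__main__":
    print(f"attempts before giving up: {attempts_before_giving_up()}")
    print(f"administrators alerted after: {seconds_until_alert():.2f} s")
    print(f"device gives up after: {days_until_giving_up():.1f} days")
```

The practical point for monitoring: the management message arrives well under a minute after the link drops, long before the back-off grows to hours.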

For more information see "Managing Audits" and the CLI Command Reference in the associated User's Guide.
