
Configure Audit Server from the CLI

To configure a connection to an audit server via the CLI, do the following:

  1. Make sure you have a root CA certificate for the audit server installed on the Makito X Series (refer to Installing a Certificate).

    Note

    If you are using a self-signed certificate (SSC) on the Makito X Series, and client authentication is enabled on the audit server, the audit server's trusted clients list must include the encoder's or decoder's certificate fingerprint, which can be obtained by entering the following command on the encoder or decoder:

    $ certificate <cert_name> get

    Example:

    $ certificate autocert get
    Certificate Name : autocert
    Type        : id
    Signature   : Self-signed
    Subject     : encoder.myorg.com
    Issuer      : encoder.myorg.com
    Expiration  : Sep 25 19:14:50 2022 GMT
    Fingerprint : md5:3a:f3:e5:02:13:45:a8:36:12:d5:85:de:0a:c6:0c:0a
  2. Define connection settings for the audit server by entering the following command using the CLI:
    $ audit set server=[fqdn|ipaddr|hostname[:port]] [transport=udp|tls] [trusted=all|ca-signed|self-signed [fingerprint=<server-cert-fingerprint>]]

    Example:

    $ audit set server=192.0.2.100 transport=TLS trusted=ca-signed
    Audit parameters successfully set.

    The possible values for the configurable parameters are:

    Parameter    Values               Description
    -----------  -------------------  -------------------------------------------------------------------
    server       fqdn[:port]          Identity of the audit server, on a specified port, provided as a
                 ipaddr[:port]        Fully Qualified Domain Name, an IP address, or a hostname.
                 hostname[:port]      If the port number is not specified, the default port corresponding
                                      to the specified transport is used.

    transport    udp                  User Datagram Protocol; default UDP port = 514
                 tls                  Transport Layer Security; default TLS port = 6514

    trusted      all                  No server authentication required (the device accepts any server)
                 ca-signed            Audit server must present a certificate signed by a CA whose root
                                      CA certificate is installed on the device (see step 3)
                 self-signed          Audit server may present a self-signed certificate; requires a
                                      valid fingerprint (see below)

    fingerprint  fingerprint string   If trusted=self-signed, the SHA-1 or MD5 fingerprint of the audit
                                      server's certificate. The encoder or decoder accepts only a server
                                      presenting exactly that certificate, so the value must be updated
                                      when the server certificate is renewed.


  3. If your policy requires that only connections to servers with CA-signed certificates are accepted, install the audit server's root CA certificate on the Makito X Series with the certificate command (the default type is id, so specify type=ca for a CA certificate):
    $ certificate <name> import infile=<certfile> [type=id] [fmt=auto]

    Example:

    $ certificate myca import infile=myca.pem type=ca
    Certificate successfully imported from myca.pem to myca

    The possible values for the configurable parameters are:

    Parameter   Values   Description
    ----------  -------  --------------------------------------------------------------------------
    name                 The name under which the certificate is stored on the device.

    infile               The name of the file to import.
                         NOTE: The administrator must have previously uploaded the certificate file
                         to his/her home directory on the device (using SCP, for example).

    type        id       Identity certificate (for the HTTPS service and audit)
                chain    Identity certificate CA chain
                ca       Certificate Authority certificate (for peer certificate validation)
                         NOTE: Only ID certificates can be generated. Chain and CA certificates can
                         only be imported.

    fmt         auto     Detects the certificate format from the file extension when importing
                pem      Privacy Enhanced Mail (Base64-encoded DER certificate)
                p7       PKCS#7
                p12      PKCS#12
                pfx      PKCS#12 (Personal Information Exchange; the same container format as p12)
                der      Distinguished Encoding Rules (binary)

    fmt describes the encoding of the certificate file, not its encryption.


  4. Enable auditing on the Makito X Series by entering the following command:
    $ audit start

    Example:

    $ audit start
    Audit started.

    Note

    If the TLS handshake is aborted (a TLS-level failure, for example because certificate validation fails), the Makito X Series device retries every 50 seconds. If it cannot connect to the audit server for other reasons, it continues to make connection attempts, starting with a delay of 10 seconds, where each successive connection attempt n is delayed by Tn = Tn-1 * 11/10 seconds. The device stops attempting to connect when the delay exceeds 48 hours (it takes about 21 days to reach this delay value).

  5. Verify that auditing on the Makito X Series has been enabled by entering the following command (this may take a minute or so):
    $ audit get all

    Example:

    $ audit get all
    Configuration:
       Audit server address : 192.0.2.100
       Transport            : TLS
       Trusted servers      : CA-signed
    Statistics:
       State                : AUDITING
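Both the note in step 1 (the encoder's or decoder's own fingerprint, which goes into the audit server's trusted-clients list) and the fingerprint= parameter in step 2 (the audit server's fingerprint, which pins the server certificate when trusted=self-signed) are the same kind of value: an MD5 or SHA-1 digest of the DER-encoded certificate, printed as colon-separated hex. The following is an added example, not Haivision code and not part of this page's CLI; the function names are assumptions. It computes that fingerprint from a PEM file using only the Python standard library, so the value can be cross-checked against what `certificate <name> get` prints before it is trusted, and builds the corresponding `audit set` line. The embedded sample PEM is constructed (its body decodes to the bytes `abc`, not a real certificate) purely to exercise the parsing and formatting.

```python
"""Compute a certificate fingerprint in the form the Makito X CLI prints.

Added example (not Haivision code); helper names are assumptions.
The fingerprint is the MD5 or SHA-1 digest of the DER-encoded certificate,
formatted 'md5:aa:bb:...' / 'sha1:aa:bb:...' as `certificate <name> get`
shows it. This matches `openssl x509 -in cert.pem -noout -fingerprint -md5`.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    # The Base64 body is usually wrapped at 64 columns; strip all whitespace first.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest the DER certificate and format it like the device CLI."""
    if algo not in ("md5", "sha1"):  # the two algorithms fingerprint= accepts
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    hexdigest = hashlib.new(algo, der).hexdigest()
    return algo + ":" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_cli_fingerprint(cli_output: str) -> str:
    """Extract the 'Fingerprint : ...' value from `certificate <name> get` output."""
    for line in cli_output.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip().lower() == "fingerprint":
            return value.strip().lower()
    raise ValueError("no Fingerprint line in CLI output")


def fingerprints_match(cli_output: str, pem_text: str) -> bool:
    """True if the fingerprint the device printed belongs to this PEM certificate."""
    cli_fp = parse_cli_fingerprint(cli_output)
    algo = cli_fp.split(":", 1)[0]  # 'md5' or 'sha1', as printed by the device
    return cli_fp == fingerprint(pem_to_der(pem_text), algo)


def audit_set_command(server: str, pem_text: str, algo: str = "sha1") -> str:
    """Build the `audit set` line that pins a self-signed audit server certificate."""
    fp = fingerprint(pem_to_der(pem_text), algo)
    return f"audit set server={server} transport=tls trusted=self-signed fingerprint={fp}"


# Constructed sample input: the Base64 body decodes to b'abc', which is NOT a
# real certificate; it only exercises PEM parsing and digest formatting.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed CLI output in the layout shown on this page, carrying the MD5
# fingerprint of SAMPLE_PEM.
SAMPLE_CLI_OUTPUT = """Certificate Name : autocert
Type        : id
Signature   : Self-signed
Subject     : encoder.myorg.com
Issuer      : encoder.myorg.com
Fingerprint : md5:90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
"""

if __name__ == "__main__":
    print(fingerprint(pem_to_der(SAMPLE_PEM), "md5"))
    print(fingerprints_match(SAMPLE_CLI_OUTPUT, SAMPLE_PEM))
    print(audit_set_command("192.0.2.100", SAMPLE_PEM))
```

Of the two algorithms the device accepts, prefer sha1: MD5 collisions are practical, and a fingerprint that pins a certificate is only as strong as the digest. Note also that trusted=all performs no server authentication at all, so audit records can be diverted to any host that answers on the configured address; use ca-signed or self-signed with a fingerprint wherever the audit server supports TLS.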

Note

If the connection to the audit server is lost, the Makito X Series detects this and automatically enters a reconnection mode. Starting with a delay of 10 seconds, each reconnection attempt n is delayed by Tn = Tn-1 * 11/10 seconds. The device stops attempting to reconnect when the delay exceeds 48 hours (it takes about 21 days to reach this delay value). On the 4th failed reconnection attempt, the loss of the audit server connection is reported to administrators via a management message. A successful connection is similarly reported. Refer to the associated User's Guide for more information on the messages CLI command and the Messages Web Interface page ("Managing Messages").
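The back-off described in the note above (and in the note under step 4) determines how quickly a lost audit feed is reported and how long the device keeps trying on its own before auditing silently stops. The following added example, not Haivision code and with assumed function names, models that schedule from the figures the page gives (10 s initial delay, growth factor 11/10, give up once the delay would exceed 48 hours, management message on the 4th failed attempt) so an operator can see when the first alert fires and when the retries end.

```python
"""Model the Makito X audit-server reconnection back-off described on this page.

Added example (not Haivision code); function names are assumptions. Inputs are
the values stated on the page: first delay 10 s, each later delay
T(n) = T(n-1) * 11/10, stop once the next delay would exceed 48 hours, and a
management message on the 4th failed attempt.
"""

INITIAL_DELAY_S = 10.0
GROWTH = 11 / 10
MAX_DELAY_S = 48 * 3600
ALERT_ON_ATTEMPT = 4          # loss is reported to administrators on this attempt
TLS_ABORT_RETRY_S = 50.0      # an aborted TLS handshake retries at a fixed 50 s instead


def reconnect_schedule(initial=INITIAL_DELAY_S, growth=GROWTH, max_delay=MAX_DELAY_S):
    """Return a list of (attempt_number, delay_before_attempt_s, elapsed_s) tuples.

    Attempt 1 is made `initial` seconds after the connection is lost; the device
    stops scheduling attempts once the next delay would exceed `max_delay`.
    """
    schedule = []
    delay, elapsed = initial, 0.0
    attempt = 1
    while delay <= max_delay:
        elapsed += delay
        schedule.append((attempt, delay, elapsed))
        delay *= growth
        attempt += 1
    return schedule


def seconds_until_alert(schedule, alert_attempt=ALERT_ON_ATTEMPT):
    """Seconds from connection loss until the management message for the Nth failed attempt."""
    return schedule[alert_attempt - 1][2]


def give_up_after_days(schedule):
    """Days from connection loss until the last attempt the device will make."""
    return schedule[-1][2] / 86400


def attempts_within(schedule, window_s):
    """Number of reconnection attempts within `window_s` seconds of the loss,
    e.g. to judge how many connection events a collector-side detection will see."""
    return sum(1 for _, _, elapsed in schedule if elapsed <= window_s)


def handshake_abort_attempts_within(window_s, interval_s=TLS_ABORT_RETRY_S):
    """Attempts made in `window_s` seconds when every TLS handshake is aborted
    (fixed-interval retry, no back-off), e.g. with a wrong trusted= setting."""
    return int(window_s // interval_s)


if __name__ == "__main__":
    sched = reconnect_schedule()
    print(f"attempts before giving up : {len(sched)}")
    print(f"first alert after         : {seconds_until_alert(sched):.0f} s")
    print(f"attempts in first hour    : {attempts_within(sched, 3600)}")
    print(f"last attempt delay        : {sched[-1][1] / 3600:.1f} h")
    print(f"gives up after            : {give_up_after_days(sched):.1f} days")
    print(f"handshake-abort attempts/h: {handshake_abort_attempts_within(3600)}")
```

The model reproduces the page's "about 21 days": 103 attempts, the last one after a delay of roughly 46 hours. Two points are worth planning around: the first management message arrives about 46 seconds after the loss, and a device that fails TLS validation (fixed 50 s retry, no back-off) looks quite different on the collector from one that cannot reach the server at all, so the two cases can be told apart from connection timing alone.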


For more information see "Managing Audits" and the CLI Command Reference in the associated User's Guide.
