Verifying a secure log using openssl – HP Secure Key Manager User Manual

Page 91


3. Double-click on the file. Outlook Express will open and display a help screen with a security header that reads: “Digitally signed - signing digital ID is not trusted.”

4. Click Continue. A security warning will appear.

5. Click View Digital ID. The Signing Digital ID Properties dialog will appear.

6. Click the Details tab and scroll down to the Thumbprint field.

7. Download the Log Signing Certificate used to sign the log file from the SKM.

8. Double-click on the Log Signing Certificate. The Certificate dialog will appear.

9. Select the Details tab.

10. Scroll down to the Thumbprint field.

11. Compare the thumbprints of the Signing Digital ID Properties dialog and the Log Signing Certificate dialog. If the text strings are identical, the integrity of the log file is secure.

Verifying a secure log using OpenSSL

Prior to verifying a secure log, you must have installed OpenSSL on the machine that will verify the
log file. You can use the procedure in both Windows and UNIX/Linux environments. If OpenSSL has
not been installed on your Windows machine, you can find a Windows distribution here:

http://www.slproweb.com/products/Win32OpenSSL.html

To verify a secure log:

1. Log in to the Management Console as an administrator.

2. Navigate to the Log Configuration page (Device > Log Configuration) and click the Log Levels & Signing tab.

3. Click View Log Signing Cert.

4. Click Download Log Signing Cert and save the Log Signer certificate to your local machine.

5. Navigate to the Audit Log page (Device > Logs & Statistics > Log Viewer > <select the log page>) and click Download Entire Log. Save the log file in the same directory as the log signer cert. (You can save both the log file and the certificate anywhere you like; for the sake of simplicity, these procedures assume that the two files are in the same directory.)

6. From the command prompt, enter the following command:

openssl smime -verify -in <signed log file> -nointern -certfile <log cert file> -text -noverify

After issuing the command, the text from the log file is displayed. If the text of the log file has not
been modified, the system displays “Verification successful” below the log text, as shown here:

2006-07-06 09:15:02 [admin]: Logged in from 192.168.1.170 via web
2006-07-06 11:17:30 [admin]: Logged in from 192.168.1.170 via web
2006-07-06 11:24:26 [admin]: Downloaded Cert logsigner
2006-07-06 12:30:17 [admin]: User admin login has expired.
Verification successful

You can test this process by modifying the text in the log file and running the command again.
When you issue the command, the system again displays the text of the log file, but this time, it
displays “Verification failure” after the text of the log file.
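The following script is an added example, not part of the HP manual, that rehearses the procedure above end to end so it can be run offline: it generates a self-signed stand-in for the SKM Log Signer certificate (an assumption; in practice the certificate is downloaded from the appliance in step 4), signs a constructed sample log in S/MIME form, runs the manual's verify command on the intact file, then repeats it on a tampered copy as in the self-test.

```shell
#!/bin/sh
# Added example (not from the HP manual): rehearse the OpenSSL verification
# step with a constructed log signer so everything runs locally.
set -eu

WORK=$(mktemp -d)

# Stand-in for the SKM's Log Signer certificate: a self-signed cert generated
# here (assumption; the real one is downloaded from the Management Console).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=logsigner-example" \
  -keyout "$WORK/logsigner.key" -out "$WORK/logsigner.crt" 2>/dev/null

# Constructed sample log lines in the format the manual shows.
cat > "$WORK/audit.log" <<'EOF'
2006-07-06 09:15:02 [admin]: Logged in from 192.168.1.170 via web
2006-07-06 11:24:26 [admin]: Downloaded Cert logsigner
EOF

# Produce a clear-signed S/MIME log, the format the verify command expects.
openssl smime -sign -in "$WORK/audit.log" -signer "$WORK/logsigner.crt" \
  -inkey "$WORK/logsigner.key" -text -out "$WORK/audit.log.signed"

# verify_log SIGNED CERT: the manual's command. -nointern trusts only the
# certificate given via -certfile, ignoring any embedded in the message;
# -noverify skips chain validation, so the certificate's authenticity rests on
# having fetched it from the SKM over the authenticated console session.
# Exit status 0 corresponds to "Verification successful" on stderr.
verify_log() {
  openssl smime -verify -in "$1" -nointern -certfile "$2" -text -noverify
}

# Tampered copy: one timestamp altered, mirroring the manual's self-test.
sed 's/09:15:02/09:15:03/' "$WORK/audit.log.signed" > "$WORK/tampered.log.signed"

echo "--- intact log ---"
verify_log "$WORK/audit.log.signed" "$WORK/logsigner.crt" || echo "unexpected failure"

echo "--- tampered log ---"
if verify_log "$WORK/tampered.log.signed" "$WORK/logsigner.crt"; then
  echo "unexpected success"
else
  echo "tampering detected: openssl returned a non-zero exit status"
fi
```

The exit status of `openssl smime -verify` is what a script should key on; the "Verification successful" / "Verification failure" text goes to stderr, not to the log text on stdout.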
