SA03: IBM Audit SupportPac for WebSphere Service Registry and Repository
The IBM Audit SupportPac provides support for recording and reporting important event activity taking place against objects stored in WSRR. This includes the basic creation, deletion and update of all registry objects as well as the results of moving those objects through a governance lifecycle. For these operations the IBM Audit SupportPac will record the date and time at which the change was made, the WSRR instance and logged-in user that made the change and will record details of the object that was changed. Audit information will be recorded to a database enabling database queries to be used to generate reports.
The SupportPac consists of the following:
- Audit J2EE Application
- Service Registry Audit Notifier plug-in
- Audit Database and Tables
- Sample reports
Table of contents
The minimum software requirement for this SupportPac is WebSphere Service Registry and Repository version 6.1 Fix Pack 1.
The database server minimum requirements are as for WebSphere Service Registry and Repository version 6.1 Fix Pack 1.
The downloaded ServiceRegistryAudit file should be unzipped or untarred into the WSRR installation root directory <WSRRHOME>. There is
a specific tar file for z/OS which contains installation scripts in EBCDIC.
After unzip, the following script directories are created:
Database Server | Directory |
DB2 Distributed | <WSRRHOME>/Audit/scripts/sql/db2 |
DB2 for z/OS | <WSRRHOME>/Audit/scripts/sql/db2_ZOS |
Derby | <WSRRHOME>/Audit/scripts/sql/derby |
Oracle | <WSRRHOME>/Audit/scripts/sql/oracle |
The Audit database has to be created on one of the above database systems. Following are installation instructions for each database system.
These instructions are for a UNIX® server. You can replace the directory
paths to use them as a guide for a Windows® server. Windows-based systems
use backslashes (\) to delimit directories in a directory path.
Use the following values:
$DB_HOME | The DB2 installation directory |
$DB_NAME | Database name. Uppercase and less than 8 characters. |
$DB_PORT | DB2 database port |
$DB_USER | Audit database user ID. Must be lowercase. |
$DB_PASSWORD | The password for the Audit database user ID. |
$DB2INSTID | The DB2 database instance owner ID. |
$DB2INST | The DB2 instance name, often the same as the instance owner ID. |
$DB2TSDIR | The directory to store the DB2 tablespaces in. For example e:\db2 or /home/db2inst1/DB2TS |
$SQLPATH | Path to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/db2 |
- Create the database. If you want to use an existing database skip this step.
- Edit $SQLPATH/createdb.sql
- Replace all instances of __DB2TSDIR__ with the directory where the tablespaces are stored (the value of $DB2TSDIR).
- Replace all instances of __DBNAME__ with the value of $DB_NAME
- Replace all instances of __DBUSER__ with the value of $DB_USER
- Make sure your DB2 instance is configured for TCP/IP access, for example as $DB2INSTID, and replacing $DB2INST with your DB2 instance name, run:
db2set DB2COMM=tcpip
db2 update dbm cfg using SVCENAME db2c_$DB2INST
Ensure that the db2c_$DB2INST service is defined in /etc/services.
db2stop
db2start
- On Windows, run:
db2set DB2_CREATE_DB_ON_PATH=YES
db2stop
db2start
- As $DB2INSTID run:
db2 -tf $SQLPATH/createdb.sql
db2 connect reset
db2 terminate
- Create the database tables.
- As $DB2INSTID run:
db2 connect to $DB_NAME user $DB_USER using $DB_PASSWORD
db2 set current schema $DB_USER
db2 -tf $SQLPATH/createtables.sql
These instructions are for a UNIX® server. You can replace the directory
paths to use them as a guide for a Windows® server. Windows-based systems
use backslashes (\) to delimit directories in a directory path.
Use the following values:
$WAS_HOME | The WebSphere installation directory |
$DB_NAME | Database name. Uppercase and less than 8 characters. |
$DB_USER | Audit database user ID. Must be lowercase. |
$DB_PASSWORD | The password for the Audit database user ID. |
$SQLPATH | Path to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/derby |
- Create the database. If you want to use an existing database skip this step.
- Edit $SQLPATH/createdb.sql
- Replace all instances of __DBNAME__ with the value of $DB_NAME
- Replace all instances of __DBUSER__ with the value of $DB_USER
- Replace all instances of __DBPASSWORD__ with the value of $DB_PASSWORD
- From $WAS_HOME\derby\bin\embedded Run:
ij -p $WAS_HOME\derby\derby.properties createdb.sql
- Create the database tables.
- Edit $SQLPATH/createtables.sql
- Replace all instances of __DBNAME__ with the value of $DB_NAME
- Replace all instances of __DBUSER__ with the value of $DB_USER
- Replace all instances of __DBPASSWORD__ with the value of $DB_PASSWORD
- From $WAS_HOME\derby\bin\embedded Run:
ij -p $WAS_HOME\derby\derby.properties createtables.sql
- Configure the DB2UNIVERSAL_JDBC_DRIVER_PATH. You must now configure the
DB2UNIVERSAL_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.
If
using a remote database, install the DB2 client to the WebSphere Application
Server first, and then set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory in the client which contains
db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar.
If using a cluster, configure
DB2UNIVERSAL_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.
Set
DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory containing db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar,
for example C:/Program Files/IBM/SQLLIB/java. From the WebSphere Application Server Integrated Solutions Console:
- Expand Environment -> WebSphere Variables.
- Set the scope appropriately.
- Click DB2UNIVERSAL_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter DB2UNIVERSAL_JDBC_DRIVER_PATH in the Name field.
- In the Value field, enter the path.
- Click OK.
- On the message Changes have been made to your local configuration click Save.
These instructions are for a UNIX® server. You can replace the directory
paths to use them as a guide for a Windows® server. Windows-based systems
use backslashes (\) to delimit directories in a directory path.
Use the following values:
$ORACLEPATH | The Oracle installation directory |
$DB_NAME | Database name. Uppercase and less than 8 characters. |
$ORAPORT | Oracle database port |
$DB_USER | Audit database user ID. Must be lowercase. |
$DB_PASSWORD | The password for the Audit database user ID. |
$ORAUSER | The operating system ID owning the oracle installation (someone with
permission to run sqlplus) |
$DB2INST | The DB2 instance name, often the same as the instance owner ID. |
$SQLPATH | Path to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/oracle |
- Create the database. If you want to use an existing database skip
this step.
- Edit $SQLPATH/dbca.rsp
- Replace all instances of __VARFILEPATH__ with the
directory where variables.txt can be found ($SQLPATH).
- Replace all instances of __DBNAME__ with $DB_NAME
- As $ORAUSER run:
$ORACLEPATH/bin/dbca -silent -responseFile $SQLPATH/dbca.rsp
- Set the password for the SYSTEM and SYS database users to be $DB_PASSWORD,
or some other appropriate value, if you are going to be creating a new database
user.
You can, optionally, use the following script to do this. Edit install/database/sql/oracle/dbaccess.sql
- Replace all instances of __DBNAME__ with $DB_NAME.
- Replace all instances of __DBPASSWORD__ with $DB_PASSWORD.
- As $ORAUSER run:
$ORACLEPATH/bin/sqlplus /nolog @$SQLPATH/dbaccess.sql
- Create a database user. If you want a user ID other than SYSTEM for
$DB_USER, create that user ID now using the normal Oracle process. The user
ID will have privileges similar to those detailed in the following (this might not be
an exhaustive list):
SELECT ANY DICTIONARY, UNLIMITED TABLESPACE,
"AQ_ADMINISTRATOR_ROLE", "AQ_USER_ROLE", "CONNECT", "DELETE_CATALOG_ROLE",
"EJBCLIENT", "EXECUTE_CATALOG_ROLE", "EXP_FULL_DATABASE", "GATHER_SYSTEM_STATISTICS",
"MGMT_USER", CREATE TABLE, CREATE DATABASE LINK, CREATE SESSION, CREATE SEQUENCE,
CREATE TABLESPACE, ALTER TABLESPACE, MANAGE TABLESPACE, SELECT ANY TABLE,
INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE, CREATE VIEW
- Create the database tables. As $ORAUSER run:
$ORACLEPATH/bin/sqlplus $DB_USER/$DB_PASSWORD@$DB_NAME @$SQLPATH/createtables.sql
- Configure the ORACLE_JDBC_DRIVER_PATH. You must now configure the
ORACLE_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.
If
using a remote database, install the Oracle client to the WebSphere Application
Server first, and then set ORACLE_JDBC_DRIVER_PATH to the directory in the client which contains
ojdbc14.jar.
If using a cluster, configure
ORACLE_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.
Set
ORACLE_JDBC_DRIVER_PATH to the directory containing ojdbc14.jar,
for example /home/oracle/product/10.2.0/Db_1/jdbc/lib
From the WebSphere Application Server Integrated Solutions Console:
- Expand Environment -> WebSphere Variables.
- Set the scope appropriately.
- Click ORACLE_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter ORACLE_JDBC_DRIVER_PATH in the Name field.
- In the Value field, enter the path.
- Click OK.
- On the message Changes have been made to your local configuration click Save.
-
Configure the Oracle nls_timestamp_format. You must now configure
the initialization parameter nls_timestamp_format in the database Initialization Parameter File. This is
typically located:
$ORACLEPATH\database\init$DB_NAME.ora
This should be set to:
nls_timestamp_format='YYYY-MM-DD HH24:MI:SS.FFF'
Refer to your operating system specific Oracle documentation for the default location of the initialization
parameter file.
Running a script to copy the DB2 SQL and JCL to PDSs
If the z/OS tar was untarred into the deployment directory of WSRR, the scripts will be in the
subdirectory Admin/scripts/sql/db2_ZOS. Otherwise the scripts need to be copied onto the z/OS system to the deployment directory of WSRR,
for example /u/wsrr/WebSphereServiceRegistry/Admin/scripts/sql/db2_ZOS
- Change directory to Admin/scripts/sql/db2_ZOS and run
script copyddl.sh to copy the DB2 SQL and JCL to PDSs:
copyddl.sh -sqldsn <SQL_DSN> -jcldsn <JCL_DSN>
Where:
Parameter | Description |
<JCL_DSN> |
The fully qualified name of the PDS to contain JCL.
It must be LRECL=80 RECFM=FB and will be created by the script if it does
not exist. |
<SQL_DSN> |
The fully qualified name of the PDS to contain SQL.
It must be LRECL=80 RECFM=FB and will be created by the script if it does
not exist. |
- Edit the two SQL members to conform with your site's DB2 naming
standards. Change all occurrences of the following in each member of the SQL
data set:
Parameter |
Description |
<SQLID> |
The required DB2 SQLID, for example WSRRUSR. It is
recommended that this should be a unique SQLID for WSRR. |
<AUDIT-DATABASE> |
The name for the Audit database, for example AUDITDB. |
<AUDIT-TABLESPACE> |
The name for the Audit tablespace in the Audit database,
for example AUDITTS. |
- Edit the two JCL members to conform with your site's DB2 standards.
Change all occurrences of the following in each member of the JCL data set:
Parameter |
Description |
<SDSNLOAD> |
The name of the target DB2 SDSNLOAD library. |
<RUNLIB> |
The name of the target DB2 RUNLIB library. |
<SSID> |
The name of the target DB2 Subsystem ID. |
<PLAN-NAME> |
The name of the target DSNTIAD DB2 plan name. |
- Create the DB2 databases and tables using the modified SQL. Either:
- Submit the modified jobs in the JCL library, or
- Use the SQL in SPUFI or other DB2 tool.
Configure the DB2UNIVERSAL_JDBC_DRIVER_PATH
You must now configure the
DB2UNIVERSAL_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.
If
using a remote database, install the DB2 client for z/OS to the WebSphere Application
Server first, and then set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory in the client which contains
db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar.
If using a cluster, configure
DB2UNIVERSAL_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.
Set
DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory containing db2jcc.jar, , db2jcc_license_cu.jar and db2jcc_license_cisuz.jar,
for example C:/Program Files/IBM/SQLLIB/java. From the WebSphere Application Server Integrated Solutions Console:
- Expand Environment -> WebSphere Variables.
- Set the scope appropriately.
- Click DB2UNIVERSAL_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter DB2UNIVERSAL_JDBC_DRIVER_PATH in the Name field.
- In the Value field, enter the path.
- Click OK.
- On the message Changes have been made to your local configuration click Save.
A DataSource and JDBC Provider have to be created in the WebSphere Application Server where the Audit J2EE Application is to be installed. In the case of a cluster,
this is in the Deployment Manager.
Following are the settings for the JDBC Provider for your particular Database System.
Database System | Database type | Provider type | Implementation type |
DB2 Distributed | DB2 | DB2 Universal JDBC Driver Provider | XA data source |
Derby | Derby | Derby JDBC Provider | XA data source |
Oracle | Oracle | Oracle JDBC Provider | XA data source |
DB2 z/OS | DB2 | DB2 Universal JDBC Driver Provider | XA data source |
Name | Value |
$JDBC_PROVIDER_NAME | WSRR Audit JDBC Provider |
$J2C_ALIAS_NAME | WSRR Audit Alias |
$DATASOURCE_NAME | WSRR Audit DataSource |
$JNDI_NAME | jdbc/WSRRAUDIT |
To create the JDBC Provider:
- From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
- If in a cluster, set the scope to cluster level, if not, set to the node level.
- Click the New button.
- For
the fields Database type, Provider type and Implementation type enter the values described above.
- Enter a descriptive
name such as $JDBC_PROVIDER_NAME.
- Click Next.
- For Derby the Summary is shown, click Finish.
- For DB2 and Oracle, leave the field "directory location for JARs" with the default value, then click Next and then click Finish.
To create the authentication alias to use to connect to the Database Server:
- From the WebSphere Application Server Integrated Solutions Console, expand Security->Secure administration, applications, and infrastructure.
- Expand Java Authentication and Authorization Service.
- Click J2C authentication data.
- Click New.
- Enter a descriptive name for the Alias field, such as $J2C_ALIAS_NAME.
- Enter $DB_USER in the User ID field and $DB_PASSWORD in the Password field. For DB2 on z/OS enter the database user and password.
- Click OK.
To create the Data Source:
- From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
- Click the JDBC Provider created in the
previous step $JDBC_PROVIDER_NAME.
- Under Additional Properties click Data sources.
- Click New.
- In the Data source name field enter $DATASOURCE_NAME.
- In the JNDI name field, enter $JNDI_NAME.
- In the Component-managed authentication alias and XA recovery authentication alias field select $J2C_ALIAS_NAME.
- Click Next.
The panel which follows is dependent on the type of Database system.
- In the Database name field, enter $DB_NAME. For DB2 on z/OS enter the Database Location, which can be acquired from DB2 on z/OS.
- Leave Driver Type as 4.
- In the Server name field, enter the hostname of the Database Server host.
- In the Port number enter the TCP/IP port number where the Database server resides.
- Uncheck the Use this data source in container managed persistence (CMP) checkbox.
- Click Next.
- In the Database name field, enter $DB_NAME.
- Uncheck the Use this data source in container managed persistence (CMP) checkbox.
- Click Next.
$ORASERVER | Oracle server hostname, for example localhost |
- In the URL field, enter:
jdbc:oracle:thin:@$ORASERVER:$ORAPORT:$DB_NAME
for example:
jdbc:oracle:thin:@localhost:1521:WSRRAUDI
- In the Data store helper class name field select Oracle10g data store helper.
- Uncheck the Use this data source in container managed persistence (CMP) checkbox.
- Click Next.
- Click Finish.
- On the message Changes have been made to your local configuration click Save.
For DB2 on z/OS the Data Source must be modified to set the default schema.
- From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
- Click the JDBC Provider created in the previous step $JDBC_PROVIDER_NAME.
- Under Additional Properties click Data sources.
- Click the Data Source created in the previous step $DATASOURCE_NAME.
- Click Custom properties.
- Find the custom property currentSchema. Click currentSchema to edit its value.
- On the General Properties screen, set the value to <SQLID>.
- Click OK.
- On the message Changes have been made to your local configuration click Save.
- Restart the WebSphere Application Server. This binds the Data Source defined into JNDI.
To verify the Data source:
- From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
- Click the JDBC Provider created in the previous step $JDBC_PROVIDER_NAME.
- Under Additional Properties click Data sources.
- Select the checkbox next to the Data source $DATASOURCE_NAME.
- Click the Test connection button.
The resulting messages should indicate the connection test was successful.
After unzip, the Audit J2EE application can be installed using the following steps:
- Deploy the <WSRRHOME>/Audit/ServiceRegistryAudit.ear J2EE application to the same WebSphere Application Server that is running WebSphere Service Registry and Repository. Use the WebSphere Application Server Integrated Solutions Console to do this. For a cluster,
deploy on the Deployment Manager and ensure the application will be deployed across the cluster.
- Start the ServiceRegistryAudit application. Use the WebSphere Application Server Integrated Solutions Console to do this.
The Service Registry Audit Notifier plugin can be installed using the following steps:
- Load the <WSRRHOME>/Audit/ServiceRegistryAuditProperties.properties file into the WebSphere Service Registry and Repository as a user configuration with the configuration item name ServiceRegistryAuditProperties. From the Configuration perspective in the WebSphere Service Registry & Repository user interface:
- Expand Active Configuration Profile -> Plug-ins.
- Click on User Configurations in the navigation tree.
- On the User Configurations view, click Load User Configuration.
- In the Preparing to Load the Configuration item page, click the Browse button.
- In the File Upload dialog, select the file <WSRRHOME>/Audit/ServiceRegistryAuditProperties.properties.
- In the Preparing to Load the Configuration item page, enter ServiceRegistryAuditProperties in the field Provide the User configuration item name. Note: the name must be as specified.
- Click OK. The ServiceRegistryAuditProperties configuration item is listed in the User Configurations view.
- Load the <WSRRHOME>/Audit/ServiceRegistryAuditPlugin.jar file into the WebSphere Service Registry and Repository as a Plug-in JAR. From the Configuration perspective in the WebSphere Service Registry & Repository user interface:
- Expand Active Configuration Profile -> Plug-ins.
- Click on JARs in the navigation tree.
- On the Plug-in JARs view, click Load JAR Plug-in.
- In the Preparing to Load the Configuration item page, click the Browse button.
- In the File Upload dialog, select the file <WSRRHOME>/Audit/ServiceRegistryAuditPlugin.jar.
- In the Preparing to Load the Configuration item page, enter ServiceRegistryAuditPlugin in the field Provide the User configuration item name.
- Click OK. The ServiceRegistryAuditPlugin configuration item is listed in the User Configurations view.
- Modify the Notification properties configuration in the WebSphere Service Registry and Repository. From the Configuration perspective in the WebSphere Service Registry & Repository user interface:
- Expand Active Configuration Profile -> Plug-ins.
- Click on Notification Properties in the navigation tree.
- On the Notification Properties view, click the entry Notification properties plug-in (NotificationProperties).
- Add the following to the end of the notifiers and governanceNotifiers lines:
com.ibm.sr.audit.SRAuditNotifier
For example the resultant lines will be:
notifiers=com.ibm.sr.api.ServiceRegistryNotifierJMS,com.ibm.sr.audit.SRAuditNotifier
governanceNotifiers=com.ibm.sr.api.ServiceRegistryNotifierJMS,com.ibm.sr.audit.SRAuditNotifier
- Click OK. The Notification properties plug-in (NotificationProperties) configuration item is updated.
The IBM Audit SupportPac for WebSphere Service Registry and Repository will log the following information for changes to entities within Service Registry. Such
entities are only registry content, not configuration items.
- the registry user who made the change
- the registry on which the change was made (the websphere cell/node/server)
- the date and time on which they were made
- the type of change from: create, update, delete, govern, remove governance, transition, state change.
- whether successful or not
- the exception message if unsuccessful
- detail of the event:
- for transition the URI of the transition which was done
- for govern the initial transition
- for change state the new state
The following details of the object affected will be logged: bsrUri, name, namespace, version, description, type.
The object which is logged is:
- create: new object
- update: old object
- delete: old object
- govern: old object
- remove governance: old object
- transition: old object
- state changed: old object
For details of the database schema see Schema.
The IBM Audit SupportPac for WebSphere Service Registry and Repository is supplied with sample reports which can be deployed into the Tivoli Common Reporting
product, available from the SupportPac website.
Extract the Tivoli Common Reporting archive into a temporary directory. Run the launchpad and follow the instructions.
As described in the Tivoli Common Reporting readme file, JDBC drivers used for report data sources must be placed at the following location:
<tcr_install_location>\tcr\lib\birt-runtime-2_2_1\ReportEngine\plugins\org.eclipse.birt.report.data.oda.jdbc_2.2.1.r22x_v20070904\drivers
Following is the JDBC drivers required for each database system and their typical location:
Database System | Driver files | Typical location |
DB2 | db2jcc.jar db2jcc_license_cu.jar | $DB_HOME/java |
Derby | derbyclient.jar | $WAS_HOME/derby/lib |
Oracle | ojdbc14.jar | $ORACLEPATH/jdbc/lib |
DB2 on z/OS | db2jcc.jar db2jcc_license_cu.jar db2jcc_license_cisuz.jar | $DB_HOME/java |
The Tivoli Common Reporting server must be restarted once the required drivers have been copied.
The sample audit reports are located in the <WSRRHOME>/Audit/ReportSamples.zip file. To deploy them into Tivoli Common Reporting:
- Log onto the Tivoli Common Reporting console
- From the navigation tree, expand Tivoli Common Reporting -> Work with Reports.
- From the Navigation in the right hand pane, select the Report Sets node.
- Right click and select Import Report Package from the pop up menu.
- From the Import Report Package dialog, click the Browse button.
- From the resulting File Upload dialog, navigate to <WSRRHOME>/Audit directory
and select the ReportSamples.zip file.
- Click the Import button.
A WebSphereServiceRegistryandRepository node will appear in the navigation tree. Expand WebSphereServiceRegistryandRepository and click on
AuditReports. A list of the sample reports will be shown. These are as follows:
Report name | Description |
audit_all | All audited events, in a table |
audit_bsruri | All audited events for an entity with the provided BsrUri, in a table. |
audit_userid | All audited events for the user with the provided user id, in a table. Pie chart showing numbers by type of event. Bar chart showing numbers by type of object. |
audit_what | All audited events between two provided dates and times, in a table. Pie chart showing number of successful and unsuccessful actions. Bar chart showing numbers by user ID. |
The Database connection information is stored in each report. Before a report can be run the database connection information must be changed. The
following procedure must be performed for each report.
- Select a report.
- Right click and select Data Sources... from the pop up menu.
- In the Report Data Sources dialog, select the source with name Audit Data Source.
- Click the Edit button.
- In the Edit Data Source dialog, enter the database user, password and details for your specific database system, as follows:
Database System | JDBC Driver | JDBC URL |
DB2 | com.ibm.db2.jcc.DB2Driver | jdbc:db2://<Database Server hostname>:$DB_PORT/$DB_NAME eg. jdbc:db2://localhost:50000/WSRRAUDI |
Derby | org.apache.derby.jdbc.ClientDriver | jdbc:derby://localhost:1527/$DB_NAME eg. jdbc:derby://localhost:1527/WSRRAUDIT Note: See Derby Network Server later. |
Oracle | oracle.jdbc.OracleDriver | jdbc:oracle:thin:@<Database Server hostname>:$ORAPORT:$DB_NAME eg. jdbc:oracle:thin:@localhost:1521:WSRRAUDI |
DB2 on z/OS | com.ibm.db2.jcc.DB2Driver | jdbc:db2://<Database Server hostname>:$DB_PORT/<Database Location>:currentSchema=$SQLID; eg. jdbc:db2://winmvsfc:48100/DSN810FP:currentSchema=GWSRR20; Note: The terminating semicolon is required. |
- Click Save.
For a Derby database, there is a restriction that no more than one Java Virtual Machine can access the database at once. The Derby audit database is embedded in the
WebSphere Application Server in which WebSphere Service Registry and Repository runs. Because this Derby runs in a different JVM than Tivoli Common Reporting,
the Derby audit database must be accessed using the Derby Network Client. Therefore the WebSphere Application Server in which WebSphere Service Registry and Repository runs
must run the Derby Network Server. To achieve this a JVM property should be added so when the WebSphere Application Server first uses a Derby database, the Derby Network
Server is started in the JVM of the WebSphere Application Server.
- From the WebSphere Application Server Integrated Solutions Console, expand Server -> Application Server-><Application Server Name> ->Java Process Management -> Process Definition -> Java Virtual Machine
- In the classpath window add
${DERBY_JDBC_DRIVER_PATH}/derbynet.jar
- In the Generic VM Arguments add
-Dderby.drda.startNetworkServer=true
- Click OK
- On the message Changes have been made to your local configuration click Save.
- Restart the WebSphere Application Server
These settings will start the Derby Network Server on the default port (usually 1527) when a Derby database is first used.
If TCR runs on a different host than the WebSphere Application Server, the derby properties file should be changed to allow all hosts to connect
to the Derby Network Server:
- Open derby.properties, typically located in $WAS_HOME/derby/derby.properties
- Uncomment the line
#derby.drda.host=0.0.0.0
It should read: derby.drda.host=0.0.0.0
- Restart the WebSphere Application Server
The value of derby.drda.portNumber specifies the port the Derby Network Server listens on.
To ensure the network
server is running, perform the following:
- From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
- Click the Derby JDBC Provider created previously $JDBC_PROVIDER_NAME.
- Under Additional Properties click Data sources.
- Select the checkbox next to the Data source $DATASOURCE_NAME.
- Click the Test connection button.
This will create a test connection and start the Derby Network Server.
To run a report from the reports list, select a report then click either HTML or PDF to choose the format of the output.
A simple command line reporting tool is provided in ServiceRegistryAudit.ear as a J2EE Application Client. This runs the provided SQL query fragment against
the Audit database and returns the results in a Comma Separated Value (CSV) file. Only the conditional part of an SQL query, the "WHERE clause", is supported.
To run the command line reporting tool,
use the WebSphere Application Server launchClient script. The arguments for the reporting client are:
launchClient ServiceRegistryAudit.ear <Report Query> <CSV File Name>
- Report Query. The SQL for the WHERE clause of the query.
- CSV File Name. The name of the file where the CSV results will be saved.
For a Report Query which contains spaces, enclose with double quotes. For example:
launchClient ServiceRegistryAudit.ear "AUDITEVENT.REGISTRYUSER='admin'" output.csv
Report type | Report Query | Notes | Example |
All audited events | 1=1 | Gets all audited events |
All events for a particular entity | OBJECT.BSRURI = 'BsrUri' | The BsrUri parameter should be the BsrUri of the entity for which all audited events are required | OBJECT.BSRURI = '319db131-69e7-4716.a39f.f614daf69f13' |
All events for a particular user | AUDITEVENT.REGISTRYUSER = 'User ID' | The User ID parameter should be the user ID of the registry user for which all audited events are required | AUDITEVENT.REGISTRYUSER = 'UNAUTHENTICATED' |
All events between two particular dates | AUDITEVENT.TIMESTAMP BETWEEN 'start date' AND 'end date' | The start date and end date parameters should in the format yyyy-mm-dd-hh.mm.ss.mmmmmm (mmmmmm is nanoseconds) | AUDITEVENT.TIMESTAMP BETWEEN '2008-01-20-00.00.00.000000' AND '2008-01-25-00.00.00.000000' |
The above can be combined using the AND keyword, for example:
AUDITEVENT.REGISTRYUSER = 'UNAUTHENTICATED' AND OBJECT.BSRURI = '319db131-69e7-4716.a39f.f614daf69f13'
The IBM Audit SupportPac for WebSphere Service Registry and Repository continues to log to the configured database until the Notifier plug-in is removed
from the list of active plug-ins. The database which is used to log audit information can be changed by altering the properties of the Data Source from
the WebSphere Application Server Integrated Solutions Console, saving the changes, then restarting the ServiceRegistryAudit application.
The Audit database contains two tables. These are AUDITEVENT and OBJECT.
Column Name | Type | Notes |
UUID | CHAR(36) | Unique ID of the record |
TIMESTAMP | TIMESTAMP | Time of the event |
REGISTRYID | VARCHAR(1020) | Identifier of the registry which generated the event |
REGISTRYUSER | VARCHAR(1020) | ID of the registry user which caused the event |
EVENTTYPE | VARCHAR(16) | Type of event |
SUCCESS | VARCHAR(5) | Whether the event was successful, either "true" or "false" |
EXCEPTIONMSG | VARCHAR(1020) | The message from the exception, if the event was unsuccessful |
DETAIL | VARCHAR(1020) | Detail of the event, see Auditing Overview |
CORRELATIONID | VARCHAR(36) | Unique ID for events which are correlated. For example the govern event and the initial transition on an entity are related and will have the same correlation id |
Values for Event Type are:
- Create
- Delete
- Update
- Govern
- RemoveGovernance
- Transition
- StateChange
Column Name | Type | Notes |
OBJECTUUID | CHAR(36) | Unique ID of the object record |
BSRURI | VARCHAR(56) | BsrUri of the entity |
NAME | VARCHAR(1020) | Name of the entity |
NAMESPACE | VARCHAR(1020) | Namespace of the entity |
VERSION | VARCHAR(1020) | Version of the entity |
DESCRIPTION | VARCHAR(1020) | Description of the entity |
SDOTYPE | VARCHAR(256) | SDO Type of the entity |
UUID | CHAR(36) | Unique ID of the Audit Event record which describes when this object changed (foreign key to AUDITEVENT.UUID). |
Following are some messages which may occur. Generally these will be output into the WebSphere Service Registry and Repository WebSphere Application Server log.
Audit SupportPac messages
If an error occurs during Audit plug-in initialization, once the cause has been corrected, Replace the Audit plug-in JAR configuration item with ServiceRegistryAuditPlugin.jar.
This will cause WebSphere Service Registry and Repository to re-initialize the plug-in.
If an error occurs during Audit Bean initialization, once the cause has been corrected, restart the ServiceRegistryAudit J2EE Application from the
WebSphere Application Server Integrated Solutions Console.
Unable to find configuration
Explanation:The Audit plug-in cannot find any configuration during initialization.
User Action:Ensure that the Audit plug-in configuration item named ServiceRegistryAuditProperties is loaded into the WebSphere Service Registry and Repository.
Ensure the configuration item name is ServiceRegistryAuditProperties.
Unable to find JNDI name of Bean in configuration
Explanation:The Audit plug-in cannot find the configuration entry databaseLogger.ejbHome during initialization.
User Action:Ensure that the Audit plug-in configuration item named ServiceRegistryAuditProperties has an entry for databaseLogger.ejbHome.
Unable to get the Initial Context using defaults
Explanation:The Audit plug-in or the Audit Bean cannot get the JNDI InitialContext during initialization.
User Action:Contact your WebSphere Application Server Systems Administrator.
Unable to look up the Bean JNDI name of Bean
Explanation:The Audit plug-in cannot look up the Audit Application Bean using the specified JNDI name during initialization.
User Action:Ensure that the Audit J2EE Application is deployed to the WebSphere Application Server and is started. Ensure that
the Session Bean ServiceRegistryAudit is bound to the specified JNDI name.
The jndi object was not the Audit bean: Type of object in JNDI
Explanation:The Audit plug-in found an object at the JNDI name for the Audit Application Bean during initialization, but it was not the Audit Application Bean.
User Action:Ensure that the Audit J2EE Application is deployed to the WebSphere Application Server and is started. Ensure that
the Session Bean ServiceRegistryAudit is bound to the specified JNDI name.
Error occured adding the audit record to the database Exception message
Explanation:The Audit Bean was unable to add a record to the audit database.
User Action:Check the exception message for further details. Check for a corresponding log message from the Audit Bean with
further details.
Error not initialized
Explanation:The Audit plug-in had previously encountered an error connecting to the Audit Bean during initialization. An attempt was made to write
an audit record to the database, but the Audit plug-in cannot proceed because it is not initialized.
The Audit Bean had previously encountered an error connecting to the audit database Data Source. An attempt was made to write
an audit record to the database, but the Audit Bean cannot proceed because it is not initialized.
User Action:Check the exception message for further details. Check for a corresponding log message from the Audit Bean with
further details. Once the error has been corrected, reload the Audit plug-in to cause it to reinitialize, or restart the ServiceRegistryAudit
application.
Unable to look up the Data Source jdbc/auditDatabase
Explanation:The Audit Bean was unable to find the audit database Data Source using the specified JNDI name.
User Action:Ensure that the Session Bean ServiceRegistryAudit resource reference jdbc/auditDatabase
is mapped to the audit database Data Source.
The jndi object was not a Data Source: Type of object in JNDI
Explanation:The Audit Bean found an object at the JNDI name for the Data Source during initialization, but it was not a Data Source.
User Action:Ensure that the Session Bean ServiceRegistryAudit resource reference jdbc/auditDatabase
is mapped to the audit database Data Source.
Error connecting to the database
Explanation:The Audit Bean encountered an error connecting to the audit database.
User Action:Check the preceeding log messages for the exception cause for the connection error for further details. Perform a
test connection on the audit database Data Source from the WebSphere Application Server Integrated Solutions Console.
Error creating the jdbc statement
Explanation:The Audit Bean encountered an error creating a jdbc statement.
User Action:Check the preceeding log messages for the exception cause for the connection error for further details.
Other messages
These messages may be output by WebSphere components.
ReportDesign (id = 1):
+ Cannot open the connection for the driver: org.eclipse.birt.report.data.oda.jdbc
Failed to get connection.
SQL error #1: java.net.ConnectException : Error opening socket to server server name on port 1527 with message : Connection refused: connect
Explanation:The Tivoli Common Reporting server cannot connect to the audit database. The port 1527 indicates this is a Derby database. Either the Derby
Network Server is not running on this port, or is not allowing connections.
User Action:Check the derby.log file located in $WAS_HOME/derby/derby.log. Ensure the following line has been logged:
Server is ready to accept connections on port 1527.
This means the Derby Network Server is listening on the correct port.
If the TCR host is different to the WebSphere Application Server which runs the Derby Network Server and audit database, check the derby.properties file located in
$WAS_HOME/derby/derby.properties, ensure the following line is uncommented:
derby.drda.host=0.0.0.0
If the Derby Network Server cannot listen on port 1527 check the host network services for a service which may be using that port. Change the value in
derby.properties to a different port and change the Data Source settings in TCR to use the new port number.
ReportDesign (id = 1):
+ Cannot open the connection for the driver: org.eclipse.birt.report.data.oda.jdbc
Failed to get connection.
SQL error #1: DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ040, SQLERRMC:
Failed to start database $DB_NAME, see the next exception for details.::SQLSTATE: XSDB6Another
instance of Derby may have already booted the database /opt/IBM/WebSphere/AppServer/derby/$DB_NAME
Explanation:The Tivoli Common Reporting server cannot connect to the audit database. There is already another Java Virtual Machine using
the Derby audit database, so the Derby Network Server fails when it attempts to open the database.
User Action:Ensure that only the WebSphere Application Server upon which the Derby Audit database runs is running the Derby
Network Server. Ensure that the startNetworkServer program is not running. This is typically located in $WAS_HOME/derby/bin/networkServer.