SA03: IBM Audit SupportPac for WebSphere Service Registry and Repository

The IBM Audit SupportPac provides support for recording and reporting important event activity taking place against objects stored in WSRR. This includes the basic creation, deletion and update of all registry objects as well as the results of moving those objects through a governance lifecycle. For these operations the IBM Audit SupportPac will record the date and time at which the change was made, the WSRR instance and logged-in user that made the change and will record details of the object that was changed. Audit information will be recorded to a database enabling database queries to be used to generate reports.

The SupportPac consists of the following:

Table of contents

Pre-requisite software

The minimum software requirement for this SupportPac is WebSphere Service Registry and Repository version 6.1 Fix Pack 1.

The database server minimum requirements are as for WebSphere Service Registry and Repository version 6.1 Fix Pack 1.

Installation instructions

The downloaded ServiceRegistryAudit file should be unzipped or untarred into the WSRR installation root directory <WSRRHOME>. There is a specific tar file for z/OS which contains installation scripts in EBCDIC.

Audit Database and Tables

After unzip, the following script directories are created:
Database ServerDirectory
DB2 Distributed<WSRRHOME>/Audit/scripts/sql/db2
DB2 for z/OS<WSRRHOME>/Audit/scripts/sql/db2_ZOS
Derby<WSRRHOME>/Audit/scripts/sql/derby
Oracle<WSRRHOME>/Audit/scripts/sql/oracle
The Audit database has to be created on one of the above database systems. Following are installation instructions for each database system.

DB2 Database

These instructions are for a UNIX® server. You can replace the directory paths to use them as a guide for a Windows® server. Windows-based systems use backslashes (\) to delimit directories in a directory path.

Use the following values:
$DB_HOMEThe DB2 installation directory
$DB_NAMEDatabase name. Uppercase and less than 8 characters.
$DB_PORTDB2 database port
$DB_USERAudit database user ID. Must be lowercase.
$DB_PASSWORDThe password for the Audit database user ID.
$DB2INSTIDThe DB2 database instance owner ID.
$DB2INSTThe DB2 instance name, often the same as the instance owner ID.
$DB2TSDIRThe directory to store the DB2 tablespaces in. For example e:\db2 or /home/db2inst1/DB2TS
$SQLPATHPath to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/db2
  1. Create the database. If you want to use an existing database skip this step.
    1. Edit $SQLPATH/createdb.sql
      1. Replace all instances of __DB2TSDIR__ with the directory where the tablespaces are stored (the value of $DB2TSDIR).
      2. Replace all instances of __DBNAME__ with the value of $DB_NAME
      3. Replace all instances of __DBUSER__ with the value of $DB_USER
    2. Make sure your DB2 instance is configured for TCP/IP access, for example as $DB2INSTID, and replacing $DB2INST with your DB2 instance name, run: 
      db2set DB2COMM=tcpip
db2 update dbm cfg using SVCENAME db2c_$DB2INST
      Ensure that the db2c_$DB2INST service is defined in /etc/services. 
      db2stop
db2start
    3. On Windows, run: 
      db2set DB2_CREATE_DB_ON_PATH=YES
db2stop
db2start
    4. As $DB2INSTID run: 
      db2 -tf $SQLPATH/createdb.sql
db2 connect reset 
db2 terminate
  2. Create the database tables.
    1. As $DB2INSTID run:
      db2 connect to $DB_NAME user $DB_USER using $DB_PASSWORD
      db2 set current schema $DB_USER
      db2 -tf $SQLPATH/createtables.sql

Derby Database

These instructions are for a UNIX® server. You can replace the directory paths to use them as a guide for a Windows® server. Windows-based systems use backslashes (\) to delimit directories in a directory path.

Use the following values:
$WAS_HOMEThe WebSphere installation directory
$DB_NAMEDatabase name. Uppercase and less than 8 characters.
$DB_USERAudit database user ID. Must be lowercase.
$DB_PASSWORDThe password for the Audit database user ID.
$SQLPATHPath to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/derby
  1. Create the database. If you want to use an existing database skip this step.
    1. Edit $SQLPATH/createdb.sql
      1. Replace all instances of __DBNAME__ with the value of $DB_NAME
      2. Replace all instances of __DBUSER__ with the value of $DB_USER
      3. Replace all instances of __DBPASSWORD__ with the value of $DB_PASSWORD
    2. From $WAS_HOME\derby\bin\embedded Run: 
      ij -p $WAS_HOME\derby\derby.properties createdb.sql
  2. Create the database tables.
    1. Edit $SQLPATH/createtables.sql
      1. Replace all instances of __DBNAME__ with the value of $DB_NAME
      2. Replace all instances of __DBUSER__ with the value of $DB_USER
      3. Replace all instances of __DBPASSWORD__ with the value of $DB_PASSWORD
    2. From $WAS_HOME\derby\bin\embedded Run: 
      ij -p $WAS_HOME\derby\derby.properties createtables.sql
  3. Configure the DB2UNIVERSAL_JDBC_DRIVER_PATH. You must now configure the DB2UNIVERSAL_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.

    If using a remote database, install the DB2 client to the WebSphere Application Server first, and then set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory in the client which contains db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar.

    If using a cluster, configure DB2UNIVERSAL_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.

    Set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory containing db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar, for example C:/Program Files/IBM/SQLLIB/java. From the WebSphere Application Server Integrated Solutions Console:

    1. Expand Environment -> WebSphere Variables.
    2. Set the scope appropriately.
    3. Click DB2UNIVERSAL_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter DB2UNIVERSAL_JDBC_DRIVER_PATH in the Name field.
    4. In the Value field, enter the path.
    5. Click OK.
    6. On the message Changes have been made to your local configuration click Save.

Oracle Database

These instructions are for a UNIX® server. You can replace the directory paths to use them as a guide for a Windows® server. Windows-based systems use backslashes (\) to delimit directories in a directory path.

Use the following values:
$ORACLEPATHThe Oracle installation directory
$DB_NAMEDatabase name. Uppercase and less than 8 characters.
$ORAPORTOracle database port
$DB_USERAudit database user ID. Must be lowercase.
$DB_PASSWORDThe password for the Audit database user ID.
$ORAUSERThe operating system ID owning the oracle installation (someone with permission to run sqlplus)
$DB2INSTThe DB2 instance name, often the same as the instance owner ID.
$SQLPATHPath to the SQL files, usually similar to: /opt/IBM/WSRR/Audit/scripts/sql/oracle
  1. Create the database. If you want to use an existing database skip this step.
    1. Edit $SQLPATH/dbca.rsp
      1. Replace all instances of __VARFILEPATH__ with the directory where variables.txt can be found ($SQLPATH).
      2. Replace all instances of __DBNAME__ with $DB_NAME
    2. As $ORAUSER run: 
      $ORACLEPATH/bin/dbca -silent -responseFile $SQLPATH/dbca.rsp
    3. Set the password for the SYSTEM and SYS database users to be $DB_PASSWORD, or some other appropriate value, if you are going to be creating a new database user.

      You can, optionally, use the following script to do this. Edit install/database/sql/oracle/dbaccess.sql

      1. Replace all instances of __DBNAME__ with $DB_NAME.
      2. Replace all instances of __DBPASSWORD__ with $DB_PASSWORD.
      3. As $ORAUSER run: 
        $ORACLEPATH/bin/sqlplus /nolog @$SQLPATH/dbaccess.sql
  2. Create a database user. If you want a user ID other than SYSTEM for $DB_USER, create that user ID now using the normal Oracle process. The user ID will have privileges similar to those detailed in the following (this might not be an exhaustive list):

    SELECT ANY DICTIONARY, UNLIMITED TABLESPACE, "AQ_ADMINISTRATOR_ROLE", "AQ_USER_ROLE", "CONNECT", "DELETE_CATALOG_ROLE", "EJBCLIENT", "EXECUTE_CATALOG_ROLE", "EXP_FULL_DATABASE", "GATHER_SYSTEM_STATISTICS", "MGMT_USER", CREATE TABLE, CREATE DATABASE LINK, CREATE SESSION, CREATE SEQUENCE, CREATE TABLESPACE, ALTER TABLESPACE, MANAGE TABLESPACE, SELECT ANY TABLE, INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE, CREATE VIEW

  3. Create the database tables. As $ORAUSER run: 
    $ORACLEPATH/bin/sqlplus $DB_USER/$DB_PASSWORD@$DB_NAME @$SQLPATH/createtables.sql
  4. Configure the ORACLE_JDBC_DRIVER_PATH. You must now configure the ORACLE_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.

    If using a remote database, install the Oracle client to the WebSphere Application Server first, and then set ORACLE_JDBC_DRIVER_PATH to the directory in the client which contains ojdbc14.jar.

    If using a cluster, configure ORACLE_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.

    Set ORACLE_JDBC_DRIVER_PATH to the directory containing ojdbc14.jar, for example /home/oracle/product/10.2.0/Db_1/jdbc/lib

    From the WebSphere Application Server Integrated Solutions Console:
    1. Expand Environment -> WebSphere Variables.
    2. Set the scope appropriately.
    3. Click ORACLE_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter ORACLE_JDBC_DRIVER_PATH in the Name field.
    4. In the Value field, enter the path.
    5. Click OK.
    6. On the message Changes have been made to your local configuration click Save.

  5. Configure the Oracle nls_timestamp_format. You must now configure the initialization parameter nls_timestamp_format in the database Initialization Parameter File. This is typically located: 
    $ORACLEPATH\database\init$DB_NAME.ora
    This should be set to: 
    nls_timestamp_format='YYYY-MM-DD HH24:MI:SS.FFF'
    Refer to your operating system specific Oracle documentation for the default location of the initialization parameter file.

DB2 on z/OS Database

Running a script to copy the DB2 SQL and JCL to PDSs

If the z/OS tar was untarred into the deployment directory of WSRR, the scripts will be in the subdirectory Admin/scripts/sql/db2_ZOS. Otherwise the scripts need to be copied onto the z/OS system to the deployment directory of WSRR, for example /u/wsrr/WebSphereServiceRegistry/Admin/scripts/sql/db2_ZOS

  1. Change directory to Admin/scripts/sql/db2_ZOS and run script copyddl.sh to copy the DB2 SQL and JCL to PDSs: 
    copyddl.sh -sqldsn <SQL_DSN> -jcldsn <JCL_DSN>

    Where:

    ParameterDescription
    <JCL_DSN> The fully qualified name of the PDS to contain JCL. It must be LRECL=80 RECFM=FB and will be created by the script if it does not exist.
    <SQL_DSN> The fully qualified name of the PDS to contain SQL. It must be LRECL=80 RECFM=FB and will be created by the script if it does not exist.

  2. Edit the two SQL members to conform with your site's DB2 naming standards. Change all occurrences of the following in each member of the SQL data set:
    Parameter Description
    <SQLID> The required DB2 SQLID, for example WSRRUSR. It is recommended that this should be a unique SQLID for WSRR.
    <AUDIT-DATABASE> The name for the Audit database, for example AUDITDB.
    <AUDIT-TABLESPACE> The name for the Audit tablespace in the Audit database, for example AUDITTS.

  3. Edit the two JCL members to conform with your site's DB2 standards. Change all occurrences of the following in each member of the JCL data set:
    Parameter Description
    <SDSNLOAD> The name of the target DB2 SDSNLOAD library.
    <RUNLIB> The name of the target DB2 RUNLIB library.
    <SSID> The name of the target DB2 Subsystem ID.
    <PLAN-NAME> The name of the target DSNTIAD DB2 plan name.

  4. Create the DB2 databases and tables using the modified SQL. Either:
Configure the DB2UNIVERSAL_JDBC_DRIVER_PATH
You must now configure the DB2UNIVERSAL_JDBC_DRIVER_PATH WebSphere® variable in WebSphere Application Server.

If using a remote database, install the DB2 client for z/OS to the WebSphere Application Server first, and then set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory in the client which contains db2jcc.jar, db2jcc_license_cu.jar and db2jcc_license_cisuz.jar.

If using a cluster, configure DB2UNIVERSAL_JDBC_DRIVER_PATH at the node level for every node the Audit Application is installed on, otherwise at node level scope.

Set DB2UNIVERSAL_JDBC_DRIVER_PATH to the directory containing db2jcc.jar, , db2jcc_license_cu.jar and db2jcc_license_cisuz.jar, for example C:/Program Files/IBM/SQLLIB/java. From the WebSphere Application Server Integrated Solutions Console:

  1. Expand Environment -> WebSphere Variables.
  2. Set the scope appropriately.
  3. Click DB2UNIVERSAL_JDBC_DRIVER_PATH or, if the variable does not exist at the selected scope, Click New and enter DB2UNIVERSAL_JDBC_DRIVER_PATH in the Name field.
  4. In the Value field, enter the path.
  5. Click OK.
  6. On the message Changes have been made to your local configuration click Save.

WebSphere Data Source and JDBC Provider

A DataSource and JDBC Provider have to be created in the WebSphere Application Server where the Audit J2EE Application is to be installed. In the case of a cluster, this is in the Deployment Manager.

Following are the settings for the JDBC Provider for your particular Database System.
Database SystemDatabase typeProvider typeImplementation type
DB2 DistributedDB2DB2 Universal JDBC Driver ProviderXA data source
DerbyDerbyDerby JDBC ProviderXA data source
OracleOracleOracle JDBC ProviderXA data source
DB2 z/OSDB2DB2 Universal JDBC Driver ProviderXA data source

NameValue
$JDBC_PROVIDER_NAMEWSRR Audit JDBC Provider
$J2C_ALIAS_NAMEWSRR Audit Alias
$DATASOURCE_NAMEWSRR Audit DataSource
$JNDI_NAMEjdbc/WSRRAUDIT

To create the JDBC Provider:

  1. From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
  2. If in a cluster, set the scope to cluster level, if not, set to the node level.
  3. Click the New button.
  4. For the fields Database type, Provider type and Implementation type enter the values described above.
  5. Enter a descriptive name such as $JDBC_PROVIDER_NAME.
  6. Click Next.
To create the authentication alias to use to connect to the Database Server:
  1. From the WebSphere Application Server Integrated Solutions Console, expand Security->Secure administration, applications, and infrastructure.
  2. Expand Java Authentication and Authorization Service.
  3. Click J2C authentication data.
  4. Click New.
  5. Enter a descriptive name for the Alias field, such as $J2C_ALIAS_NAME.
  6. Enter $DB_USER in the User ID field and $DB_PASSWORD in the Password field. For DB2 on z/OS enter the database user and password.
  7. Click OK.
To create the Data Source:
  1. From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
  2. Click the JDBC Provider created in the previous step $JDBC_PROVIDER_NAME.
  3. Under Additional Properties click Data sources.
  4. Click New.
  5. In the Data source name field enter $DATASOURCE_NAME.
  6. In the JNDI name field, enter $JNDI_NAME.
  7. In the Component-managed authentication alias and XA recovery authentication alias field select $J2C_ALIAS_NAME.
  8. Click Next.
The panel which follows is dependent on the type of Database system.

DB2

  1. In the Database name field, enter $DB_NAME. For DB2 on z/OS enter the Database Location, which can be acquired from DB2 on z/OS.
  2. Leave Driver Type as 4.
  3. In the Server name field, enter the hostname of the Database Server host.
  4. In the Port number enter the TCP/IP port number where the Database server resides.
  5. Uncheck the Use this data source in container managed persistence (CMP) checkbox.
  6. Click Next.

Derby

  1. In the Database name field, enter $DB_NAME.
  2. Uncheck the Use this data source in container managed persistence (CMP) checkbox.
  3. Click Next.

Oracle

$ORASERVEROracle server hostname, for example localhost
  1. In the URL field, enter: 
    jdbc:oracle:thin:@$ORASERVER:$ORAPORT:$DB_NAME
    for example: 
    jdbc:oracle:thin:@localhost:1521:WSRRAUDI
  2. In the Data store helper class name field select Oracle10g data store helper.
  3. Uncheck the Use this data source in container managed persistence (CMP) checkbox.
  4. Click Next.

All databases

  1. Click Finish.
  2. On the message Changes have been made to your local configuration click Save.

DB2 on z/OS specific properties

For DB2 on z/OS the Data Source must be modified to set the default schema.
  1. From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
  2. Click the JDBC Provider created in the previous step $JDBC_PROVIDER_NAME.
  3. Under Additional Properties click Data sources.
  4. Click the Data Source created in the previous step $DATASOURCE_NAME.
  5. Click Custom properties.
  6. Find the custom property currentSchema. Click currentSchema to edit its value.
  7. On the General Properties screen, set the value to <SQLID>.
  8. Click OK.
  9. On the message Changes have been made to your local configuration click Save.

All databases

  1. Restart the WebSphere Application Server. This binds the Data Source defined into JNDI.

Test the datasource

To verify the Data source:
  1. From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
  2. Click the JDBC Provider created in the previous step $JDBC_PROVIDER_NAME.
  3. Under Additional Properties click Data sources.
  4. Select the checkbox next to the Data source $DATASOURCE_NAME.
  5. Click the Test connection button.
The resulting messages should indicate the connection test was successful.

Audit J2EE Application

After unzip, the Audit J2EE application can be installed using the following steps:

Service Registry Audit Notifier plugin

The Service Registry Audit Notifier plugin can be installed using the following steps:

Auditing Overview

The IBM Audit SupportPac for WebSphere Service Registry and Repository will log the following information for changes to entities within Service Registry. Such entities are only registry content, not configuration items.
  1. the registry user who made the change
  2. the registry on which the change was made (the websphere cell/node/server)
  3. the date and time on which they were made
  4. the type of change from: create, update, delete, govern, remove governance, transition, state change.
  5. whether successful or not
  6. the exception message if unsuccessful
  7. detail of the event:
    1. for transition the URI of the transition which was done
    2. for govern the initial transition
    3. for change state the new state
The following details of the object affected will be logged: bsrUri, name, namespace, version, description, type. The object which is logged is:
  1. create: new object
  2. update: old object
  3. delete: old object
  4. govern: old object
  5. remove governance: old object
  6. transition: old object
  7. state changed: old object
For details of the database schema see Schema.

Using Tivoli Common Reporting

The IBM Audit SupportPac for WebSphere Service Registry and Repository is supplied with sample reports which can be deployed into the Tivoli Common Reporting product, available from the SupportPac website.

Installing

Extract the Tivoli Common Reporting archive into a temporary directory. Run the launchpad and follow the instructions.

Configuring

As described in the Tivoli Common Reporting readme file, JDBC drivers used for report data sources must be placed at the following location: 
<tcr_install_location>\tcr\lib\birt-runtime-2_2_1\ReportEngine\plugins\org.eclipse.birt.report.data.oda.jdbc_2.2.1.r22x_v20070904\drivers
Following is the JDBC drivers required for each database system and their typical location:
Database SystemDriver filesTypical location
DB2db2jcc.jar
db2jcc_license_cu.jar		$DB_HOME/java
Derbyderbyclient.jar$WAS_HOME/derby/lib
Oracleojdbc14.jar$ORACLEPATH/jdbc/lib
DB2 on z/OSdb2jcc.jar
db2jcc_license_cu.jar
db2jcc_license_cisuz.jar		$DB_HOME/java
The Tivoli Common Reporting server must be restarted once the required drivers have been copied.

Deploying the sample reports

The sample audit reports are located in the <WSRRHOME>/Audit/ReportSamples.zip file. To deploy them into Tivoli Common Reporting:
  1. Log onto the Tivoli Common Reporting console
  2. From the navigation tree, expand Tivoli Common Reporting -> Work with Reports.
  3. From the Navigation in the right hand pane, select the Report Sets node.
  4. Right click and select Import Report Package from the pop up menu.
  5. From the Import Report Package dialog, click the Browse button.
  6. From the resulting File Upload dialog, navigate to <WSRRHOME>/Audit directory and select the ReportSamples.zip file.
  7. Click the Import button.

A WebSphereServiceRegistryandRepository node will appear in the navigation tree. Expand WebSphereServiceRegistryandRepository and click on AuditReports. A list of the sample reports will be shown. These are as follows:

Report nameDescription
audit_allAll audited events, in a table
audit_bsruriAll audited events for an entity with the provided BsrUri, in a table.
audit_useridAll audited events for the user with the provided user id, in a table. Pie chart showing numbers by type of event. Bar chart showing numbers by type of object.
audit_whatAll audited events between two provided dates and times, in a table. Pie chart showing number of successful and unsuccessful actions. Bar chart showing numbers by user ID.

Changing the Data Source settings on a report

The Database connection information is stored in each report. Before a report can be run the database connection information must be changed. The following procedure must be performed for each report.
  1. Select a report.
  2. Right click and select Data Sources... from the pop up menu.
  3. In the Report Data Sources dialog, select the source with name Audit Data Source.
  4. Click the Edit button.
  5. In the Edit Data Source dialog, enter the database user, password and details for your specific database system, as follows:
Database SystemJDBC DriverJDBC URL
DB2com.ibm.db2.jcc.DB2Driverjdbc:db2://<Database Server hostname>:$DB_PORT/$DB_NAME
eg. jdbc:db2://localhost:50000/WSRRAUDI
Derbyorg.apache.derby.jdbc.ClientDriverjdbc:derby://localhost:1527/$DB_NAME
eg. jdbc:derby://localhost:1527/WSRRAUDIT
Note: See Derby Network Server later.
Oracleoracle.jdbc.OracleDriverjdbc:oracle:thin:@<Database Server hostname>:$ORAPORT:$DB_NAME
eg. jdbc:oracle:thin:@localhost:1521:WSRRAUDI
DB2 on z/OScom.ibm.db2.jcc.DB2Driverjdbc:db2://<Database Server hostname>:$DB_PORT/<Database Location>:currentSchema=$SQLID;
eg. jdbc:db2://winmvsfc:48100/DSN810FP:currentSchema=GWSRR20;
Note: The terminating semicolon is required.
  1. Click Save.

Derby Network Server

For a Derby database, there is a restriction that no more than one Java Virtual Machine can access the database at once. The Derby audit database is embedded in the WebSphere Application Server in which WebSphere Service Registry and Repository runs. Because this Derby runs in a different JVM than Tivoli Common Reporting, the Derby audit database must be accessed using the Derby Network Client. Therefore the WebSphere Application Server in which WebSphere Service Registry and Repository runs must run the Derby Network Server. To achieve this a JVM property should be added so when the WebSphere Application Server first uses a Derby database, the Derby Network Server is started in the JVM of the WebSphere Application Server.

  1. From the WebSphere Application Server Integrated Solutions Console, expand Server -> Application Server-><Application Server Name> ->Java Process Management -> Process Definition -> Java Virtual Machine
  2. In the classpath window add 
    ${DERBY_JDBC_DRIVER_PATH}/derbynet.jar
  3. In the Generic VM Arguments add 
    -Dderby.drda.startNetworkServer=true
  4. Click OK
  5. On the message Changes have been made to your local configuration click Save.
  6. Restart the WebSphere Application Server
These settings will start the Derby Network Server on the default port (usually 1527) when a Derby database is first used.

If TCR runs on a different host than the WebSphere Application Server, the derby properties file should be changed to allow all hosts to connect to the Derby Network Server:

  1. Open derby.properties, typically located in $WAS_HOME/derby/derby.properties
  2. Uncomment the line 
    #derby.drda.host=0.0.0.0
    It should read: 
    derby.drda.host=0.0.0.0
  3. Restart the WebSphere Application Server
The value of derby.drda.portNumber specifies the port the Derby Network Server listens on.

To ensure the network server is running, perform the following:

  1. From the WebSphere Application Server Integrated Solutions Console, expand Resources->JDBC->JDBC Providers.
  2. Click the Derby JDBC Provider created previously $JDBC_PROVIDER_NAME.
  3. Under Additional Properties click Data sources.
  4. Select the checkbox next to the Data source $DATASOURCE_NAME.
  5. Click the Test connection button.
This will create a test connection and start the Derby Network Server.

Running a report

To run a report from the reports list, select a report then click either HTML or PDF to choose the format of the output.

Using the command line report tool

A simple command line reporting tool is provided in ServiceRegistryAudit.ear as a J2EE Application Client. This runs the provided SQL query fragment against the Audit database and returns the results in a Comma Separated Value (CSV) file. Only the conditional part of an SQL query, the "WHERE clause", is supported.

To run the command line reporting tool, use the WebSphere Application Server launchClient script. The arguments for the reporting client are: 

launchClient ServiceRegistryAudit.ear <Report Query> <CSV File Name>
  1. Report Query. The SQL for the WHERE clause of the query.
  2. CSV File Name. The name of the file where the CSV results will be saved.
For a Report Query which contains spaces, enclose with double quotes. For example: 
launchClient ServiceRegistryAudit.ear "AUDITEVENT.REGISTRYUSER='admin'" output.csv

Sample Report Queries

Report typeReport QueryNotesExample
All audited events1=1Gets all audited events
All events for a particular entityOBJECT.BSRURI = 'BsrUri'The BsrUri parameter should be the BsrUri of the entity for which all audited events are requiredOBJECT.BSRURI = '319db131-69e7-4716.a39f.f614daf69f13'
All events for a particular userAUDITEVENT.REGISTRYUSER = 'User ID'The User ID parameter should be the user ID of the registry user for which all audited events are requiredAUDITEVENT.REGISTRYUSER = 'UNAUTHENTICATED'
All events between two particular datesAUDITEVENT.TIMESTAMP BETWEEN 'start date' AND 'end date'The start date and end date parameters should in the format yyyy-mm-dd-hh.mm.ss.mmmmmm (mmmmmm is nanoseconds)AUDITEVENT.TIMESTAMP BETWEEN '2008-01-20-00.00.00.000000' AND '2008-01-25-00.00.00.000000'
The above can be combined using the AND keyword, for example: 
AUDITEVENT.REGISTRYUSER = 'UNAUTHENTICATED' AND OBJECT.BSRURI = '319db131-69e7-4716.a39f.f614daf69f13'

Archiving and purging audit data

The IBM Audit SupportPac for WebSphere Service Registry and Repository continues to log to the configured database until the Notifier plug-in is removed from the list of active plug-ins. The database which is used to log audit information can be changed by altering the properties of the Data Source from the WebSphere Application Server Integrated Solutions Console, saving the changes, then restarting the ServiceRegistryAudit application.

Database schema

The Audit database contains two tables. These are AUDITEVENT and OBJECT.

Audit Event table

Column NameTypeNotes
UUIDCHAR(36)Unique ID of the record
TIMESTAMPTIMESTAMPTime of the event
REGISTRYIDVARCHAR(1020)Identifier of the registry which generated the event
REGISTRYUSERVARCHAR(1020)ID of the registry user which caused the event
EVENTTYPEVARCHAR(16)Type of event
SUCCESSVARCHAR(5)Whether the event was successful, either "true" or "false"
EXCEPTIONMSGVARCHAR(1020)The message from the exception, if the event was unsuccessful
DETAILVARCHAR(1020)Detail of the event, see Auditing Overview
CORRELATIONIDVARCHAR(36)Unique ID for events which are correlated. For example the govern event and the initial transition on an entity are related and will have the same correlation id
Values for Event Type are:

Object table

Column NameTypeNotes
OBJECTUUIDCHAR(36)Unique ID of the object record
BSRURIVARCHAR(56)BsrUri of the entity
NAMEVARCHAR(1020)Name of the entity
NAMESPACEVARCHAR(1020)Namespace of the entity
VERSIONVARCHAR(1020)Version of the entity
DESCRIPTIONVARCHAR(1020)Description of the entity
SDOTYPEVARCHAR(256)SDO Type of the entity
UUIDCHAR(36)Unique ID of the Audit Event record which describes when this object changed (foreign key to AUDITEVENT.UUID).

Troubleshooting

Following are some messages which may occur. Generally these will be output into the WebSphere Service Registry and Repository WebSphere Application Server log.

Audit SupportPac messages

If an error occurs during Audit plug-in initialization, once the cause has been corrected, Replace the Audit plug-in JAR configuration item with ServiceRegistryAuditPlugin.jar. This will cause WebSphere Service Registry and Repository to re-initialize the plug-in.

If an error occurs during Audit Bean initialization, once the cause has been corrected, restart the ServiceRegistryAudit J2EE Application from the WebSphere Application Server Integrated Solutions Console.

Unable to find configuration

Explanation:The Audit plug-in cannot find any configuration during initialization.
User Action:Ensure that the Audit plug-in configuration item named ServiceRegistryAuditProperties is loaded into the WebSphere Service Registry and Repository. Ensure the configuration item name is ServiceRegistryAuditProperties.

Unable to find JNDI name of Bean in configuration

Explanation:The Audit plug-in cannot find the configuration entry databaseLogger.ejbHome during initialization.
User Action:Ensure that the Audit plug-in configuration item named ServiceRegistryAuditProperties has an entry for databaseLogger.ejbHome.

Unable to get the Initial Context using defaults

Explanation:The Audit plug-in or the Audit Bean cannot get the JNDI InitialContext during initialization.
User Action:Contact your WebSphere Application Server Systems Administrator.

Unable to look up the Bean JNDI name of Bean

Explanation:The Audit plug-in cannot look up the Audit Application Bean using the specified JNDI name during initialization.
User Action:Ensure that the Audit J2EE Application is deployed to the WebSphere Application Server and is started. Ensure that the Session Bean ServiceRegistryAudit is bound to the specified JNDI name.

The jndi object was not the Audit bean: Type of object in JNDI

Explanation:The Audit plug-in found an object at the JNDI name for the Audit Application Bean during initialization, but it was not the Audit Application Bean.
User Action:Ensure that the Audit J2EE Application is deployed to the WebSphere Application Server and is started. Ensure that the Session Bean ServiceRegistryAudit is bound to the specified JNDI name.

Error occured adding the audit record to the database Exception message

Explanation:The Audit Bean was unable to add a record to the audit database.
User Action:Check the exception message for further details. Check for a corresponding log message from the Audit Bean with further details.

Error not initialized

Explanation:The Audit plug-in had previously encountered an error connecting to the Audit Bean during initialization. An attempt was made to write an audit record to the database, but the Audit plug-in cannot proceed because it is not initialized.
The Audit Bean had previously encountered an error connecting to the audit database Data Source. An attempt was made to write an audit record to the database, but the Audit Bean cannot proceed because it is not initialized.
User Action:Check the exception message for further details. Check for a corresponding log message from the Audit Bean with further details. Once the error has been corrected, reload the Audit plug-in to cause it to reinitialize, or restart the ServiceRegistryAudit application.

Unable to look up the Data Source jdbc/auditDatabase

Explanation:The Audit Bean was unable to find the audit database Data Source using the specified JNDI name.
User Action:Ensure that the Session Bean ServiceRegistryAudit resource reference jdbc/auditDatabase is mapped to the audit database Data Source.

The jndi object was not a Data Source: Type of object in JNDI

Explanation:The Audit Bean found an object at the JNDI name for the Data Source during initialization, but it was not a Data Source.
User Action:Ensure that the Session Bean ServiceRegistryAudit resource reference jdbc/auditDatabase is mapped to the audit database Data Source.

Error connecting to the database

Explanation:The Audit Bean encountered an error connecting to the audit database.
User Action:Check the preceeding log messages for the exception cause for the connection error for further details. Perform a test connection on the audit database Data Source from the WebSphere Application Server Integrated Solutions Console.

Error creating the jdbc statement

Explanation:The Audit Bean encountered an error creating a jdbc statement.
User Action:Check the preceeding log messages for the exception cause for the connection error for further details.

Other messages

These messages may be output by WebSphere components.

ReportDesign (id = 1): + Cannot open the connection for the driver: org.eclipse.birt.report.data.oda.jdbc Failed to get connection. SQL error #1: java.net.ConnectException : Error opening socket to server server name on port 1527 with message : Connection refused: connect

Explanation:The Tivoli Common Reporting server cannot connect to the audit database. The port 1527 indicates this is a Derby database. Either the Derby Network Server is not running on this port, or is not allowing connections.
User Action:Check the derby.log file located in $WAS_HOME/derby/derby.log. Ensure the following line has been logged: 
Server is ready to accept connections on port 1527.
This means the Derby Network Server is listening on the correct port.

If the TCR host is different to the WebSphere Application Server which runs the Derby Network Server and audit database, check the derby.properties file located in $WAS_HOME/derby/derby.properties, ensure the following line is uncommented: 

derby.drda.host=0.0.0.0
If the Derby Network Server cannot listen on port 1527 check the host network services for a service which may be using that port. Change the value in derby.properties to a different port and change the Data Source settings in TCR to use the new port number.

ReportDesign (id = 1): + Cannot open the connection for the driver: org.eclipse.birt.report.data.oda.jdbc Failed to get connection. SQL error #1: DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ040, SQLERRMC: Failed to start database $DB_NAME, see the next exception for details.::SQLSTATE: XSDB6Another instance of Derby may have already booted the database /opt/IBM/WebSphere/AppServer/derby/$DB_NAME

Explanation:The Tivoli Common Reporting server cannot connect to the audit database. There is already another Java Virtual Machine using the Derby audit database, so the Derby Network Server fails when it attempts to open the database.
User Action:Ensure that only the WebSphere Application Server upon which the Derby Audit database runs is running the Derby Network Server. Ensure that the startNetworkServer program is not running. This is typically located in $WAS_HOME/derby/bin/networkServer.