payShield 9000 auditlog

Feb 25, 2011 at 9:16 PM

Hello,

Does anyone know how the auditlog gets created, and how to retrieve it?

I think the Q2 host command is used to create the auditlog, but I am not sure. And if it does, then how do you retrieve it? Or how do you get the messages out of the auditlog?

Thanks very much,

Editor
Mar 1, 2011 at 2:42 PM

Hi!


Audit logs create themselves, and show the activities done on the HSM.

The Q2 command is used to retrieve audit logs.

The best way to get messages from the audit log is to connect to the console and use the command AUDITLOG (it can be done in Online mode).

Mar 1, 2011 at 2:48 PM

Yes, and I did that. But what I am trying to do is write a C# program to retrieve the messages from the auditlog and put them in a file.

So basically, I want to capture the messages from the AUDITLOG command. I am not sure how to do that.

Do you have sample VB or C# code to do that?

Thanks for your help.

Editor
Mar 1, 2011 at 3:12 PM

Sorry, I am not a programmer.

The only thing I can help you with is describing the response (because the host request to send is just Q2).

Coordinator
Mar 1, 2011 at 3:23 PM
Edited Mar 1, 2011 at 3:23 PM

Didn't the reply in the other thread solve the problem of connecting to the HSM/Simulator to send/receive commands and replies? If not, please say so and we'll create a sample C# project for you. Or does the problem have to do with the exact contents of the Q2 command?

Mar 1, 2011 at 3:29 PM

No it didn't. The replies from Q3 are not what I wanted. Maybe I didn't do it correctly, I am not sure, but if you have a sample C# program that would be awesome.

Thanks for your help again.


Coordinator
Mar 1, 2011 at 7:44 PM

1. Start a C# console application project.

2. Add a reference to ThalesCore.dll.

3. Paste the following code in Program.cs:


using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using ThalesSim.Core.TCP;

namespace ConsoleApplication1
{
    class Program
    {
        static WorkerClient thales;
        static string response;

        static void Main(string[] args)
        {
            Console.Write("Thales IP (enter for 127.0.0.1): ");
            string thalesIP = Console.ReadLine();
            if ("" == thalesIP)
                thalesIP = "127.0.0.1";

            Console.Write("Thales port (enter for 9998): ");
            string thalesPort = Console.ReadLine();
            if ("" == thalesPort)
                thalesPort = "9998";

            Console.Write("Thales command, excluding header (enter for HSM status command): ");
            string thalesCommand = Console.ReadLine();
            if ("" == thalesCommand)
                thalesCommand = "0000NO00";
            else
                thalesCommand = "0000" + thalesCommand;

            try
            {
                thales = new WorkerClient(new TcpClient(thalesIP, Convert.ToInt32(thalesPort)));
                thales.MessageArrived += new WorkerClient.MessageArrivedEventHandler(thales_MessageArrived);
                thales.InitOps();

                response = "";
                thales.send(thalesCommand);
                while (("" == response) && (thales.IsConnected))
                {
                    System.Threading.Thread.Sleep(5);
                }

                thales.TermClient();
                thales = null;

                Console.Write("Response: [" + response + "]");
            }
            catch (Exception ex)
            {
                Console.Write("Exception: " + ex.ToString());
            }

            Console.ReadLine();
        }

        static void thales_MessageArrived(WorkerClient sender, ref byte[] b, int len)
        {
            response = System.Text.ASCIIEncoding.GetEncoding(System.Globalization.CultureInfo.CurrentCulture.TextInfo.ANSICodePage).GetString(b, 0, len);
        }
    }
}

4. Run the program.

This will work with a header length of 4. The defaults correspond to the default settings of the simulator running in the local machine, so starting the simulator and pressing enter three times should produce the following:

Thales IP (enter for 127.0.0.1):
Thales port (enter for 9998):
Thales command, excluding header (enter for HSM status command):
Response: [0000NP003150007-E00000001]

Please let me know if this helps.


Mar 1, 2011 at 10:12 PM

Thank you very, very much for your help.

The response that I get is

Response: [0000Q30000000002185916041110435340003030148205A5DC870735EB65EEEE06498DFBEEBAC32D9BAA1932]

Which is not what I really wanted. What I want is the result of the auditlog command when entered in the console.

I want to capture these messages. Is it impossible to capture the messages below?

Counter   Time      Date         Command/Event
----------------------------------------------------------
00000000  18:58:32  04/Nov/2010  Console command CH
00000001  18:58:54  04/Nov/2010  Console command LK
00000002  18:59:16  04/Nov/2010  Console command CS
00000003  18:59:46  04/Nov/2010  HSM authorisation was cancelled for LMK id 0
00000004  18:59:46  04/Nov/2010  HSM authorisation was cancelled for LMK id 1
00000005  18:59:46  04/Nov/2010  HSM authorisation was cancelled for LMK id 2
00000006  18:59:46  04/Nov/2010  HSM authorisation was cancelled for LMK id 3


Coordinator
Mar 1, 2011 at 11:58 PM

I'm not familiar with Q2 results, perhaps Manshtein could provide more assistance. However, perhaps you should check out the audit record format in the host command reference manual, I think you're getting some meaningful information back.

0000Q30000000002185916041110435340003030148205A5DC870735EB65EEEE06498DFBEEBAC32D9BAA1932 could be broken down.

0000Q300: Command response indicating success.

00000002: Counter is 2 (corresponding to the third line in your message dump).

185916: Time 18:59:16

041110: Date 04/11/10

4353: This is hex, in decimal it's 67 83 which, if you translate to ASCII, is "CS" which is the command entered.

4000: This is 0100000000000000 in binary. First two significant bits "01" indicate a console command. Next bit "0" indicates that the audit record is not archived. Next bit "0" indicates that the audit record was not retrieved. Rest of the bits are set to zero.

3030: This is hex, in decimal it's 48 48 which, translated to ASCII, is "00" which indicates the result of the CS command (success).

148205A5DC870735: The MAC over the previous fields.

EB65EEEE06498DFBEEBAC32D9BAA1932: The MAC key used to get the previous MAC.
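The field breakdown above, turned into a small parser. This is an added example, not code from this thread, written in Python rather than C# so it can be run as-is; the field widths, flag-bit positions and sample response are taken from the posts above, the record layout is assumed to be fixed-width, and only the "01" record type named in the post is decoded:

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed from the Q3 response quoted earlier in this thread (header length 4).
SAMPLE_RESPONSE = ("0000Q30000000002185916041110435340003030"
                   "148205A5DC870735EB65EEEE06498DFBEEBAC32D9BAA1932")

@dataclass
class AuditRecord:
    header: str
    error_code: str
    counter: int
    timestamp: datetime
    command: str
    record_type: str
    archived: bool
    retrieved: bool
    result: str
    mac: str
    mac_key: str

def _hex_ascii(h: str) -> str:
    """'4353' -> 'CS': each hex byte is one ASCII character."""
    return bytes.fromhex(h).decode("ascii")

def parse_q3_response(resp: str, header_len: int = 4) -> AuditRecord:
    """Split a Q3 reply into the fields described in the post (assumed fixed widths)."""
    header, body = resp[:header_len], resp[header_len:]
    if body[:2] != "Q3":
        raise ValueError(f"not a Q3 response: {body[:2]!r}")
    error_code = body[2:4]
    if error_code != "00":
        raise ValueError(f"HSM returned error code {error_code}")
    body = body[4:]
    if len(body) != 8 + 6 + 6 + 4 + 4 + 4 + 16 + 32:
        raise ValueError(f"unexpected record length {len(body)}")
    counter = int(body[0:8])
    ts = datetime.strptime(body[8:20], "%H%M%S%d%m%y")  # HHMMSS then DDMMYY
    command = _hex_ascii(body[20:24])
    flags = int(body[24:28], 16)  # 16 flag bits, e.g. 0x4000
    kind_bits = flags >> 14  # top two bits: 0b01 = console command (per the post)
    record_type = {1: "console command"}.get(kind_bits, f"unknown ({kind_bits:02b})")
    archived = bool(flags & 0x2000)   # third bit from the top
    retrieved = bool(flags & 0x1000)  # fourth bit from the top
    result = _hex_ascii(body[28:32])
    return AuditRecord(header, error_code, counter, ts, command, record_type,
                       archived, retrieved, result, body[32:48], body[48:80])

def format_record(rec: AuditRecord) -> str:
    """Render one record in the layout of the console AUDITLOG listing."""
    return (f"{rec.counter:08d}  {rec.timestamp:%H:%M:%S}  {rec.timestamp:%d/%b/%Y}  "
            f"{rec.record_type.capitalize()} {rec.command} (result {rec.result})")
```

Each Q3 reply yields one record, so a collector would call this once per response it receives.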

Mar 2, 2011 at 2:33 PM

Damn, Nick, you are the best! Now that I know how to read these things, I will write a program to translate them into a readable format.

My only question now is how come Q3 responds with only 1 line instead of multiple lines like the AUDITLOG console command.

Coordinator
Mar 2, 2011 at 4:11 PM
hsmnguyend wrote:

Damn, Nick, you are the best!

I keep telling my girlfriend that.

hsmnguyend wrote:

My only question now is how come Q3 responds with only 1 line instead of multiple lines like the AUDITLOG console command.

You got me there! Perhaps you should call the host command repeatedly?

Mar 3, 2011 at 2:56 AM

Yes, I have to call the host command repeatedly, but the problem is how many times do I need to call? If I can find out the number of rows in the auditlog file then I can do a while loop. Do you know if there is a way we can find out the number of rows in the auditlog file?


Coordinator
Mar 3, 2011 at 9:49 AM

I don't know that, I'm sorry. Perhaps the manual does provide an answer... or once you reach the end you get a specific Q3 error code?