How to enable Audit Log in SignServer-ce docker container?

[jfrlb]

Hello,
we are investigating docker based deployment for production use and thus would like to enable audit logging.
We realized the ENV variable LOG_AUDIT_TO_DB, but that does not seem to have any impact, is that correct?

We also tried editing cesescore.properties but it looks like changes in this file are not read, as allow.external-dynamic.configuration seems to be off in the container image?

The default cesescore.properties seems to look like this:

\# Allow override of CESeCore config files from /etc/cesecore/conf/
\# FIXME: DSS-2377
\# allow.external-dynamic.configuration=true

Are we missing something?

Thank you very much for any hints and suggestions in advance!
Jan

[netmackan]

Hello Jan,

I can not answer directly for the LOG_AUDIT_TO_DB ENV, maybe somebody else knows more of its function in the container packaging and can jump in?

Regarding the allow.external-dynamic.configuration is not supported in any packaging of SignServer actually. For SignServer it normally would not be needed as any change in conf/*.properties would be included after a call to bin/ant deploy-ear. However, the current container packaging uses a pre-build signserver.ear file and do not call bin/ant deploy-ear so the cesecore.properties file is built-into one of the JAR files under signserver.ear and could be a bit tricky to find in the container.

We are discussing if we should change the container packaging to configure the signserver.ear during startup so that all properties are read from conf/signserver_deploy.properties and conf/cesecore.properties etc., as the current way also removes some other features.

The other solution of adding support for external configuration is tracked in DSS-1107 (Note the link might not be accessible currently due to system upgrade but I am including it here for reference for when it comes back).

[netmackan]

A similar issue is also discussed in #12

[jfrlb]

Hello,
is there any news on this matter? Using the latest SignServer-ce docker image we are still facing the same issue.

Thanks
Jan

[netmackan]

This is actually being worked on at the moment. First step of making it possible to configure the container using signserver_deploy.properties (and cesecore.properties etc.) has been shown to work but has not yet been merged to main. Next step is to try to configure the logging manually and possibly the last step to implement the mentioned environment variable.

[jfrlb]

Does the situation change with the latest signserver-6.3 release already?

[netmackan]

Yes, the keyfactor/signserver-ce (6.3.0 / sha256:bbf89c1de6de142a8922631c8e1e397e1f076c7c3a63bdedb3d557bda5ceb9ff) container now support "-e LOG_AUDIT_TO_DB=true". But note that there was one more update made to the image today for this to work so if you pulled it earlier you need to pull the updated image for this to work.