6.2 The Identity Audit AudCGen Utility

IMPORTANT: There are many versions of the AudCGen utility. This section documents the version of AudCGen that is available with Identity Audit 2.0.2 FP2. If you are using a different version of AudCGen, refer to the help file for that version.

The AudCGen utility must be used to create and sign Identity Audit certificates. The following table describes the AudCGen command parameters:

Table 6-1 AudCGen Command Parameters

Each entry below gives the parameter followed by its description.

app
    Generates a certificate key pair for instrumented applications.
    It creates the app_cert.pem and app_pkey.pem files under the base path.

-appcert:filename
    The output path and filename for the logging application's certificate.
    The default filename is app_cert.pem. The default path is platform-specific and can be changed by using the -base parameter.

-apppkey:filename
    The output path and filename for the logging application's private key.
    The default filename is app_pkey.pem. The default path is platform-specific and can be changed by using the -base parameter.

-base
    The base path used when reading from or writing to files.
    The default path is platform-specific.

-bits:RSA_key_size
    The RSA key size, in bits, used during certificate creation.
    Values of 384-4096 are accepted. The default value is 1024.

-cacert:filename
    The path and filename of the public certificate used by the Identity Audit Secure Logging Server. The Secure Logging Server's certificate key pair must be provided when generating a certificate key pair for a logging application.
    The default filename is ca_cert.pem. The default path is platform-specific and can be changed by using the -base parameter.

-capkey:filename
    The path and filename of the private key used by the Identity Audit Secure Logging Server. The Secure Logging Server's certificate key pair must be provided when generating a certificate key pair for a logging application.
    The default filename is ca_pkey.pem. The default path is platform-specific and can be changed by using the -base parameter.

csr:filename
    Generates a Certificate Signing Request (CSR) for the Identity Audit Secure Logging Server that can be signed by a third-party CA. It also generates the certificate's private key.
    The default CSR filename is ca_csr.pem. The default private key filename is ca_pkey.pem. The default path is platform-specific and can be changed by using the -base parameter.

-csrfile:filename
    The filename of the CSR for the Identity Audit Secure Logging Server.
    The default CSR filename is ca_csr.pem.

-csrpkey:filename
    The filename of the private key used with the signed CSR for the Identity Audit Secure Logging Server.
    The default private key filename is ca_pkey.pem.

-f
    Force overwrite.
    AudCGen overwrites any existing certificates or private keys of the same name (for example, app_cert.pem or app_pkey.pem) in the output directory.
    This parameter is optional.
    If you do not use the -f parameter and a file of the same name already exists, AudCGen aborts creation of the certificate.

-h|?
    Displays the AudCGen help screen.

-name:application_identifier
    IMPORTANT: This parameter is required when creating certificates for logging applications such as Identity Manager.
    The logging application's application identifier.
    The application identifier is the application name that appears in the first line of the application's corresponding .lsc file.
    NOTE: This value matches the Application Identifier stored in Identity Manager's Application object.
    For example, the first line of the .lsc file for Identity Manager is

        #^Identity Manager^0003^DirXML^EN

    The application identifier is the name after the third caret in this line.
    The application identifier for Identity Manager is DirXML.

-sn:number
    Sets a serial number for the generated certificate. This can be useful in maintaining and tracking your system's certificates.
    This parameter is optional.

ss
    Generates a self-signed root certificate key pair for the Identity Audit Secure Logging Server. This option uses the internal Identity Audit CA.
    NOTE: Do not use this option if you want to use a certificate signed by a third-party CA.

-valid:number
    Specifies the number of days for which the generated public certificate is valid.
    The default value is 10 years.

-verbose
    Displays the contents of the certificates.

verify
    Verifies the certificate signing chain between the root certificate used by the Secure Logging Server and the Identity Manager certificates.
    NOTE: This option performs only partial verification when verifying third-party certificates. For additional information, see Validating Certificates.
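The following added example (not part of the Identity Audit documentation or the AudCGen tool) shows how a provisioning script can derive the -name value from the .lsc header line and assemble an `audcgen app` invocation while enforcing the rules listed above: the Secure Logging Server key pair must be present, -bits must lie in 384-4096, and existing output files are only overwritten with -f. The executable name `audcgen`, the 2048-bit default and the placeholder PEM files are this example's assumptions; the command is built but not run.

```python
import tempfile
from pathlib import Path

# Constructed sample: the Identity Manager .lsc header line quoted above.
SAMPLE_LSC_LINE = "#^Identity Manager^0003^DirXML^EN"


def application_identifier(lsc_first_line):
    """Return the application identifier: the field after the third caret."""
    fields = lsc_first_line.rstrip("\r\n").split("^")
    if len(fields) < 4 or not fields[0].startswith("#"):
        raise ValueError("not a .lsc header line: %r" % lsc_first_line)
    return fields[3]


def plan_app_certificate(lsc_first_line, base_dir, bits=2048,
                         valid_days=None, force=False, exe="audcgen"):
    """Build argv for 'audcgen app' (not executed) under the documented rules.
    2048 bits is this example's default; the tool itself defaults to 1024."""
    if not 384 <= bits <= 4096:
        raise ValueError("-bits must be 384..4096, got %d" % bits)
    base = Path(base_dir)
    ca_cert, ca_pkey = base / "ca_cert.pem", base / "ca_pkey.pem"
    for required in (ca_cert, ca_pkey):      # SLS key pair must be provided
        if not required.is_file():
            raise FileNotFoundError("missing SLS key pair file: %s" % required)
    app_cert, app_pkey = base / "app_cert.pem", base / "app_pkey.pem"
    clobbered = [p.name for p in (app_cert, app_pkey) if p.exists()]
    if clobbered and not force:               # AudCGen aborts without -f
        raise FileExistsError("would overwrite %s; use force=True (-f)" % clobbered)
    argv = [exe, "app", "-name:" + application_identifier(lsc_first_line),
            "-cacert:%s" % ca_cert, "-capkey:%s" % ca_pkey,
            "-appcert:%s" % app_cert, "-apppkey:%s" % app_pkey, "-bits:%d" % bits]
    if valid_days is not None:
        argv.append("-valid:%d" % valid_days)
    if force:
        argv.append("-f")
    return argv


def demo():
    """Run both the success and the refuse-to-overwrite path in a scratch dir."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("ca_cert.pem", "ca_pkey.pem"):   # placeholder, not real PEM
            (Path(tmp) / name).write_text("PLACEHOLDER CA FILE\n")
        first = plan_app_certificate(SAMPLE_LSC_LINE, tmp, valid_days=365)
        (Path(tmp) / "app_cert.pem").write_text("PLACEHOLDER APP CERT\n")
        try:
            plan_app_certificate(SAMPLE_LSC_LINE, tmp)
            refused = False
        except FileExistsError:
            refused = True
        second = plan_app_certificate(SAMPLE_LSC_LINE, tmp, force=True)
    return first, refused, second
```

`demo()` returns the first argv, whether the unforced rerun was refused, and the forced argv; pass a returned list to `subprocess.run()` to actually create the key pair.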