Audit Service

This page is a tutorial on how how to set up Blockdaemon's external audit server, and how to configure the MPC nodes in a TSM to post audit logs to the audit service.

Log in to Blockdaemon's docker registry

Start by login into Blockdaemon's private docker registry using the credentials you were provided:

docker login

Create Audit Server configuration

The TSMs will communicate with the Audit Server on port 3000, the logs can be queried on port 8000 and the Audit server will communicate with a MongoDB instance (or Amazon DocumentDB) on port 27017.

Start by generating a private/public keypair for the Audit Server:

$ openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out audit_private.key
$ openssl ec -inform DER -in audit_private.key -pubout -outform DER -out audit_public.key

Next, generate a new set of private/public keys for each of the TSMs used just for logging:

$ openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out audit_private0.key
$ openssl ec -inform DER -in audit_private0.key -pubout -outform DER -out audit_public0.key
$ openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out audit_private1.key
$ openssl ec -inform DER -in audit_private1.key -pubout -outform DER -out audit_public1.key
$ openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out audit_private2.key
$ openssl ec -inform DER -in audit_private2.key -pubout -outform DER -out audit_public2.key

Get the Audit Server private key in base64:

$ openssl base64 -A -in audit_private.key; echo

Then get the all the nodes' base64 encoded public keys:

$ openssl base64 -A -in audit_public0.key; echo
$ openssl base64 -A -in audit_public1.key; echo
$ openssl base64 -A -in audit_public2.key; echo

And lastly, a random password for accessing the Audit Server:

LC_ALL=C tr -cd "[:alnum:]" < /dev/urandom | fold -w24 | head -n1

Finally, fill all of the above into the template below and save it to a file called config.toml

Host = "<mongodb hostname>"
Username = "<mongodb username>"
Password = "<mongodb password>"

Port = 3000
PrivateKey = "<audit server private key base64>"

Port = 8000
CertificateFile = ""      #HTTPS disabled
CertificateKeyFile = "" # HTTP disabled

Password = "<random password>"
PublicKeys = [
  "<tsm0 audit public key as base64>",
  "<tsm1 audit public key as base64>",
  "<tsm2 audit public key as base64>"

Host configuration

The Host field can be used for setting any configuration option, which the mongo-go-driver will accept. For instance ssl can be added, by specifying

  Host = "hostname:27017/?ssl=true&tlsCAFile=ca-bundle.pem"
  Username = "<mongodb username>"
  Password = "<mongodb password>"

When running via Docker, you can mount the folder containing the .pem file, and point to the absolute file path in Host, remember to URI encode the path.

Further inspiration can be found here:

Update TSM Configuration

We need to add an [Audit] section to the TSM configurations we already have.

For each to the three TSMs we need to first get the Audit Server public key as base64:

$ openssl base64 -A -in audit_public.key; echo

the TSM audit private key as base64:

$ openssl base64 -A -in audit_private0.key; echo

and a random signing seed:

$ openssl rand -base64 32

That is all plugged in to the template bellow, and inserted in to the TSM configuration file that we made earlier.

ReceiverURL = "https://<audit server hostname>:<audit server logging port>/log"
ReceiverPublicKey = "<audit server public key>"
ClientPrivateKey = "<TSM audit private key>"
LogEntrySigningKeySeed = "<random signing seed>"
MaxBatchSize = 50
MinWaitTime = "5s"
MaxWaitTime = "2m"

Start the Audit Server

Add the following to the docker-compose file we made earlier, insert mongodb username and password, and restart:

    image: mongo
    command: --noscripting
    restart: always
      - /srv/audit-server/db/:/data/db
      MONGO_INITDB_ROOT_USERNAME: <mongo username>
      MONGO_INITDB_ROOT_PASSWORD: <mongo password>
      - 8000:8000/tcp
      - 3000:3000/tcp
    restart: always
      - ./config.toml:/config/config.toml


To query the server basic authentication is required. The username is the name of the TSM in the configuration file.

A query is on the form


Where FILTER is replaced by a MongoDB search filter, and OPTIONS is replaced by MongoDB find options (see Remember to URL encode values.
Retrieve two log entries with a session id, showing the sessionID, timestamp, and keyID:

https://HOST:QUERY_PORT/logs?filter={"sessionID": {"$neq": null}}&options={"limit": 2, "projection": {"_id": 0, "sessionID": 1, "timestamp": 1, "keyID": 1 }}

Retrieve all logs without a session id, showing the userID, and the operation:

https://HOST:QUERY_PORT/logs?filter={"sessionID": {"$eq": null}}&options={"projection": {"_id": 0, "userID": 1, "operation": 1}}