Sign Kong Gateway audit logs with an RSA key
Generate an RSA key pair and set the path to the private key as the value of the audit_log_signing_key parameter in kong.conf.
Prerequisites
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
- Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
- Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Audit logging
This tutorial requires audit logging. To enable it, add the following line to kong.conf:
audit_log = on
Once this is done, restart the Kong Gateway container:
docker restart kong-quickstart-gateway
Generate a key pair
Use OpenSSL to generate a private key to sign logs and a public key to verify signatures:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Add the private key to your container
Use the following command to add the private key to the Kong Gateway Docker container:
docker cp private.pem kong-quickstart-gateway:/usr/local/kong
Enable audit log signing
Add the following line to kong.conf to sign audit logs using the private key we created:
audit_log_signing_key = /usr/local/kong/private.pem
Once this is done, restart the Kong Gateway container to apply the change:
docker restart kong-quickstart-gateway
Validate
To validate, start by sending any request to the Admin API to generate an audit log entry. For example:
curl "http://localhost:8001/status"
Then request the audit logs and check that the entry contains a signature:
curl "http://localhost:8001/audit/requests"
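The point of signing is that a reader holding only public.pem can detect a modified or forged record. The following script is an added example and is not part of the Kong documentation or Kong's own code: it runs the same openssl key generation as above, signs a constructed sample record with the private key, and shows that verification with the public key succeeds for the intact record and fails for a tampered copy. It assumes plain RSA/SHA-256 over the raw record bytes with a base64-encoded signature; Kong's exact record canonicalisation and signature encoding are not reproduced here, so adapt the sign/verify helpers before applying them to real /audit/requests output.

```shell
#!/bin/sh
# Added example, not Kong's own code. Demonstrates the sign-with-private-key /
# verify-with-public-key round trip that audit_log_signing_key relies on.
# Assumption: RSA/SHA-256 over the raw record bytes, base64-encoded signature.
set -eu

WORKDIR=$(mktemp -d)

# Same key generation commands as the tutorial.
gen_keys() {
  openssl genrsa -out "$WORKDIR/private.pem" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/private.pem" -outform PEM -pubout \
    -out "$WORKDIR/public.pem" 2>/dev/null
}

# Sign a record string with the private key; print the base64 signature.
sign_record() {
  printf '%s' "$1" | openssl dgst -sha256 -sign "$WORKDIR/private.pem" \
    | openssl base64 -A
}

# Verify a record string against a base64 signature using only the public key.
# Returns 0 when the signature matches, non-zero otherwise.
verify_record() {
  record=$1
  sig_b64=$2
  printf '%s' "$sig_b64" | openssl base64 -d -A > "$WORKDIR/sig.bin"
  printf '%s' "$record" | openssl dgst -sha256 -verify "$WORKDIR/public.pem" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Constructed sample record; its shape is illustrative, not Kong's exact schema.
SAMPLE='{"request_id":"constructed-0001","method":"GET","path":"/status","status":200}'
# Same record with one field altered after signing.
TAMPERED='{"request_id":"constructed-0001","method":"GET","path":"/status","status":500}'

gen_keys
SIG=$(sign_record "$SAMPLE")

# Intact record verifies (exit status 0).
check_intact() { verify_record "$SAMPLE" "$SIG"; }

# Tampered record must be rejected; returns 0 only if verification fails.
check_tampered() {
  if verify_record "$TAMPERED" "$SIG"; then return 1; else return 0; fi
}

if check_intact; then echo "intact record: Verified OK"; fi
if check_tampered; then echo "tampered record: rejected"; fi
```

Keep private.pem readable only by the Kong process (it is the signing secret) and distribute public.pem to whoever audits the logs; the verify step needs nothing else.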
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d