Sign Kong Gateway audit logs with an RSA key
Generate an RSA key pair and set the path to the key as the value of the audit_log_signing_key parameter in kong.conf.
Prerequisites
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
- Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
- Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
Audit logging
This tutorial requires audit logging. To enable it, add the following line to kong.conf:
audit_log = on
Once this is done, restart the Kong Gateway container:
docker restart kong-quickstart-gateway
Generate a key pair
Use OpenSSL to generate a private key to sign logs and a public key to verify signatures:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Add the private key to your container
Use the following command to add the private key to the Kong Gateway Docker container:
docker cp private.pem kong-quickstart-gateway:/usr/local/kong
Enable audit log signing
Add the following line to kong.conf to sign audit logs using the private key we created:
audit_log_signing_key = /usr/local/kong/private.pem
Once this is done, restart the Kong Gateway container to apply the change:
docker restart kong-quickstart-gateway
Validate
To validate, start by sending any request to generate an audit log entry. For example:
curl "http://localhost:8001/status" \
--no-progress-meter --fail-with-body
Then request the audit logs and check that the entry contains a signature:
curl "http://localhost:8001/audit/requests" \
--no-progress-meter --fail-with-body
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
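As an added example (not part of the Kong tutorial), the following script shows what the key pair from the "Generate a key pair" step does and why the Validate step matters: the private key signs a record, only the matching public key verifies it, and any change to the record after signing makes verification fail. The record content is a constructed stand-in, since the exact bytes Kong canonicalizes before signing are not described on this page.

```shell
#!/bin/sh
# Added example: sign and verify a record with an RSA key pair generated the
# same way as in the tutorial. Assumption: the record text below is constructed
# and does not reproduce Kong's own canonical form of an audit log entry.
set -e
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

make_keypair() {
  # Same two openssl commands as the tutorial, written to a scratch directory.
  openssl genrsa -out "$WORKDIR/private.pem" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/private.pem" -outform PEM -pubout \
    -out "$WORKDIR/public.pem" 2>/dev/null
}

sign_record() {
  # $1 = record text. Prints a base64 RSA-SHA256 signature made with the private key.
  printf '%s' "$1" | openssl dgst -sha256 -sign "$WORKDIR/private.pem" | openssl base64 -A
}

verify_record() {
  # $1 = record text, $2 = base64 signature. Returns 0 only if the public key
  # confirms the signature was produced over exactly this record text.
  printf '%s' "$2" | openssl base64 -d -A > "$WORKDIR/sig.bin"
  printf '%s' "$1" | openssl dgst -sha256 -verify "$WORKDIR/public.pem" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Constructed sample record and a tampered copy (status code changed after signing).
RECORD='{"method":"GET","path":"/status","status":200}'
TAMPERED='{"method":"GET","path":"/status","status":500}'

make_keypair
SIG=$(sign_record "$RECORD")
verify_record "$RECORD" "$SIG" && echo "original record: signature valid"
verify_record "$TAMPERED" "$SIG" || echo "tampered record: signature rejected"
```

Anyone holding only public.pem can run the verify step, which is why the private key stays inside the gateway and the public key is what you hand to whoever audits the logs.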