Configuration Logging


The Configuration Logging feature allows you to keep track of administrative changes made to your server farm environment. By generating the reports that this feature makes available, you can determine what changes were made to your server farm, when they were made, and which administrators made them. This is especially useful when multiple administrators are modifying the configuration of your server farm. It also facilitates the identification and, if necessary, reversion of administrative changes that may be causing problems for the server farm.

When this feature is enabled for a licensed server farm, administrative changes initiated from the following components lead to the creation of log entries in a central Configuration Logging database:

  • Citrix AppCenter
  • some command-line utilities
  • tools custom built with SDKs

Before you enable the Configuration Logging feature:

  • Determine the level of security and control you need over the configuration logs. This determines if you need to set up additional database user accounts and if you want to make XenApp administrators enter credentials before clearing logs.
  • Determine how strictly you want to log tasks; for example, if you want to log administrative tasks and if you want to allow administrators to make changes to a farm if the task cannot be logged (for example, if the database is disconnected).
  • Determine if you want to allow administrators to be able to clear configuration logs and if you want them to have to supply credentials for this purpose. This requires the permission to Edit Configuration Logging settings.

Important: To securely store the credentials used for accessing the Configuration Logging database, you can enable the IMA encryption feature when you deploy your server farm. After this is enabled, however, you cannot disable it without losing the data it encrypted. Citrix recommends that you configure IMA encryption before the Configuration Logging feature is configured and used.

To enable the Configuration Logging feature:

  • Set up the Configuration Logging database
  • Define the Configuration Logging database access permissions
  • Configure the Configuration Logging database connection
  • Set the Configuration Logging properties
  • Delegate administrative permissions, as needed

The Configuration Logging feature, after it is properly enabled, runs in the background as administrative changes trigger entries in the Configuration Logging database. The only activities that are initiated by the user are generating reports, clearing the Configuration Logging database, and displaying the Configuration Logging properties.

To generate a configuration logging report, use the PowerShell command Get-CtxConfigurationLogReport. For more information, see help for Get-CtxConfigurationLogReport or Windows PowerShell with Common Commands.

To configure the connection to the Configuration Logging database

After the Configuration Logging database is set up by your database administrator and the appropriate database credentials are provided to XenApp, use the Configuration Logging Database wizard to configure the connection to the database.

  1. From the AppCenter, select a farm.
  2. From the Action menu, select Farm properties.
  3. Click Configuration Logging.
  4. Click Configure Database. The wizard opens.
  5. Select the connection type (SQL Server or Oracle). For SQL Server, use the drop-down list to select a SQL Server; for Oracle, select a net service name (from the Oracle tnsnames.ora client file). You can also type the entry.
  6. (SQL Server only) Select an authentication mode: Windows integrated security (recommended) or SQL Server authentication.
  7. Enter a valid user name and password for the database. Credentials are always required (even if you are using Windows Integrated Authentication with SQL Server). The credentials are stored using the IMA encryption feature. Each server that creates log entries uses the credentials to connect to the Configuration Logging database.
  8. (SQL Server only) Select or type the name of the database.
  9. Configure connection options and connection pooling options. You can use the default values for these settings. (For SQL Server, the possible exception is Use encryption. For security reasons, the default value is Yes; however, if the database server to which you are connecting does not support encryption, the connection will fail. Click Test Database Connection on the summary page to check for encryption support.)
  10. Click Test Database Connection. A display indicates whether or not the connection was established successfully.

After you configure the connection to the Configuration Logging database, you cannot set the database back to None. To stop logging, clear the Log administrative tasks to Configuration Logging database check box in the Configuration Logging dialog box.
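The encryption check from step 9 can also be run outside the wizard. The following is an added example, not part of the original Citrix documentation: it opens an encrypted connection to the SQL Server and reports whether the session is actually encrypted. The server name, database name, and the use of the current Windows account are assumptions.

```powershell
# Added example (not Citrix code): check that the Configuration Logging
# SQL Server accepts an encrypted connection before relying on "Use encryption".
# $SqlServer and $Database are hypothetical placeholders.
$SqlServer = 'SQLHOST01'
$Database  = 'XenAppConfigLog'

Add-Type -AssemblyName System.Data

function Test-ConfigLogDbEncryption {
    param([string]$Server, [string]$Db)

    # Build the string with the builder so names are quoted correctly.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']            = $Server
    $b['Initial Catalog']        = $Db
    $b['Integrated Security']    = $true   # runs as the current Windows user
    $b['Encrypt']                = $true   # fail instead of falling back to cleartext
    $b['TrustServerCertificate'] = $false  # also validate the server certificate
    $b['Connect Timeout']        = 15

    $result = New-Object PSObject -Property @{
        Server = $Server; Connected = $false; Encrypted = $null; AuthScheme = $null; Error = $null
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ToString())
    try {
        $conn.Open()
        $result.Connected = $true
        # sys.dm_exec_connections needs VIEW SERVER STATE; without it the
        # query fails and only the Connected flag is meaningful.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.Encrypted  = [string]$reader['encrypt_option']  # 'TRUE' or 'FALSE'
            $result.AuthScheme = [string]$reader['auth_scheme']     # e.g. KERBEROS, NTLM
        }
        $reader.Close()
    }
    catch {
        # Typical causes: server has no usable certificate, or it is not trusted.
        $result.Error = $_.Exception.Message
    }
    finally {
        $conn.Close()
    }
    $result
}

Test-ConfigLogDbEncryption -Server $SqlServer -Db $Database
```

A result with Connected set to False and a certificate or encryption error corresponds to the failure the wizard reports when the database server does not support encryption.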

To set Configuration Logging properties

Before you set Configuration Logging properties, configure the database and the connection to the database. Otherwise, the Configuration Logging property fields are not active.

Full Citrix administrators can edit the Configuration Logging settings and clear the log, or they can authorize other administrators to perform these tasks by assigning them the delegated administration Edit Configuration Logging Settings permission. Without this permission, ordinary administrators cannot perform these functions.

  1. From the AppCenter, select a farm.
  2. From the Action menu, select Farm properties.
  3. Click Configuration Logging.
  4. To enable Configuration Logging, select the Log administrative tasks to Configuration Logging database check box. If you want administrators to be able to make changes to the server farm when log entries cannot be saved to the Configuration Logging database, select the Allow changes to the farm when logging database is disconnected check box.
  5. To prompt administrators to enter their credentials before clearing the log, select the Require administrators to enter database credentials before clearing the log check box.

Encrypting Configuration Logging Data

Independent Management Architecture (IMA) is the underlying architecture used in XenApp for configuring, monitoring, and operating all XenApp functions. The IMA data store stores all XenApp configurations.

IMA encryption protects administrative data used by Configuration Logging. This information is stored in the IMA data store. For IT environments with heightened security requirements, using IMA encryption provides a higher degree of security for Configuration Logging. Examples include environments that require strict separation of duties or where the Citrix administrator should not have direct access to the Configuration Logging database.

IMA encryption is a farm-wide setting that applies to all servers in the farm after encryption is enabled. Consequently, to use IMA encryption, you must enable it on all servers in the farm. IMA encryption has the following components:




CTXKEYTOOL

Also known as the IMA encryption utility, CTXKEYTOOL is a command-line utility you use to manage IMA encryption and generate key files. CTXKEYTOOL is in the Support folder of the XenApp media.

Key file

The key file contains the encryption key used to encrypt sensitive IMA data. You create the key file using CTXKEYTOOL. To preserve the integrity of the encryption, Citrix recommends that you keep the key file in a secure location and that you do not freely distribute it.


The same valid IMA encryption key must be loaded on all servers in the farm if IMA encryption is enabled. After copying the key file to a server, you load the key by using CTXKEYTOOL.

Configuring IMA encryption includes the following tasks:

  • On the first server in a farm (that is, the server on which you create the farm during XenApp configuration), generate a key file, load the key, and enable it
  • Make the key file accessible to other servers in the farm or put it on a shared network location
  • Load the key onto other servers in the farm (that is, the servers that join the farm during configuration)

Citrix recommends that if you are enabling IMA encryption in environments that have multiple farms, you give the key for each farm a different name.
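Because the key file may sit on a shared network location and the same key must reach every server, it is worth auditing the copies. The following is an added example, not part of the original Citrix documentation: it lists NTFS access entries outside an allowlist and confirms that each copy is byte-identical to the reference file. All paths and account names are hypothetical.

```powershell
# Added example (not Citrix code): audit copies of an IMA encryption key file.
# All paths and account names below are hypothetical placeholders.
$ReferenceKey = '\\fileserver\imakeys$\farm1.key'
$OtherCopies  = @('\\xa-srv02\c$\imakeys\farm1.key')
$AllowedIds   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    }
    finally { $sha.Clear() }
}

function Get-KeyFileAudit {
    param([string]$Path, [string]$ExpectedHash, [string[]]$Allowed)
    # Get-Acl reports NTFS permissions only; share permissions are separate.
    $acl = Get-Acl -Path $Path
    $extra = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.Value
    } | ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights })

    New-Object PSObject -Property @{
        Path             = $Path
        Owner            = $acl.Owner
        MatchesReference = ((Get-Sha256Hex $Path) -eq $ExpectedHash)
        UnexpectedAccess = ($extra -join '; ')
    }
}

# The hash is only compared, never displayed or stored.
$refHash = Get-Sha256Hex $ReferenceKey
@($ReferenceKey) + $OtherCopies | ForEach-Object {
    Get-KeyFileAudit -Path $_ -ExpectedHash $refHash -Allowed $AllowedIds
} | Format-List Path, Owner, MatchesReference, UnexpectedAccess
```

Any entry in UnexpectedAccess, or a copy where MatchesReference is False, should be resolved before the key is loaded on further servers.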

Storing CTXKEYTOOL Locally

  1. Copy the CTXKEYTOOL.exe file from the Support folder of XenApp media to your local computer.
  2. Create a folder named Resource at the same level in your directory structure as the CTXKEYTOOL file.
  3. Copy the entire Support\Resource\en folder to the new Resource folder.

You can store the CTXKEYTOOL.exe file and the Resource\en folder anywhere on your computer, provided you maintain the same relative directory structure used on the media.
