(ZOS) SAF keyring support for audit signing and encryption
When auditing is enabled, audit records are written from both the servant region and the control region. If the certificate used for audit signing and encryption is stored in a SAF keyring, the keyring and the certificate must therefore be accessible to both the servant region RACF ID and the control region RACF ID. Note that signing audit records requires the private key, not just the public certificate, so the certificate must be usable, and not merely visible, from each region.
Determining the accessibility of the certificate
We must determine whether a certificate is accessible by both the servant and control region RACF IDs by reviewing the keyring information in RACF. There are multiple methods for determining whether a certificate is accessible. Complete one of the following processes:
- Use the following RACDCERT LISTRING commands to list the certificates connected to each RACF ID's keyring, then compare the two listings:
RACDCERT ID(CRRACFID) LISTRING(keyring_name)
RACDCERT ID(SRRACFID) LISTRING(keyring_name)
- CRRACFID is the control region RACF ID
- SRRACFID is the servant region RACF ID
- keyring_name is the specified key ring
- List the certificate itself in RACF. The RACDCERT LIST output shows, under the ring associations, every keyring the certificate is connected to together with the RACF ID that owns that keyring; check that both the servant and control region RACF IDs appear:
RACDCERT CERTAUTH LIST(LABEL('certificate_label'))
Specify CERTAUTH only if the certificate is a certificate-authority certificate. A personal certificate is owned by a RACF ID, so list it with RACDCERT ID(owner_id) LIST(LABEL('certificate_label')) instead.
If the certificate is connected to one RACF ID's keyring but not to the other's, connect it to the missing keyring with the RACDCERT CONNECT command. The ID() outside CONNECT names the owner of the keyring being added to; the ID() inside CONNECT names the owner of the certificate. For example, to make a certificate owned by the control region RACF ID available in the servant region RACF ID's keyring:
RACDCERT ID(SRRACFID) CONNECT(ID(CRRACFID) LABEL('certificate_label') RING(keyring_name) DEFAULT)
DEFAULT makes the certificate the default certificate of that keyring; omit it if another certificate must remain the default. Connecting a certificate when the certificate or the keyring belongs to a different RACF ID requires the appropriate (higher) access to the IRR.DIGTCERT.CONNECT profile in the FACILITY class. Also keep in mind that a certificate owned by another RACF ID is available in the ring as a public certificate; whether the ring owner can also use the private key, which audit signing requires, depends on the certificate's ownership and on the RACF authorizations in place.
For auditing, a keystore object must be associated with the keyring in WebSphere Application Server. If no keystore object is associated with the keyring, create the association in the administrative console or with the createKeyStore wsadmin command. See the keystore settings or the KeyStoreCommands command group.
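The following script is an added example for the listing and CONNECT steps above; it is not code from the WebSphere or RACF documentation. It parses the captured output of the two RACDCERT LISTRING commands, reports for each region whether the audit certificate is connected to its keyring and whether that region owns the certificate (and so can sign with it), and builds the CONNECT command for a missing side. The column layout of LISTRING output assumed by the parser (label, Cert Owner, USAGE, DEFAULT), the simplified private-key rule, and the two listings are assumptions and constructed samples; check them against your RACF release.

```python
"""Decide from two RACDCERT LISTRING outputs whether an audit certificate is
usable by both WebSphere z/OS regions (added example, not IBM code)."""
import re

# Constructed sample: output of RACDCERT ID(CRRACFID) LISTRING(WASKeyring)
CR_LISTING = """\
Digital ring information for user CRRACFID:

  Ring:
       >WASKeyring<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  AuditSigner                        ID(CRRACFID)   PERSONAL     YES
  WebSphereCA                        CERTAUTH       CERTAUTH     NO
"""

# Constructed sample: output of RACDCERT ID(SRRACFID) LISTRING(WASKeyring)
SR_LISTING = """\
Digital ring information for user SRRACFID:

  Ring:
       >WASKeyring<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphereCA                        CERTAUTH       CERTAUTH     NO
"""

# Assumed column layout of one certificate entry in LISTRING output.
ENTRY_RE = re.compile(
    r"^\s+(?P<label>\S.*?)\s{2,}"
    r"(?P<owner>ID\(\S+\)|SITE|CERTAUTH)\s+"
    r"(?P<usage>PERSONAL|SITE|CERTAUTH)\s+"
    r"(?P<default>YES|NO)\s*$")


def parse_listring(text):
    """Return the ring owner, ring name and a {label: (owner, usage, is_default)} map."""
    user = re.search(r"information for user (\S+):", text)
    ring = re.search(r">([^<]+)<", text)
    certs = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs[m.group("label")] = (
                m.group("owner"), m.group("usage"), m.group("default") == "YES")
    return {"user": user.group(1) if user else None,
            "ring": ring.group(1) if ring else None,
            "certs": certs}


def private_key_usable(ring_user, owner):
    """Simplified RACF rule (assumption): the ring owner can use the private key
    only of certificates it owns itself; certificates owned by another ID, SITE
    or CERTAUTH are present as public certificates unless RACF is configured
    to allow more."""
    return owner == "ID(%s)" % ring_user


def audit_cert_findings(label, cr_text, sr_text):
    """List what stops `label` from being used for audit signing/encryption by
    both regions. An empty list means both regions can sign with it."""
    findings = []
    for region, text in (("control region", cr_text), ("servant region", sr_text)):
        view = parse_listring(text)
        entry = view["certs"].get(label)
        if entry is None:
            findings.append("%s: '%s' is not connected to ring %s of %s"
                            % (region, label, view["ring"], view["user"]))
            continue
        owner, usage, is_default = entry
        if not private_key_usable(view["user"], owner):
            findings.append("%s: '%s' is owned by %s, so %s holds the public "
                            "certificate only and cannot sign with it"
                            % (region, label, owner, view["user"]))
    return findings


def connect_command(label, cert_owner, ring_user, ring_name, default=False):
    """Build the RACDCERT CONNECT command: the outer ID() is the keyring owner,
    the ID() inside CONNECT is the certificate owner."""
    return "RACDCERT ID(%s) CONNECT(ID(%s) LABEL('%s') RING(%s)%s)" % (
        ring_user, cert_owner, label, ring_name, " DEFAULT" if default else "")


if __name__ == "__main__":
    for finding in audit_cert_findings("AuditSigner", CR_LISTING, SR_LISTING):
        print(finding)
    # Suggested fix for the sample: connect the control region's certificate
    # to the servant region's keyring.
    print(connect_command("AuditSigner", "CRRACFID", "SRRACFID", "WASKeyring"))
```

With the sample listings the script reports that AuditSigner is not connected to the servant region's keyring and prints the CONNECT command for it. After running that command and re-capturing the listings, the ownership check will still flag that SRRACFID holds only the public certificate, which is exactly the point at which to decide how the servant region will get private-key access (the keystore views of a writable SAF keyring described below, or a RACF arrangement such as a SITE certificate connected with USAGE(PERSONAL), subject to the RACF authorizations that govern private key use).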
Access writable SAF keyrings
If writable SAF keyrings are enabled and the keyring has a configuration object in WebSphere Application Server, we can use the administrative console or a wsadmin command to verify that the certificate is accessible by both the servant and control region RACF IDs. Typically, three keystore objects are associated with a writable SAF keyring:
- A read-only view for the keyring
- The servant region view of the keyring
- The control region view of the keyring
If the certificate is seen by both the servant region and the control region keystore objects, we can use the certificate for audit signing and encryption. We can look at the keystore object using the administrative console or using the listPersonalCertificates command. See certificate management in SSL or the PersonalCertificateCommands command group.
If the certificate is visible in one keystore object but not in another, import it into the keystore object that lacks it. For example, if the certificate appears in the control region keystore object but not in the servant region keystore object, import it from the control region keystore object into the servant region keystore object, using either the administrative console or the importCertificate command. See importing a certificate or the PersonalCertificateCommands command group.
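The following wsadmin script is an added example for the keystore-view check just described; it is not code from the WebSphere documentation. It lists the personal certificates in each of the three keystore objects of a writable SAF keyring, reports which views cannot see the audit certificate, and names the keystore object to import from and the keystore objects to import into. It is written to run under wsadmin (Jython 2.1 compatible: no sets, no f-strings) and also under plain Python, where AdminTask is not defined and the constructed sample listings are used instead. The three keystore object names, the scope string, and the textual form of a printed listPersonalCertificates result ("[alias name]" attribute pairs, one certificate per line) are assumptions to be checked against your cell.

```python
"""Check the three keystore object views of a writable SAF keyring for an
audit certificate (added example, not IBM code; runs in wsadmin or plain Python)."""
import re

ORDER = ("readonly", "control", "servant")

# Hypothetical keystore object names for the three views of one writable SAF keyring.
VIEWS = {
    "readonly": "WASKeyringReadOnly",
    "control": "WASKeyringCR",
    "servant": "WASKeyringSR",
}
SCOPE = "(cell):testCell:(node):testNode"  # assumed management scope

# Constructed sample results: the read-only and control region views hold the
# audit certificate, the servant region view does not.
SAMPLE_LISTINGS = {
    "readonly": ("[ [alias auditsigner] [version 3] [size 2048] [issuedTo CN=auditsigner,O=EXAMPLE] [issuedBy CN=WebSphereCA,O=EXAMPLE] ]\n"
                 "[ [alias default] [version 3] [size 2048] [issuedTo CN=default,O=EXAMPLE] [issuedBy CN=WebSphereCA,O=EXAMPLE] ]"),
    "control": ("[ [alias auditsigner] [version 3] [size 2048] [issuedTo CN=auditsigner,O=EXAMPLE] [issuedBy CN=WebSphereCA,O=EXAMPLE] ]\n"
                "[ [alias default] [version 3] [size 2048] [issuedTo CN=default,O=EXAMPLE] [issuedBy CN=WebSphereCA,O=EXAMPLE] ]"),
    "servant": "[ [alias default] [version 3] [size 2048] [issuedTo CN=default,O=EXAMPLE] [issuedBy CN=WebSphereCA,O=EXAMPLE] ]",
}

ALIAS_RE = re.compile(r"\[alias\s+([^\]]+)\]")


def aliases_in(listing):
    """Return the certificate aliases named in one listPersonalCertificates result."""
    return [a.strip() for a in ALIAS_RE.findall(listing)]


def fetch_listings():
    """Query each keystore view through wsadmin; outside wsadmin use the samples."""
    try:
        AdminTask
    except NameError:
        return SAMPLE_LISTINGS
    listings = {}
    for view in ORDER:
        listings[view] = AdminTask.listPersonalCertificates(
            ["-keyStoreName", VIEWS[view], "-keyStoreScope", SCOPE])
    return listings


def views_missing(alias, listings):
    """Views in which the certificate is not visible. An empty list means the
    certificate can be used for audit, referenced through the read-only view."""
    return [v for v in ORDER if alias not in aliases_in(listings[v])]


def import_plan(alias, listings):
    """Choose a keystore object that holds the certificate as the source for
    importCertificate and name the keystore objects that still need it.
    Returns None when no view has the certificate (nothing to import from)."""
    missing = views_missing(alias, listings)
    present = [v for v in ORDER if v not in missing]
    if not present:
        return None
    source = "control" in present and "control" or present[0]
    return (VIEWS[source], [VIEWS[v] for v in missing])


# Assumption: some wsadmin levels report the script module name as "main".
if __name__ in ("__main__", "main"):
    plan = import_plan("auditsigner", fetch_listings())
    if plan is None:
        print("certificate not found in any keystore view")
    else:
        source, targets = plan
        print("import from %s into: %s"
              % (source, ", ".join(targets) or "nothing, all views see it"))
```

Run it with wsadmin -lang jython -f after replacing the keystore object names and scope with those of your cell; with the sample data it reports that auditsigner must be imported from WASKeyringCR into WASKeyringSR, which is the import step the text above describes.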
For more information about writable SAF keyrings, read about using, creating, and enabling writable SAF keyrings.
Use certificates in SAF keyrings for audit
After the certificate is accessible by both the servant and control region RACF IDs of the SAF keyring, we can use the certificate for audit signing and encryption. If we are using writable SAF keyrings, use the read-only keystore object with the audit configuration. For more information about using certificates for audit signing and encryption, read about protecting our security audit data.
Related:
- Certificate management in SSL
- Use writable SAF keyrings
- Encrypting our security audit records
- Signing our security audit records
- Create writable SAF keyrings
- Protecting our security audit data
- Audit encryption keystores and certificates collection
- Audit record signing configuration settings
- Audit record encryption configuration settings
- Import certificate from a key file or managed keystore
- KeyStoreCommands
- Writable SAF Keyring settings
- PersonalCertificateCommands