
(ZOS) SAF keyring support for audit signing and encryption

When we enable auditing, audit logging occurs in both the servant and control regions. When audit signing and encryption use a certificate stored in SAF keyrings, both the certificate and the SAF keyring must be accessible to the servant region RACF ID and to the control region RACF ID.


Determining the accessibility of the certificate

We must determine whether a certificate is accessible by both the servant and control region RACF IDs by reviewing the keyring information in RACF. There are multiple methods for determining whether a certificate is accessible. Complete one of the following processes:

If the certificate is accessible by one RACF ID and not the other RACF ID, we can use the following RACDCERT CONNECT command to connect the certificate with the other RACF ID:

RACDCERT ID(CRRACFID) CONNECT (ID(CRRACFID) LABEL('certificate_label') RING(keyring_name) DEFAULT)
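As an added illustration that is not part of the IBM documentation, the following Python script parses the output of RACDCERT ID(userid) LISTRING(keyring_name) captured for each region ID, reports whether the audit certificate label is connected to the keyring for both IDs, and builds the CONNECT command shown above for any ID where it is missing. The sample LISTRING output is constructed to approximate the real layout, and SRRACFID is an assumed name for the servant region RACF ID.

```python
import re

# Constructed sample output approximating the layout of RACDCERT ID(userid) LISTRING(ring).
# Real output differs in spacing; the parser relies only on the ">ring<" marker line and the
# rows after the dashed separator. SRRACFID is an assumed name for the servant region RACF ID.
LISTRING_OUTPUT = {
    "CRRACFID": """\
Digital ring information for user CRRACFID:
  Ring:
       >keyring_name<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  certificate_label                  ID(CRRACFID)   PERSONAL   YES
  WebSphere CA                       CERTAUTH       CERTAUTH   NO
""",
    "SRRACFID": """\
Digital ring information for user SRRACFID:
  Ring:
       >keyring_name<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphere CA                       CERTAUTH       CERTAUTH   NO
""",
}

def ring_certificates(listring_text, ring_name):
    """Map certificate label -> owner column for every certificate connected to ring_name."""
    certs, in_ring, past_header = {}, False, False
    for line in listring_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(">") and stripped.endswith("<"):
            in_ring, past_header = stripped[1:-1] == ring_name, False
        elif in_ring and stripped.startswith("---"):
            past_header = True
        elif in_ring and past_header and stripped:
            # Columns are separated by runs of three or more spaces; a label may contain single spaces.
            cols = re.split(r"\s{3,}", stripped)
            certs[cols[0]] = cols[1]
    return certs

def check_audit_certificate(outputs, ring_name, label):
    """Return (visibility per RACF ID, CONNECT commands that would make it visible to the rest)."""
    seen = {uid: ring_certificates(text, ring_name).get(label) for uid, text in outputs.items()}
    visible = {uid: owner is not None for uid, owner in seen.items()}
    owner = next((o for o in seen.values() if o is not None), None)
    # The ring owner is the outer ID(); the certificate owner goes inside CONNECT, as in the page's command.
    fixes = [f"RACDCERT ID({uid}) CONNECT({owner} LABEL('{label}') RING({ring_name}) DEFAULT)"
             for uid, ok in visible.items() if owner is not None and not ok]
    return visible, fixes
```

Run the script against LISTRING output saved for each region ID; a certificate that is visible to neither ID yields no CONNECT command, because there is no owner to connect it from.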

For auditing, a keystore object must be associated with a keyring in WebSphere Application Server. If the keystore object and a keyring are not associated, then we can create this association in the administrative console or use the CreateKeyStore wsadmin command. See the keystore settings or the KeyStoreCommands command group.


Access writable SAF keyrings

If we enable writable SAF keyrings and the keyring has a configuration object in WAS, we can use the administrative console or the wsadmin task to verify that the certificate is accessible by both the servant and control region RACF IDs. Typically, the following three keystore objects are associated with a writable SAF keyring:

If the certificate is seen by both the servant region and the control region keystore objects, we can use the certificate for audit signing and encryption. We can look at the keystore object using the administrative console or using the listPersonalCertificates command. See certificate management in SSL or the PersonalCertificateCommands command group.

If the certificate is visible in one keystore object but not in the other, import it into the keystore object where it is missing. For example, if the certificate is visible in the control region keystore object but not in the servant region keystore object, import it from the control region keystore object into the servant region keystore object, using either the administrative console or the importCertificate command. See importing a certificate or the PersonalCertificateCommands command group.

For more information about writable SAF keyrings, read about using, creating, and enabling writable SAF keyrings.


Use certificates in SAF keyrings for audit

After the certificate is accessible by both the servant and control region RACF IDs of the SAF keyring, we can use the certificate for audit signing and encryption. If we are using writable SAF keyrings, use the read-only keystore object with the audit configuration. For more information about using certificates for audit signing and encryption, read about protecting our security audit data.


Related:

  • Certificate management in SSL
  • Use writable SAF keyrings
  • Encrypting our security audit records
  • Signing our security audit records
  • Create writable SAF keyrings
  • Protecting our security audit data
  • Audit encryption keystores and certificates collection
  • Audit record signing configuration settings
  • Audit record encryption configuration settings
  • Import certificate from a key file or managed keystore
  • KeyStoreCommands
  • Writable SAF Keyring settings
  • PersonalCertificateCommands