When you enable auditing, logging occurs in both the servant and control regions. When audit uses a certificate for signing and encryption that is stored in SAF keyrings, the certificate and the SAF keyring must be accessible by both the servant and the control region RACF® IDs.
RACDCERT ID(CRRACFID) LISTRING(keyring_name)
RACDCERT ID(SRRACFID) LISTRING(keyring_name)
RACDCERT LIST (LABEL('certificate_label')) CERTAUTH
RACDCERT ID(CRRACFID) CONNECT (ID(CRRACFID) LABEL('certificate_label') RING(keyring_name) DEFAULT)
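The following added example (not IBM's code) compares captured LISTRING output for the control and servant region IDs and reports which ID's keyring lacks the audit certificate. The report column layout, the sample output, the "WebSphere CA" label, and the function names are constructed assumptions.

```python
import re

# Constructed sample output of RACDCERT ID(...) LISTRING(...) for the two
# region IDs. The column layout is an assumption about the RACF ring report.
CR_OUTPUT = """\
Digital ring information for user CRRACFID:

  Ring:
       >keyring_name<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  certificate_label                  ID(CRRACFID)   PERSONAL     YES
  WebSphere CA                       CERTAUTH       CERTAUTH     NO
"""
SR_OUTPUT = """\
Digital ring information for user SRRACFID:

  Ring:
       >keyring_name<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  WebSphere CA                       CERTAUTH       CERTAUTH     NO
"""

# A data row ends with owner, usage and default columns; labels may hold spaces.
ROW = re.compile(r"^\s*(?P<label>.+?)\s+(?P<owner>ID\([^)]+\)|CERTAUTH|SITE)"
                 r"\s+(?P<usage>\S+)\s+(?P<default>YES|NO)\s*$")
RING = re.compile(r"^\s*>(?P<ring>.+)<\s*$")

def parse_listring(text):
    """Return {ring_name: {label: (owner, usage, is_default)}}."""
    rings, current = {}, None
    for line in text.splitlines():
        m = RING.match(line)
        if m:
            current = rings.setdefault(m.group("ring"), {})
            continue
        m = ROW.match(line)
        if m and current is not None:
            current[m.group("label")] = (
                m.group("owner"), m.group("usage"), m.group("default") == "YES")
    return rings

def missing_from(label, ring, outputs):
    """Return the RACF IDs whose ring does not contain the certificate label."""
    return sorted(rid for rid, text in outputs.items()
                  if label not in parse_listring(text).get(ring, {}))

if __name__ == "__main__":
    outputs = {"CRRACFID": CR_OUTPUT, "SRRACFID": SR_OUTPUT}
    print(missing_from("certificate_label", "keyring_name", outputs))
```

An empty result means both region IDs have the certificate connected to the keyring; any ID returned still needs the certificate connected to its keyring.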
For auditing, a keystore object must be associated with a keyring in WebSphere® Application Server. If the keystore object and a keyring are not associated, then you can create this association in the administrative console or use the CreateKeyStore wsadmin command. For more information, read about the keystore settings or the KeyStoreCommands command group.
If the certificate is seen by both the servant region and the control region keystore objects, you can use the certificate for audit signing and encryption. You can look at the keystore object using the administrative console or using the listPersonalCertificates command. For more information, read about certificate management in SSL or the PersonalCertificateCommands command group.
If you can see the certificate in one keystore object, but cannot see it in another keystore object, you can import the missing certificate into the other keystore object. For example, you would need to import the certificate into the servant region keystore object if you can see it in the control region keystore object, but cannot see it in the servant region keystore object. You can import the certificate from the control region keystore object to the servant region keystore object using either the administrative console or the importCertificate command. For more information, read about importing a certificate or the PersonalCertificateCommands command group.
For more information about writable SAF keyrings, read about using, creating, and enabling writable SAF keyrings.
After the certificate is accessible by both the servant and control region RACF IDs of the SAF keyring, you can use the certificate for audit signing and encryption. If you are using writable SAF keyrings, use the read-only keystore object with the audit configuration. For more information about using certificates for audit signing and encryption, read about protecting your security audit data.