What is the best trace to troubleshoot digital certificate / keyring problems?
External security Top Secret
The best trace to see what keyring and certificates are being read is an R_datalib trace.
It is best to include a Sectrace along with the R_datalib trace.
Below are the trace commands:
TSS ADD(acid) TRACE
TSS REFRESH(acid) JOBNAME(*)
TSS MODI(SECTRACE(ACT,WTL))
ST SET,ID=TSS,TYPE=OMVS,DEST=SYSLOG,FORMAT=DUMP,SFUNC=RDATALIB,END (issued on the console)
This will route all trace records to the MVS syslog....
Recreate the problem.
TSS MODI(SECTRACE(OFF))
ST DEL,ID=TSS (issued on the console)
TSS REM(acid) TRACE
The acid being traced should be the owner of the keyring.
Both traces will print together as one trace in plain text, which can be emailed.
Authorized applications invoke the R_datalib callable service (IRRSDL00 or IRRSDL64) to read keyrings, certificates, and extract private keys. If there are no R_datalib calls, then the keyring is not being read.