--- patch/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java	2017-06-06 04:56:02.188426066 +0200
+++ pki/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java	2017-06-06 01:50:56.698341052 +0200
@@ -17,6 +17,8 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.kra;
 
+import java.math.BigInteger;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.dbs.keydb.KeyId;
@@ -41,6 +43,7 @@ public class SecurityDataRecoveryService
 
     private IKeyRecoveryAuthority kra = null;
     private SecurityDataProcessor processor = null;
+    private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
 
     public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
         this.kra = kra;
@@ -65,8 +68,66 @@ public class SecurityDataRecoveryService
             throws EBaseException {
 
         CMS.debug("SecurityDataRecoveryService.serviceRequest()");
-        processor.recover(request);
-        kra.getRequestQueue().updateRequest(request);
+
+        // parameters for auditing
+        String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+        BigInteger serialNumber = request.getExtDataInBigInteger("serialNumber");
+        KeyId keyId = serialNumber != null ? new KeyId(serialNumber): null;
+        RequestId requestID = request.getRequestId();
+        String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+
+        try {
+            processor.recover(request);
+            kra.getRequestQueue().updateRequest(request);
+            auditRecoveryRequestProcessed(
+                    auditSubjectID,
+                    ILogger.SUCCESS,
+                    requestID,
+                    keyId,
+                    null,
+                    approvers);
+        } catch (EBaseException e) {
+            auditRecoveryRequestProcessed(
+                    auditSubjectID,
+                    ILogger.FAILURE,
+                    requestID,
+                    keyId,
+                    e.getMessage(),
+                    approvers);
+            throw e;
+        }
         return false;  //TODO: return true?
     }
+
+    private void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
+    private void audit(String msg) {
+        if (signedAuditLogger == null)
+            return;
+
+        signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+                null,
+                ILogger.S_SIGNED_AUDIT,
+                ILogger.LL_SECURITY,
+                msg);
+    }
+
+    private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+            KeyId keyID, String reason, String recoveryAgents) {
+        audit(new SecurityDataRecoveryProcessedEvent(
+                subjectID,
+                status,
+                requestID,
+                keyID,
+                reason,
+                recoveryAgents));
+    }
 }