Steps to create the PKDS

The PKDS must be allocated and the PKDS data set name must be specified on the PKDSN parameter of the options data set when you first start ICSF.

The PKDS must be a key-sequenced data set with variable length records. Allocate the PKDS on a permanently resident volume.

  1. Determine the amount of primary space you need to allocate for the PKDS.

    This should reflect the total number of entries you expect the data set to contain initially. The PKDS will contain both public and private PKA keys. Each record has a maximum size of 3.5 KB. The average record length for a private key is 1.4 KB, and for a public key is 0.5 KB. Allocate space for a minimum of two private keys: one for digital signatures and another for encipherment. In addition, allocate enough space for the number of public keys you expect to store in the PKDS. The number of public keys varies from system to system. Generally, only those keys that are received from other users or systems are stored in the PKDS. The public keys are used to send messages to the owners of the public keys. In addition, installations may add metadata to any record. If you are planning to add metadata, account for the size of the metadata in the length of records.

  2. Determine the amount of secondary space to allocate for the PKDS.

    This should reflect the total number of entries you expect to add to the data set. For detailed information about calculating space for a VSAM data set, see z/OS DFSMS Access Method Services Commands.

    To access keys, VSAM uses the key label as the VSAM key. This means that VSAM adds keys to the data set in collating sequence. That is, if two keys named A and B are in the data set, A appears earlier in the data set than B. As a result, adding keys to the data set can cause multiple VSAM control interval splits and control area splits. For example, a split might occur if the data set contains keys A, B, and E and you add C. In this case, C must be placed between B and E.

    The amount of secondary space you allocate must take into account the number of control interval and control area splits that might occur. If the PKDS uses a significant amount of secondary space, you can copy it into another disk copy that you created with more primary space. You can do this by using the Access Method Services (AMS) REPRO command or the AMS EXPORT/IMPORT commands.

    The BUFFERSPACE parameter on the AMS DEFINE CLUSTER command (required by Step 3) lets VSAM optimize space for control area and control interval splits. For a detailed explanation of keyed-direct update processing and what happens when control area and control interval splits occur, see z/OS DFSMS Access Method Services Commands.

  3. Create an empty VSAM data set to use as the PKDS. Use the AMS DEFINE CLUSTER command to define the data set and to allocate its space. ICSF provides a sample job to define the PKDS in member CSFPKDS of SYS1.SAMPLIB.
    Note: To improve security and reliability of the data that is stored on the PKDS:
    • Use the ERASE and WRITECHECK parameters on the AMS DEFINE CLUSTER command. ERASE overwrites data records with binary zeros when the PKDS cluster is deleted. WRITECHECK provides hardware verification of all data that is written to the data set.
    • Create a Security Server (RACF) data set profile for the PKDS. Ensure that no one has access to the PKDS data set by protecting the PKDS data set name resource in the DATASET class. If a data set profile is used, as opposed to using the PROTECTALL(FAIL) option for example, the profile should have a UACC of NONE.
    • The CISZ(8192) value coded in the DATA section of the sample in Step 4 is a hardcoded requirement.
  4. Allocate a disk copy of the PKDS by defining a VSAM cluster as in this SYS1.SAMPLIB CSFPKDS member sample:
    //CSFPKDS JOB <JOB CARD PARAMETERS>
    //********************************************************************          
    //*  Licensed Materials - Property of IBM                            *          
    //*  5650-ZOS                                                        *          
    //*  Copyright IBM CORP. 2002, 2015                                  *          
    //*                                                                  *          
    //* This JCL defines a VSAM PKDS                                     *          
    //*                                                                  *          
    //*  CAUTION: This is neither a JCL procedure nor a complete JOB.    *          
    //*  Before using this JOB step, you will have to make the following *          
    //*  modifications:                                                  *          
    //*                                                                  *          
    //*  1) Add the job parameters to meet your system requirements.     *          
    //*  2) Be sure to change CSF to the appropriate HLQ if you choose   *          
    //*     not to use the default.                                      *          
    //*  3) Change XXXXXX to the volid where you want your PKDS to       *          
    //*     reside. The PKDS needs to be on a permanently resident       *          
    //*     volume.                                                      *          
    //*                                                                  *          
    //* NOTE: This JCL is specific for creating a PKDS. There are        *          
    //*       samples for each of the other key data sets and formats.   *          
    //*                                                                  *          
    //********************************************************************          
    //DEFINE  EXEC PGM=IDCAMS,REGION=64M                                             
    //SYSPRINT DD SYSOUT=*                                                          
    //SYSIN DD *                                                                    
      DEFINE CLUSTER (NAME(CSF.CSFPKDS)          -                                  
                      VOLUMES(XXXXXX)            -                                  
                      RECORDS(100 50)            -                                  
                      RECORDSIZE(800,3800)       -                                  
                      KEYS(72 0)                 -                                  
                      FREESPACE(0,0)             -                                  
                      SHAREOPTIONS(2,3))         -                                  
                DATA (NAME(CSF.CSFPKDS.DATA)     -                                  
                      BUFFERSPACE(100000)        -                                  
                      ERASE                      -                                  
                      CISZ(8192)                 -                                  
                      WRITECHECK)                -                                  
               INDEX (NAME(CSF.CSFPKDS.INDEX))                                      
    /*                                                                              

    You can change and use the Job Control Language according to the needs of your installation. Note that the JCL that defines the PKDS differs from the JCL that defines the CKDS in the RECORDSIZE and CISZ parameters. For more information about allocating a VSAM data set, see z/OS DFSMS Access Method Services Commands.
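
Because installations are free to change the sample, a pre-submission check of the edited DEFINE CLUSTER statement can confirm that the attributes this page calls out are still present: key-sequenced organization, variable-length records, CISZ(8192) in the DATA section, ERASE and WRITECHECK. The following Python sketch is an added example, not part of ICSF or SYS1.SAMPLIB; the function names and the WEAK input are constructed for illustration, and it assumes keywords are spelled out in full as in the sample (IDCAMS abbreviations other than CISZ are not recognized).

```python
import re

# Constructed input: a cut-down, deliberately weakened variant of the sample
# (fixed-length RECORDSIZE, CISZ(4096), no ERASE, no WRITECHECK).
WEAK = """
  DEFINE CLUSTER (NAME(CSF.CSFPKDS)      -
                  VOLUMES(XXXXXX)        -
                  RECORDS(100 50)        -
                  RECORDSIZE(3800,3800)  -
                  KEYS(72 0))            -
            DATA (NAME(CSF.CSFPKDS.DATA) -
                  CISZ(4096))            -
           INDEX (NAME(CSF.CSFPKDS.INDEX))
"""

def section(stmt, keyword):
    """Return the text inside the balanced parentheses that follow `keyword`."""
    m = re.search(r"\b%s\s*\(" % keyword, stmt)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(stmt)):
        depth += {"(": 1, ")": -1}.get(stmt[i], 0)
        if depth == 0:
            return stmt[start:i]
    return stmt[start:]

def lint_pkds_define(text):
    """Check a DEFINE CLUSTER statement against the PKDS guidance on this page."""
    # Drop IDCAMS continuation hyphens and fold the statement onto one line.
    stmt = " ".join(l.rstrip().rstrip("-") for l in text.upper().splitlines())
    scope = section(stmt, "CLUSTER") + " " + section(stmt, "DATA")
    findings = []
    # INDEXED (key-sequenced) is the default; these keywords select another type.
    if re.search(r"\b(NONINDEXED|NUMBERED|LINEAR)\b", stmt):
        findings.append("not key-sequenced")
    rs = re.search(r"\bRECORDSIZE\s*\(\s*(\d+)[\s,]+(\d+)", scope)
    if not rs or int(rs.group(1)) >= int(rs.group(2)):
        findings.append("RECORDSIZE is not variable length")
    cisz = re.search(r"\b(?:CISZ|CONTROLINTERVALSIZE)\s*\(\s*(\d+)",
                     section(stmt, "DATA"))
    if not cisz or cisz.group(1) != "8192":
        findings.append("DATA CISZ is not 8192")
    for kw in ("ERASE", "WRITECHECK"):
        # \b keeps NOERASE / NOWRITECHECK from satisfying the check.
        if not re.search(r"\b%s\b" % kw, scope):
            findings.append("%s missing" % kw)
    return findings
```

Pass only the SYSIN control statements (the lines between `//SYSIN DD *` and `/*`), not the surrounding JCL; an empty list means none of the checked attributes was lost.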