Additional CKDS performance considerations

Beginning with FMID HCR7780, ICSF support for the CKDS key store data set has been enhanced to accommodate a CKDS that may contain millions of symmetric keys. If an installation intends to maintain a CKDS of that size, IBM recommends migrating to HCR7780 (or later) first. Prior releases of ICSF were not designed to accommodate a CKDS with millions of keys, and could experience various symptoms of degradation or failure. Note that in a sysplex environment where the CKDS is shared across multiple active ICSF instances, all such instances should be migrated to the HCR7780 or later release level before the symmetric key material is scaled to that magnitude.

IBM also recommends that installations that deploy a CKDS with millions of symmetric keys not enable CKDS MAC authentication, or disable it if it is already enabled. CKDS MAC authentication adds a coprocessor request to each VSAM data set read/write operation. This carries a significant performance cost that would be greatly magnified with such a large CKDS.