CKDS

There are three formats of the CKDS:

A fixed length record format with LRECL=252 (supported by all releases of ICSF). Sample is CSFCKDS.
A variable length record format with LRECL=1024 (supported by HCR7780 and later releases). Sample is CSFCKD2.
A variable length record format with LRECL=2048 (supported by HCR77A1 and later releases). This is referred to as KDSR format. Sample is CSFCKD3.

The variable length record format is only required if variable-length key tokens are to be stored in the CKDS. All fixed-length and variable-length symmetric key tokens can be stored in the variable-length record format CKDS. See Migrating to the variable length CKDS for more information.

In addition to supporting all symmetric key tokens, the KDSR format CKDS provides support for metadata for each record including tracking usage of the records. See Migrating to the KDSR format key data set for more information.

When sharing a CKDS with CCF systems and non-CCF systems, the CKDS must be created on a CCF system and must not be in KDSR format.

When new key types are added to the CKDS, these following consideration applies when sharing the CKDS:

When clear DES or AES keys are added to the CKDS, RACF-protect all clear DES and AES keys by label name on all systems sharing the CKDS.

If you have no coprocessor, you can initialize the CKDS for use with clear AES and DES data keys. This CKDS cannot be used on a system with cryptographic coprocessors.

Release HCR7780 introduced the enhanced key wrapping method for DES key tokens. ICSF releases before HCR7780 do not support enhanced key wrapping and require a toleration APAR.

A CKDS with tokens wrapped with the enhanced method can only be reenciphered on a system running release HCR7780 or later.

Note: The CKDS exits (single-record, read-write and retrieval) are not enabled for either variable-length record format of the CKDS. See Installation exits for more information.