Like the CKDS and PKDS, ICSF manages a mirror copy of the TKDS
data set in protected, private virtual storage to optimize cryptographic
workload access to persistent PKCS #11 objects (keys, certificates,
and so on). Also like the CKDS and PKDS, the in-storage TKDS copy
must be accommodated with sufficient system central storage and auxiliary
paging space resources. Unfortunately, the variable length nature
of PKCS #11 objects makes resource estimating for the TKDS difficult.
The best way to estimate the virtual storage requirement for an existing,
stable TKDS (one that is not experiencing significant dynamic PKCS
#11 object creation or deletion activity) is to determine the actual
size of the used DATA portion of the TKDS and multiply this by 3.
The following formula is provided to help you calculate the required
system virtual storage backing resource for an active in-storage TKDS.
In this formula HI-A-RBA is the allocated relative byte address for
the data component of a TKDS VSAM data set. The IDCAMS LISTCAT command
output for a TKDS VSAM data set can be consulted to determine the
HI-A-RBA value for the data component. The %Free Space used in this
formula represents the percentage of free space in the TKDS VSAM data
set. The IDCAMS EXAMINE DATATEST command output can be consulted to
determine the percentage of free space.

HI-A-RBA x ( ( 100 - %Free Space ) / 100 ) x 3

For example, if the DATA HI-A-RBA has the value 1622016 with 56% free
space, then the virtual storage requirement estimate would be 1622016
x (44/100) x 6 = 4282122 bytes or 4182 Kilobytes.
In addition to the persistent PKCS #11 objects stored in the TKDS,
applications may also make use of temporary (session) objects. These
too occupy ICSF protected, private virtual storage and should be accounted
for. However, since these objects are not stored in the TKDS, it is
impossible to estimate their virtual storage requirements without
having some knowledge of the applications that are using PKCS #11.
Fortunately, most applications that use PKCS #11 use only a small
number of PKCS #11 session objects and their storage requirements
are already factored into the TKDS estimate above. However, some applications,
such as TCP/IP’s IPSec, use session objects exclusively, and
may use a large number of them. Estimating the virtual storage requirements
for these is beyond the scope of this document. Note that applications
using PKCS #11 session objects have an overall upper limit of 128
Megabytes per application address space for session objects.
Note: The output from the formula above should be added to the outputs
calculated from the formulas in ICSF system resource planning for the
CKDS and ICSF system resource planning for the PKDS. This will give you the required system
virtual storage backing resource for all of ICSF’s KDS data
sets. This value represents the required amount of virtual storage
for a given instance of ICSF. For a set of KDS data sets shared across
a sysplex environment, every active ICSF in the sysplex will have
an equivalent resource requirement.