Key store policy

KGUP

ICSF has enhanced KGUP to enforce key store policy for duplicate key tokens in the CKDS. When the SAF XFACILIT resource CSF.CKDS.TOKEN.NODUPLICATES is enabled, KGUP will check for duplicate encrypted tokens in the CKDS for ADD and UPDATE control statements. When a duplicate token is found, the processing of that control statement is terminated.

This change may cause KGUP to fail if your ICSF administrator has enabled the CSF.CKDS.TOKEN.NODUPLICATES resource. If you are generating keys with random key values and the job fails because of a duplicate key token, you should be able to rerun the job to generate a different key value. If you are adding keys with a specific key value and the job fails, contact your ICSF administrator to determine what action to take.

Key material archiving

ICSF has implemented a way to archive records in the key data sets. The record remains in the data set, but the key material in the record cannot be used. Any attempt to use the key material fails unless the optional key archive use control (a SAF XFACILIT resource) is enabled, in which case the request is allowed to complete. An SMF record is logged in both cases. If the key archive message control (KEYARCHMSG) is enabled, an optional joblog message is issued on the first successful reference. For additional details, see z/OS Cryptographic Services ICSF Administrator's Guide.

In order to use this function, the key data sets must be in the KDSR format, introduced in HCR77A1. Existing data sets can be converted to the KDSR format using the Coordinated KDS Administration callable service. For additional details, see z/OS Cryptographic Services ICSF Application Programmer's Guide.

Key material validity

ICSF has implemented a way to specify the period during which the key material of a key data set record is active. The ICSF administrator can specify the start and end dates of that period, and ICSF allows applications to use the key material only within those dates. For additional details, see z/OS Cryptographic Services ICSF Administrator's Guide.

In order to exploit this function, the key data sets must be in the KDSR format, introduced in HCR77A1. Existing data sets can be converted to the KDSR format using the Coordinated KDS Administration callable service. For additional details, see z/OS Cryptographic Services ICSF Application Programmer's Guide.
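The three controls described on this page (the KGUP duplicate-token check, the archived-key reference with its SMF record and KEYARCHMSG message, and the key material validity window) share one decision model, shown below as an added example written for this page; it is not ICSF code. The SAF XFACILIT controls are reduced to booleans in a Policy object, the SMF record to a list of audit entries, and the joblog to a list of strings. The names KdsRecord, KeyDataSet, Policy, kgup and use_key are assumptions, as is the inclusive treatment of the start and end dates; the tokens and labels are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class KdsRecord:
    """One key data set record (a model, not the KDSR record layout)."""
    label: str
    token: bytes                         # encrypted key token, constructed sample
    archived: bool = False               # key material archived: unusable by default
    valid_from: Optional[date] = None    # start of the validity period, if set
    valid_to: Optional[date] = None      # end of the validity period, if set


@dataclass
class Policy:
    """Stand-ins for the SAF/options controls named on the page."""
    no_duplicates: bool = False          # CSF.CKDS.TOKEN.NODUPLICATES enabled
    archive_use_allowed: bool = False    # optional key archive use control enabled
    archive_message: bool = False        # KEYARCHMSG enabled


class KeyDataSet:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.records: dict[str, KdsRecord] = {}
        self.smf: list[dict] = []        # model of SMF records written by ICSF
        self.joblog: list[str] = []      # model of joblog messages
        self._messaged: set[str] = set() # labels already reported under KEYARCHMSG

    def _duplicate_of(self, token: bytes, exclude: str) -> Optional[str]:
        """Return the label of another record holding the same encrypted token."""
        for label, rec in self.records.items():
            if label != exclude and rec.token == token:
                return label
        return None

    def kgup(self, statement: str, record: KdsRecord) -> str:
        """Apply a KGUP ADD or UPDATE control statement under key store policy."""
        if statement not in ("ADD", "UPDATE"):
            raise ValueError(f"unsupported control statement {statement}")
        if statement == "ADD" and record.label in self.records:
            return f"{statement} {record.label}: label already exists"
        if statement == "UPDATE" and record.label not in self.records:
            return f"{statement} {record.label}: no such record"
        if self.policy.no_duplicates:
            dup = self._duplicate_of(record.token, exclude=record.label)
            if dup is not None:
                # duplicate encrypted token: this control statement is terminated
                return f"{statement} {record.label}: terminated, duplicate token of {dup}"
        self.records[record.label] = record
        return f"{statement} {record.label}: ok"

    def use_key(self, label: str, today: date) -> bool:
        """Decide whether an application may use the key material in a record."""
        rec = self.records[label]
        if rec.archived:
            allowed = self.policy.archive_use_allowed
            # an SMF record is logged whether the archived reference fails or completes
            self.smf.append({"label": label, "archived": True, "allowed": allowed})
            if not allowed:
                return False
            if self.policy.archive_message and label not in self._messaged:
                # joblog message only for the first successful reference
                self._messaged.add(label)
                self.joblog.append(f"archived key {label} referenced")
        # validity window: key material is active only between the two dates
        if rec.valid_from is not None and today < rec.valid_from:
            return False
        if rec.valid_to is not None and today > rec.valid_to:
            return False
        return True


if __name__ == "__main__":
    kds = KeyDataSet(Policy(no_duplicates=True, archive_use_allowed=True, archive_message=True))
    print(kds.kgup("ADD", KdsRecord("KEY.A", b"\x01\x02\x03")))
    print(kds.kgup("ADD", KdsRecord("KEY.B", b"\x01\x02\x03")))   # terminated
    kds.kgup("ADD", KdsRecord("KEY.C", b"\x04", archived=True))
    print(kds.use_key("KEY.C", date(2024, 6, 1)), kds.smf, kds.joblog)
```

The UPDATE path excludes the record's own label from the duplicate search, so rewriting a record with its existing token is not reported as a duplicate of itself; only a token already held under a different label terminates the statement.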