ICSF has enhanced KGUP to enforce key store policy for duplicate key tokens in the CKDS. When the SAF XFACILIT resource CSF.CKDS.TOKEN.NODUPLICATES is enabled, KGUP will check for duplicate encrypted tokens in the CKDS for ADD and UPDATE control statements. When a duplicate token is found, the processing of that control statement is terminated.
This change may cause KGUP to fail if your ICSF administrator has enabled the CSF.CKDS.TOKEN.NODUPLICATES resource. If you are generating keys with random key values and the job fails because it is a duplicate key token, you should be able to rerun the job to generate a different key value. If you are adding keys with a specific key value and the job fails, you should contact your ICSF administrator to determine what action to take.
In order to use this function, the key data sets must be in the KDSR format, introduced in HCR77A1. Existing data sets can be converted to the KDSR format using the Coordinated KDS Administration callable service. For additional details, see z/OS Cryptographic Services ICSF Application Programmer's Guide.
In order to exploit this function, the key data sets must be in the KDSR format, introduced in HCR77A1. Existing data sets can be converted to the KDSR format using the Coordinated KDS Administration callable service. For additional details, see z/OS Cryptographic Services ICSF Application Programmer's Guide.