The Token Data Set (TKDS)

PKCS #11 tokens and objects are stored in a VSAM data set called the token data set (TKDS). ICSF provides sample TKDS allocation jobs (members CSFTKDS and CSFTKD2) in SYS1.SAMPLIB. The TKDS contains individual entries for each token and object that is added to it. ICSF maintains two copies of the TKDS: a disk copy and an in-storage copy. Only token objects are stored in the TKDS. Session objects (which are not persistent) are stored in memory only.

The TKDS must be a key-sequenced data set with spanned variable length records and must be allocated on a permanently resident volume. For information on managing and sharing the TKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.

The TKDS is optional for installations that don’t use PKCS #11 services or those that use only clear session (non-persistent) PKCS #11 keys.
Note: There are two formats of the TKDS: the TKDS record format (supported by all releases of ICSF), and KDSR record format which is common to all KDS types (supported by HCR77A1 and later releases). KDSR allows ICSF to track key usage if so configured.
Parent topic: Introduction to z/OS ICSF