First Time Use of Secure PKCS #11 Keys

ICSF PKCS #11 services can be used for clear key operations both with and without a TKDS. To use secure PKCS #11 keys, a TKDS is required. The first time you intend to use secure PKCS #11 services, you must load a P11-MK and either initialize a new, empty TKDS or update your existing, clear-key-only TKDS. For information on creating an empty TKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide. When you initialize or update the TKDS, ICSF creates a header record for the TKDS, installs the required P11-MK key pattern in the TKDS, and sets the master key. All secure PKCS #11 keys stored in the TKDS are enciphered under the P11-MK. (Note that the TKDS may contain both clear and secure keys, if desired.) After the master key has been set, you can generate or enter any keys you need to perform secure PKCS #11 cryptographic functions.

To begin, load the P11 new master key register using the TKE workstation. If you intend to have multiple instances of ICSF sharing the same active TKDS in a sysplex environment, you can define an EP11 domain group on the TKE workstation to load the same P11-MK in all domains used by all ICSF instances that will share the same active TKDS. After loading the new P11 master key, commit the new P11 master key using the TKE workstation.

After the P11 new master key register has been loaded and committed, the TKDS must be initialized. TKDS initialization is required only the first time the P11 new master key register is loaded. When sharing the TKDS in a sysplex environment, TKDS initialization should be performed on each ICSF instance sharing the TKDS. Optionally, after you initialize a TKDS on one ICSF instance, you can share it with other ICSF instances that are configured with the same P11 master key value simply by starting or restarting those other ICSF instances.