ICSF instances may share the same active CKDS across multiple LPARs
on the same system, or across LPARs on different zSeries Processors.
All ICSF instances sharing the same active CKDS must have the same
DES and, if applicable, AES master key installed.

It is not required that all ICSF instances share their active CKDS
across a sysplex. It is also not required that all ICSF instances
in a sysplex be configured with the same active CKDS. Each system
may have its own Master Key or Keys and its own active CKDS. A sysplex
may have a combination of ICSF instances that share their active CKDS
and ICSF instances that do not share their active CKDS.

In a sysplex environment, a set of ICSF instances all sharing the
same active CKDS can be described as a CKDS sysplex cluster. Other
ICSF instances configured with different active CKDSs can join the
same sysplex group to create multiple CKDS sysplex clusters.
It is not required for each ICSF instance sharing the same active
CKDS to be configured with the same DOMAIN. Cryptographic Coprocessor
DOMAINs may be split up across LPARs all sharing the same active CKDS.

When sharing the CKDS, a few precautions should be observed:
- Dynamic CKDS services update the DASD copy of the active CKDS
and the in-storage copy on the system where it is run. The SYSPLEXCKDS
option in the ICSF installation options data set provides consistent
sysplex-wide update of the DASD copy of the active CKDS and the in-storage
copies of the active CKDS for all members of the sysplex sharing the
same active CKDS. If SYSPLEXCKDS(YES,FAIL(xxx)) is specified in the
installation options data set, sysplex messages will be issued to
sysplex members configured with the same active CKDS. The messages
will inform them of the CKDS update and request them to update their
in-storage CKDS copy. If SYSPLEXCKDS(NO,FAIL(xxx)) is specified in
the installation options data set, sysplex messages will not be sent
to sysplex members for CKDS updates. When configured this way, either
a coordinated refresh or a local refresh must be performed
to load the updates into ICSF's in-storage copy of the CKDS. To perform
a coordinated CKDS refresh, refer to Performing a coordinated refresh.
To perform a local CKDS refresh on each ICSF instance configured
with the affected CKDS, refer to Performing a Local CKDS Refresh or Using the ICSF Utility Program CSFEUTIL.
- If multiple sysplexes share a CKDS, or if a sysplex and other
non-sysplex systems share a CKDS, there is no provision for automatic
update of the in-storage copies of the CKDS on the systems that are
not in the same sysplex as the system initiating the CKDS update.
When configured this way, either a coordinated CKDS refresh or a local CKDS
refresh will be required on the systems that are sharing the same
active CKDS but are not in the same sysplex as the initiating system
in order to update the in-storage copy on each system. To perform
a coordinated CKDS refresh, see Performing a coordinated refresh.
To perform a local CKDS refresh on each ICSF instance configured with
the affected CKDS, see Performing a Local CKDS Refresh in Managing CCA Master Keys depending on your coprocessor type. Optionally,
you may use CSFEUTIL to perform a local CKDS refresh, see Using the ICSF Utility Program CSFEUTIL for more information.
- If KGUP is used to update the active CKDS, the update is only
made to the DASD copy of the CKDS. Either a coordinated CKDS refresh
or a local CKDS refresh must be performed to load the updates into
ICSF's in-storage copy of the CKDS. To perform a coordinated CKDS
refresh, see Performing a coordinated refresh. To perform a local
CKDS refresh on each ICSF instance configured with the affected CKDS,
see Performing a Local CKDS Refresh in Managing CCA Master Keys depending
on your coprocessor type. Optionally, you may use CSFEUTIL to perform
a local CKDS refresh, see Using the ICSF Utility Program CSFEUTIL for more information.
- Starting with release HCR7780, there are three formats
  of the CKDS:
    - Fixed-length record (supported by all releases of ICSF).
    - Variable-length record (supported by HCR7780 and later releases).
    - KDSR record (supported by HCR77A1 and later releases).
  The variable-length record format can be shared only by systems
  running ICSF HCR7780 or later. The KDSR record format can be shared
  only by systems running ICSF HCR77A1 or later.
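The sharing rules above (same master keys on every instance sharing a CKDS, CKDS record format versus ICSF release level, and which instances still need a coordinated or local refresh after a dynamic CKDS service or KGUP update) are easy to get wrong when an inventory spans several sysplexes. The following Python is an added example, not IBM code or text from the ICSF documentation: it encodes those rules as a checker over a constructed inventory. The system names, sysplex names, CKDS data set names, and master key labels are hypothetical; it assumes ICSF FMIDs order lexicographically (HCR7780 < HCR7790 < HCR77A1, which holds because ASCII digits sort before letters) and, conservatively, that automatic in-storage update of a member requires SYSPLEXCKDS(YES,FAIL(xxx)) on both the initiating system and the member.

```python
"""Consistency checker for ICSF instances that share an active CKDS (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Instance:
    name: str                    # hypothetical system/LPAR name
    sysplex: str                 # sysplex name, or "" for a system outside any sysplex
    ckds: str                    # data set name of the active CKDS
    release: str                 # ICSF FMID, e.g. HCR7780 or HCR77A1
    sysplexckds: bool            # True when SYSPLEXCKDS(YES,FAIL(xxx)) is in the options data set
    master_keys: Dict[str, str]  # key type -> constructed label standing in for the installed key


# Minimum ICSF release able to share each CKDS record format (None = every release).
FORMAT_MIN_RELEASE = {"FIXED": None, "VARIABLE": "HCR7780", "KDSR": "HCR77A1"}


def release_at_least(release: str, minimum) -> bool:
    # Assumption: FMIDs compare correctly as strings for the releases involved.
    return minimum is None or release >= minimum


def sharing_groups(instances: List[Instance]) -> Dict[str, List[Instance]]:
    """Group instances by the CKDS they have active (the sharing unit)."""
    groups: Dict[str, List[Instance]] = {}
    for inst in instances:
        groups.setdefault(inst.ckds, []).append(inst)
    return groups


def check_sharing(instances: List[Instance], ckds_formats: Dict[str, str]) -> List[str]:
    """Report release/format mismatches and master key mismatches per shared CKDS."""
    problems = []
    for ckds, members in sharing_groups(instances).items():
        fmt = ckds_formats[ckds]
        for inst in members:
            if not release_at_least(inst.release, FORMAT_MIN_RELEASE[fmt]):
                problems.append(f"{inst.name}: {inst.release} cannot share {ckds} "
                                f"({fmt} format needs {FORMAT_MIN_RELEASE[fmt]} or later)")
        # Every sharer must hold the same DES master key and, where both have one, the same AES master key.
        ref = members[0]
        for inst in members[1:]:
            for ktype in ("DES", "AES"):
                a, b = ref.master_keys.get(ktype), inst.master_keys.get(ktype)
                if a is not None and b is not None and a != b:
                    problems.append(f"{inst.name}: {ktype} master key differs from {ref.name} on {ckds}")
    return problems


def ckds_sysplex_clusters(instances: List[Instance]) -> Dict[tuple, List[str]]:
    """A CKDS sysplex cluster is the set of members of one sysplex sharing one active CKDS."""
    clusters: Dict[tuple, List[str]] = {}
    for inst in instances:
        if inst.sysplex:
            clusters.setdefault((inst.sysplex, inst.ckds), []).append(inst.name)
    return {key: sorted(names) for key, names in clusters.items()}


def refresh_plan(instances: List[Instance], initiator: str, via_kgup: bool = False) -> List[str]:
    """Instances that need a coordinated or local CKDS refresh after an update started on `initiator`."""
    init = next(i for i in instances if i.name == initiator)
    needs = []
    for inst in instances:
        if inst.ckds != init.ckds:
            continue                      # a different active CKDS is unaffected
        if via_kgup:
            needs.append(inst.name)       # KGUP updates only the DASD copy, so everyone refreshes
            continue
        if inst.name == init.name:
            continue                      # dynamic services update the initiator's in-storage copy
        automatic = (inst.sysplex and inst.sysplex == init.sysplex
                     and init.sysplexckds and inst.sysplexckds)
        if not automatic:
            needs.append(inst.name)       # other sysplex, non-sysplex system, or SYSPLEXCKDS(NO)
    return sorted(needs)


# Constructed inventory for demonstration only.
INVENTORY = [
    Instance("SYSA", "PLEX1", "CRYPTO.CKDS.SHARED", "HCR77A1", True,  {"DES": "des-mk-1", "AES": "aes-mk-1"}),
    Instance("SYSB", "PLEX1", "CRYPTO.CKDS.SHARED", "HCR77B0", True,  {"DES": "des-mk-1", "AES": "aes-mk-1"}),
    Instance("SYSC", "PLEX1", "CRYPTO.CKDS.SHARED", "HCR7780", False, {"DES": "des-mk-1", "AES": "aes-mk-1"}),
    Instance("SYSD", "PLEX2", "CRYPTO.CKDS.SHARED", "HCR77A1", True,  {"DES": "des-mk-1", "AES": "aes-mk-2"}),
    Instance("SYSE", "PLEX1", "CRYPTO.CKDS.LOCAL",  "HCR77A1", True,  {"DES": "des-mk-9", "AES": "aes-mk-1"}),
]
CKDS_FORMATS = {"CRYPTO.CKDS.SHARED": "KDSR", "CRYPTO.CKDS.LOCAL": "FIXED"}

if __name__ == "__main__":
    for problem in check_sharing(INVENTORY, CKDS_FORMATS):
        print("PROBLEM:", problem)
    print("clusters:", ckds_sysplex_clusters(INVENTORY))
    print("refresh after dynamic update on SYSA:", refresh_plan(INVENTORY, "SYSA"))
    print("refresh after KGUP update on SYSA:", refresh_plan(INVENTORY, "SYSA", via_kgup=True))
```

Run against the constructed inventory, the checker flags SYSC (HCR7780 cannot share a KDSR-format CKDS) and SYSD (different AES master key than the other sharers), reports SYSA, SYSB and SYSC as the PLEX1 cluster on CRYPTO.CKDS.SHARED, and shows that a dynamic update from SYSA leaves SYSC (SYSPLEXCKDS(NO)) and SYSD (other sysplex) needing a manual refresh, while a KGUP update requires a refresh on every sharer including SYSA.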