Local CKDS refresh

When you initialize a CKDS for the first time, you can copy the disk copy of the CKDS to create other CKDSs for the system. You can use the dynamic CKDS update callable services to add or update the disk copy of the current in-storage CKDS. For information on using the dynamic CKDS callable services, refer to the z/OS Cryptographic Services ICSF Application Programmer's Guide.

Note:
  1. Prior to refreshing a CKDS, consider temporarily disallowing dynamic CKDS update services.
  2. You may refresh any CKDS with the REFRESH CKDS option. This includes CKDSs that were initialized on systems with master keys. This is the only way to share a CKDS with a system that has cryptographic coprocessors. If you are sharing a CKDS with encrypted keys, the system with no coprocessors cannot manage the encrypted keys.
  3. If you are running either a standalone system or a sysplex environment where all ICSF instances are at FMID HCR7790 or later, you may be able to perform a coordinated CKDS refresh. The coordinated CKDS refresh operation simplifies CKDS administration by automating steps from the local CKDS refresh procedure and allowing the refresh to be initiated from a single ICSF instance. Coordinated CKDS refresh is carried out for all ICSF instances in the sysplex sharing the same active CKDS. If you are in a single system environment, coordinated CKDS refresh can still be used to automate the manual steps of a local CKDS refresh. Refer to Performing a coordinated refresh for more information.

You can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by using these steps. You can refresh the CKDS at any time without disrupting cryptographic functions.

  1. Enter option 2, KDS MANAGEMENT, on the ICSF Primary Menu panel to access the Master Key Management Panel.
  2. When the CSFMKM10 — Key Data Set Management panel appears, select option 1, CKDS MK MANAGEMENT.
  3. When the CSFMKM20 — CKDS Management panel appears, select option 1, CKDS OPERATIONS.
  4. The ICSF CKDS Operations panel will appear. In the CKDS field, specify the name of the disk copy of the CKDS that you want ICSF to read into storage.
    Figure 1. ICSF Initialize a CKDS Panel
     CSFCKD10 ---------------- ICSF - CKDS Operations  ----------------
     COMMAND ===>
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
       2  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'FIRST.EMPTY.CKDS'
     
  5. Choose option 2, REFRESH, and press ENTER. ICSF places the disk copy of the specified CKDS into storage. A REFRESH does not disrupt any applications that are running on ICSF. A message that states that the CKDS was refreshed appears on the right of the top line on the panel.
  6. Press END to return to the Primary Menu panel.