The CKDS key record create callable service checks the syntax of the label provided in the key_label parameter to ensure that it follows the KGUP rules. To bypass label syntax checking, use a preprocessing exit to turn on the bypass parse bit in the Exit Parameter Control Block (EXPB). For more information about preprocessing exits and the EXPB, refer to the z/OS Cryptographic Services ICSF System Programmer’s Guide.

You must use either the CKDS key record create callable service or KGUP to create an initial record in the CKDS prior to using the CKDS key record write service to update the record with a valid key token. Your applications perform better if you use KGUP to create the initial records and REFRESH the entire in-storage copy of the CKDS, rather than using CKDS key record create to create the initial NULL key entries. This is particularly true if you are creating a large number of key records. CKDS key record create adds a record to a portion of the CKDS that is searched sequentially during key retrieval. Using KGUP followed by a REFRESH puts the null key records in the portion of the CKDS that is ordered in key-label/type sequence. A binary search of the key-label/type sequenced part of the CKDS is more efficient than searching the sequentially ordered section.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 245. CKDS record create required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	None.
IBM zSeries 990 IBM zSeries 890	None.
IBM System z9 EC IBM System z9 BC	None.