ICSF stores the PKCS #11 tokens and token objects in a specialized data set called the token data set (TKDS). ICSF maintains both a disk copy and an in-storage copy of the TKDS. This makes it possible to refresh the PKCS #11 tokens and objects without interrupting the application programs. ICSF provides a sample TKDS allocation job (members CSFTKDS, CSFTKD2) in SYS1.SAMPLIB.
A TKDS is no longer required in order to run PKCS #11 applications. If ICSF is started without a TKDS, however, only the omnipresent token will be available.
Callable services use the in-storage copy of the TKDS. Having the TKDS in storage avoids time-consuming I/O to a data set that is stored on DASD. The dynamic TKDS update callable services permit an application to perform dynamic update of both the disk copy and the in-storage copy of the TKDS.
ICSF supports sysplex-wide consistent updates to the TKDS through the use of Cross-System Coupling Facility (XCF) signalling services and global (that is, sysplex-wide) ENQs. This support maintains the consistency of the in-storage TKDS in a sysplex environment. If a TKDS record is modified by create, update, or delete operations, the DASD version of the TKDS is updated and the ICSF in-storage copy is updated to reflect the new contents of the record for all systems in the ICSF sysplex group.