Running in a Sysplex Environment

ICSF is supported in a SYSPLEX environment. The CKDS, PKDS, and TKDS can be shared across systems in a sysplex.

To share a CKDS, PKDS, or TKDS between all systems in the sysplex, specify the data set name on the CKDSN, PKDSN, or TKDSN keyword option and specify either SYSPLEXCKDS(YES), SYSPLEXPKDS(YES), or SYSPLEXTKDS(YES) in your ICSF installation options data set. Failure to specify SYSPLEXCKDS(YES), SYSPLEXPKDS(YES), or SYSPLEXTKDS(YES) when you are sharing a CKDS, PKDS, or TKDS can result in damage to the CKDS, PKDS, or TKDS. For a description of the keywords, see 'Parameters in the installation options data set' in z/OS Cryptographic Services ICSF System Programmer's Guide.

To use a different CKDS, PKDS, or TKDS for a subset of systems in the sysplex, you must choose unique CKDS, PKDS, or TKDS names for each CKDS, PKDS, or TKDS. When running with multiple catalogs within a sysplex, the CKDS, PKDS, and TKDS can be shared only if they are on the same volume. If you have separate CKDS, PKDS, or TKDS for subsets of systems in the sysplex (each subset with its own catalog), you must give the CKDS, PKDS, or TKDS a unique data set name within the sysplex. If you have multiple CKDSs, PKDSs, or TKDSs cataloged in separate catalogs, but with the same data set name, ICSF processing of that KDS can result in loss or damage to the key material in the CKDSs, PKDSs, or TKDSs.

This topic discusses sharing and managing key data sets and managing master keys in a sysplex.