Maintaining continuous operations

ICSF provides continuous cryptographic operations. Cryptographic keys stored in a cryptographic key data set (CKDS or PKDS) can be reenciphered under a new master key or updated by using either the key generator utility program or the dynamic CKDS or PKDS update callable services. ICSF performs these updates without disrupting applications in process. With PCF, you need to stop cryptographic functions before changing the master key or updating the CKDS or PKDS. You do not need to stop ICSF or interrupt cryptographic applications before changing the master keys, refreshing the CKDS or PKDS, or dynamically updating either the CKDS or PKDS.

Note: The ability to change the master keys or update the CKDS or PKDS without interruption requires that ICSF be running in noncompatibility mode. That is, you must convert all existing PCF applications to the new callable services. For a description of noncompatibility mode, see Running PCF applications under ICSF.

These features and actions enhance the security of cryptographic functions:

Performing cryptographic calculations and storing master keys within tamper-resistant hardware
Enforcing separation of DES and AES keys
Controlling access to functions and keys through the use of RACF
Generating system management facility (SMF) audit records

ICSF supports a Geographically Dispersed Parallel Sysplex (GDPS) environment by allowing KDS updates on a production system or sysplex to be propagated to another production system or sysplex or to a backup or Disaster Recovery (DR) system or sysplex. For more information about configuring ICSF in a GDPS environment, see z/OS Cryptographic Services ICSF Administrator's Guide.