Steps for enabling and disabling Dynamic CKDS/PKDS access controls

The dynamic KDS access controls are used to disable services that update key data sets. These controls allow the ICSF administrator to prevent the key data sets from being updated while using utilities that change the key data set. It is recommended that the CKDS and PKDS dynamic services be disabled during the local master key change. This is not necessary when using the coordinated change master key procedure.

When the dynamic CKDS access control is disabled, the callable services that update the DASD copy of the CKDS fails. The affected services are CSNBGIM, CSNBKPI, CSNBKPI2, CSNBKRC, CSNBKRC2, CSNBKRD, CSNBKRW, CSNBKRW2, and CSNBRKA.

When the dynamic PKDS access control is disabled, the callable services that update the DASD copy of the PKDS fails. The affected services are CSNDKRC, CSNDKRD, CSNDKRW, CSNDPKG, CSNDPKI, and CSNDRKD.

  1. From the ICSF Primary Menu, select option 4, ADMINCNTL.
    Figure 1. Selecting ADMINCNTL on the ICSF primary menu panel
    HCR77C0 ------------- Integrated Cryptographic Service Facility ---------

OPTION ===>

Enter the number of the desired option.

   1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
   2  KDS MANAGEMENT      -  Master key set or change, KDS processing
   3  OPSTAT              -  Installation options
   4  ADMINCNTL           -  Administrative Control Functions
   5  UTILITY             -  ICSF Utilities
   6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
   7  TKE                 -  TKE PKA Direct Key Load
   8  KGUP                -  Key Generator Utility processes
   9  UDX MGMT            -  Management of User Defined Extensions
  2. The Administrative Control Functions panel appears.
    Figure 2. Selecting ADMINCNTL on the ICSF primary menu panel
     CSFACF00 ------------- ICSF Administrative Control Functions
 COMMAND ===>
          Active CKDS: CSF.CKDS
          Active PKDS: CSF.PKDS
          Active TKDS: CSF.TKDS

To change the status of a control, enter the appropriate character
(E - ENABLE, D - DISABLE) and press ENTER.

         Function                                 STATUS
         --------                                 ------
 .  Dynamic CKDS Access                           ENABLED  
 .  Dynamic PKDS Access                           ENABLED
    Enter the appropriate character and press ENTER.
    • To enable the dynamic CKDS update services control, enter an ‘E’ before the Dynamic CKDS Access function.
    • To disable the dynamic CKDS update services control, enter a ‘D’ before the Dynamic CKDS Access function.
    • To enable the dynamic PKDS update services control, enter an ‘E’ before the Dynamic PKDS Access function.
    • To disable the dynamic PKDS update services control, enter a ‘D’ before the Dynamic PKDS Access function.