Keys that are protected under the DES or AES
master key are stored in a VSAM data set that is called the cryptographic
key data set (CKDS). ICSF provides sample CKDS allocation jobs
(members CSFCKDS, CSFCKD2 and CSFCKD3) in SYS1.SAMPLIB. The
CKDS contains individual entries for each key that is added to it.
You can store all types of keys (except master keys and PKA keys)
in the CKDS. Each record in the data set contains the key value encrypted
under the master key and other information about the key. ICSF maintains
two copies of the CKDS: a disk copy and an in-storage copy.
Note:
- There are three formats of the CKDS:
  - A fixed length record format with LRECL=252 (supported by all releases of ICSF). The sample is CSFCKDS.
  - A variable length record format with LRECL=1024 (supported by HCR7780 and later releases). The sample is CSFCKD2.
  - A newer variable length record format with LRECL=2048 (supported by HCR77A1 and later releases). This is referred to as KDSR format. The sample is CSFCKD3.
- Either variable length record format can be used to store all existing symmetric keys and any new variable-length symmetric key tokens. A variable length record format is only required if variable-length AES and HMAC keys are to be stored in the CKDS. KDSR is a variable length record format that supports all the function of the original variable length record format and also allows ICSF to track key usage, if so configured.
- Callable services use the in-storage copy of the CKDS to perform CKDS functions. For information on managing and sharing the CKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.