The Public Key Data Set (PKDS)

RSA and ECC public and private keys can be stored in a VSAM data set that is called the public key data set (PKDS). ICSF maintains the PKDS as an external data set. ICSF provides a sample PKDS allocation job (member CSFPKDS) in SYS1.SAMPLIB. ICSF maintains two copies of the PKDS: a disk copy and an in-storage copy.

You can store public key tokens or both external and internal private key tokens. Applications can use the dynamic PKDS update callable services to create, write, read, and delete PKDS records.
Note: For information on managing and sharing the PKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.
Notes:
  1. There are two formats of the PKDS: the PKDS record format (supported by all releases of ICSF), and the KDSR record format, which is common to all KDS types (supported by HCR77A1 and later releases). KDSR allows ICSF to track key usage if so configured.
  2. ECC support is available in ICSF HCR7780 and later releases. A PKDS with ECC key tokens can be shared with prior levels of ICSF. A reencipher of a PKDS with ECC tokens can be done only on systems that support ECC. If a prior level system attempts to reencipher a PKDS containing ECC tokens, the reencipher fails with a bad token error (12/36112).