Performing a Local CKDS Refresh

When you initialize a CKDS for the first time, you can copy the disk copy of the CKDS to create other CKDSs for the system. You can use KGUP to add and update any of the disk copies on your system. You can use the dynamic CKDS update callable services to add or update the disk copy of the current in-storage CKDS. For information about using KGUP, see Managing Cryptographic Keys Using the Key Generator Utility Program. For information on using the dynamic CKDS callable services, refer to the z/OS Cryptographic Services ICSF Application Programmer's Guide.

Note: If you are running either a stand-alone system or a sysplex environment where all ICSF instances are at FMID HCR7790 or later, you may be able to perform a coordinated CKDS refresh. The coordinated CKDS refresh operation simplifies CKDS administration by automating steps from the local CKDS refresh procedure and allowing the refresh to be initiated from a single ICSF instance. Coordinated CKDS refresh is carried out for all ICSF instances in the sysplex that share the same active CKDS. If you are in a single-system environment, coordinated CKDS refresh can still be used to automate the manual steps of a local CKDS refresh. Refer to Performing a coordinated refresh for more information.

You can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by using these steps. You can refresh the CKDS at any time without disrupting cryptographic functions.

Note: Prior to refreshing a CKDS, consider temporarily disallowing dynamic CKDS update services. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
  1. Enter option 2, MASTER KEY, on the ICSF Primary Menu panel to access the Master Key Management Panel.
  2. Enter option 1, for CKDS Master Key Management.
  3. Enter option 1, INIT/REFRESH/UPDATE CKDS, to access the Initialize a CKDS panel, which is shown in Figure 1.
    Figure 1. Selecting the Refresh Option on the ICSF Initialize a CKDS Panel
     CSFCKD10 ---------------- ICSF CKDS Operations  ----------------
     COMMAND ===>
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
       2  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'PIN1.CKDS'
     
  4. In the CKDS field, specify the name of the disk copy of the CKDS that you want ICSF to read into storage.
  5. Choose option 2, REFRESH, and press ENTER.

    ICSF places the disk copy of the specified CKDS into storage. During a REFRESH, ICSF does not load into storage any partial keys, that is, keys for which manual key entry has not yet been completed. A REFRESH does not disrupt any applications that are running on ICSF. A message stating that the CKDS was refreshed appears on the right of the top line on the panel.

    If you have CKDS record authentication enabled, ICSF performs a MAC verification on each record as it reads the CKDS into storage. If a record fails the MAC verification, ICSF sends a message that gives the key label and key type to the z/OS system security console. You can then use either KGUP or the dynamic CKDS update services to delete the record from the CKDS. Any other attempt to access a record that has failed MAC verification results in a return code and reason code that indicate that the MAC is not valid.

  6. Press END to return to the Primary Menu panel.
Note: You can use either a KGUP panel or a utility program, instead of the CKDS panel, to perform a local CKDS refresh. For information about these other methods, see Performing a Local CKDS Refresh with KGUP.
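The behaviour described in step 5, as an added example that is not ICSF code: a small Python model of a local refresh with record authentication enabled. It reads a disk copy into a fresh in-storage copy, skips partial keys, MAC-verifies every record, reports any record whose MAC fails (with its label and type) to a stand-in for the security console, and makes later access to such a record fail with a return/reason code until the record is deleted. The MAC algorithm (HMAC-SHA256 under a constructed key), the record layout, the return and reason code values, and the sample records are all assumptions made for illustration; they are not ICSF's.

```python
"""Simplified model of a local CKDS refresh with record authentication.

Added example, not ICSF code. Key, record layout, MAC algorithm and
return/reason codes are constructed stand-ins for the real ones.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the key ICSF authenticates CKDS records under.
RECORD_AUTH_KEY = b"example-record-authentication-key"

# Hypothetical (return code, reason code) pairs; real ICSF values differ.
RC_OK = (0, 0)
RC_KEY_NOT_FOUND = (8, 1)
RC_MAC_INVALID = (8, 2)


@dataclass(frozen=True)
class CkdsRecord:
    label: str
    key_type: str
    key_material: bytes
    partial: bool   # True while manual key-part entry is still incomplete
    mac: bytes      # MAC stored with the record on the disk copy


def record_mac(label: str, key_type: str, key_material: bytes) -> bytes:
    """MAC over label, type and key material (assumed record layout)."""
    msg = (label.encode("ascii").ljust(64, b" ")
           + key_type.encode("ascii").ljust(8, b" ")
           + key_material)
    return hmac.new(RECORD_AUTH_KEY, msg, hashlib.sha256).digest()


def make_record(label, key_type, key_material, partial=False) -> CkdsRecord:
    return CkdsRecord(label, key_type, key_material, partial,
                      record_mac(label, key_type, key_material))


@dataclass
class InStorageCkds:
    records: dict = field(default_factory=dict)     # label -> CkdsRecord
    failed_mac: set = field(default_factory=set)    # labels flagged at refresh
    console: list = field(default_factory=list)     # stand-in security console


def refresh(disk_copy, record_auth=True) -> InStorageCkds:
    """Build a new in-storage copy from a disk copy; the caller swaps it in."""
    new = InStorageCkds()
    for rec in disk_copy:
        if rec.partial:
            continue  # partial keys are never loaded by REFRESH
        new.records[rec.label] = rec
        expected = record_mac(rec.label, rec.key_type, rec.key_material)
        if record_auth and not hmac.compare_digest(rec.mac, expected):
            new.failed_mac.add(rec.label)
            new.console.append(
                f"CKDS record failed MAC verification: "
                f"label={rec.label} type={rec.key_type}")
    return new


def read_key(ckds: InStorageCkds, label: str):
    """What a callable service would see when it touches a record."""
    if label not in ckds.records:
        return RC_KEY_NOT_FOUND, None
    if label in ckds.failed_mac:
        return RC_MAC_INVALID, None   # record present but unusable
    return RC_OK, ckds.records[label]


def delete_record(ckds: InStorageCkds, label: str) -> bool:
    """Models the KGUP / dynamic-update delete of a bad record."""
    removed = ckds.records.pop(label, None) is not None
    ckds.failed_mac.discard(label)
    return removed


def build_sample_disk_copy():
    """Constructed disk copy: one good, one partial, one tampered record."""
    good = make_record("PAYROLL.DATA.KEY", "DATA", bytes(range(16)))
    partial = make_record("IMPORT.KEK.PART", "IMPORTER", bytes(16), partial=True)
    original = make_record("BATCH.MAC.KEY", "MAC", b"\x11" * 16)
    # Key material altered after the MAC was computed: the MAC no longer matches.
    tampered = CkdsRecord(original.label, original.key_type,
                          b"\x22" * 16, False, original.mac)
    return [good, partial, tampered]


if __name__ == "__main__":
    active = refresh(build_sample_disk_copy())   # single-reference swap point
    for line in active.console:
        print(line)
    print(read_key(active, "BATCH.MAC.KEY")[0])
```

The refresh builds the whole new in-storage copy before the caller replaces the active reference, which is why running applications are not disrupted: they keep using the old copy until the swap and the new copy afterwards. A tampered record is still loaded, but every access to it fails with the MAC-invalid code until an administrator deletes it, mirroring the message-then-delete flow in step 5.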