When you initialize a CKDS for the first time, you can copy the disk copy of the CKDS to create other CKDSs for the system. You can use KGUP to add and update any of the disk copies on your system. You can use the dynamic CKDS update callable services to add or update the disk copy of the current in-storage CKDS. For information about using KGUP, see Managing Cryptographic Keys Using the Key Generator Utility Program. For information on using the dynamic CKDS callable services, refer to the z/OS Cryptographic Services ICSF Application Programmer's Guide.
You can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by using these steps. You can refresh the CKDS at any time without disrupting cryptographic functions.
CSFCKD10 ---------------- ICSF CKDS Operations ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS (creates the header and system keys)
2 REFRESH - Activate an updated CKDS
Enter the name of the CKDS below.
CKDS ===> 'PIN1.CKDS'
ICSF places the disk copy of the specified CKDS into storage. During a REFRESH, ICSF does not load into storage any partial keys that may exist when you enter keys manually. A REFRESH does not disrupt any applications that are running on ICSF. A message that states that the CKDS was refreshed appears on the right of the top line on the panel.
If you have CKDS record authentication enabled, ICSF performs a MAC verification on each record in the CKDS when it reads the CKDS into storage. If a record fails the MAC verification, ICSF sends a message that gives the key label and type to the z/OS system security console. You can then use either KGUP or the dynamic CKDS update services to delete the record from the CKDS. Any other attempt to access a record that has failed MAC verification results in a return code and reason code that indicate that the MAC is not valid.
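The following Python model of the refresh behavior described above is an added example, not ICSF code. It assumes HMAC-SHA-256 as a stand-in for the ICSF record MAC; the record layout, key labels, class and function names are all constructed for illustration.

```python
import hashlib
import hmac

MAC_KEY = b"constructed-demo-key"  # assumption: stands in for ICSF's record MAC key

class MacNotValid(Exception):
    """Models the return/reason code saying the record MAC is not valid."""

def record_mac(label, key_type, value):
    # Assumption: HMAC-SHA-256 over length-prefixed fields, not ICSF's real MAC.
    parts = (label.encode(), key_type.encode(), value)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def make_record(label, key_type, value, partial=False):
    return {"label": label, "type": key_type, "value": value,
            "partial": partial, "mac": record_mac(label, key_type, value)}

class InStorageCkds:
    def __init__(self):
        self.records = {}   # (label, type) -> record plus mac_ok flag
        self.console = []   # models messages sent to the security console

    def refresh(self, disk_copy, record_auth=True):
        loaded, failed = {}, []
        for rec in disk_copy:
            if rec["partial"]:
                continue    # partial keys from manual entry are not loaded
            expected = record_mac(rec["label"], rec["type"], rec["value"])
            ok = not record_auth or hmac.compare_digest(rec["mac"], expected)
            if not ok:
                failed.append((rec["label"], rec["type"]))
            loaded[(rec["label"], rec["type"])] = dict(rec, mac_ok=ok)
        self.records = loaded   # one swap, so readers never see a half-loaded copy
        self.console += [f"MAC verification failed: {l} {t}" for l, t in failed]
        return failed

    def read(self, label, key_type):
        rec = self.records[(label, key_type)]
        if not rec["mac_ok"]:
            raise MacNotValid(f"{label} {key_type}")
        return rec["value"]

    def delete(self, label, key_type):
        del self.records[(label, key_type)]   # deletion stays possible after a MAC failure

def constructed_disk_copy():
    good = make_record("PIN.KEY.A", "PINGEN", b"\x11" * 16)
    bad = make_record("PIN.KEY.B", "PINVER", b"\x22" * 16)
    bad["value"] = b"\x23" * 16            # altered after the MAC was computed
    part = make_record("PIN.KEY.C", "EXPORTER", b"\x33" * 8, partial=True)
    return [good, bad, part]
```

In this model, a refresh of the constructed disk copy reports only PIN.KEY.B to the console list, reads of that record raise MacNotValid until it is deleted, and the partial record never reaches storage.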