ICSF may have an optional record level authentication code that is part of each record in the CKDS. The record level authentication code is used to identify when a record in the CKDS is modified by a program other than ICSF. The record level authentication is enabled when the CKDS is initialized and cannot be changed after the CKDS is initialized. If the CKDS is properly protected using RACF profiles, then unauthorized modification of the CKDS can be prevented.
KGUP detects when ICSF and the CKDS are enabled for record level authentication and performs the necessary processing. When record level authentication is not enabled, KGUP does not perform record level authentication processing.