Entering keys into the PKDS

All ECC and RSA public and private keys and trusted blocks may be stored in the PKA key data set (PKDS).

There are several methods you can use to enter keys into the PKDS:

Callable services
You can use the PKA Key Generate callable service to update a skeleton token in the PKDS with a generated private key token.
Dynamic PKDS update callable services
You can program applications to use the PKDS key record create service to create new entries in the PKDS and the PKDS key record write service to enter key tokens into the PKDS.
Trusted Key Entry (TKE) workstation
RSA and ECC private keys can be imported from the TKE workstation and stored in the PKDS. For more information, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.
Enterprise Key Management Foundation (EKMF)
The Enterprise Key Management Foundation (EKMF) provides online key management to ICSF as well as to IBM cryptographic products on other platforms. EKMF offers centralized key management for CCA symmetric and asymmetric keys and for certificates. EKMF automates the key management process and exchanges and replaces keys and certificates on demand. Also, to assure continuous operation, EKMF maintains backup copies of all critical keys.

For additional information, contact the Crypto Competence Center at ccc@dk.ibm.com or at: https://www-304.ibm.com/jct05001c/dk/security/cccc/.
ICSF PKDS Key Management panels
RSA keys in the PKDS can be managed using the PKDS key management panel utilities.
- You can generate an RSA key which is stored in the PKDS.
- You can delete any key from the PKDS.
- You can create an X.509 certificate to export an RSA public key in the PKDS.
- You can import an RSA public key from an X.509 certificate and store it in the PKDS. For more information, see Using the Utility Panels to Manage Keys in the PKDS.