You can use either KGUP, the dynamic CKDS update services, or Enterprise Key Management Foundation (EKMF) to generate and enter keys into the CKDS or to maintain keys already existing in the CKDS. The keys are stored in records. A record exists for each key that is stored in the CKDS.
A record in the CKDS is called a key entry and has a label associated with it. When you call some ICSF callable services, you specify a key label as a parameter to identify the key for the callable service to use.
Use KGUP to change the key value of an entry, rename entry labels, and delete entries in the CKDS. For more information about how to use KGUP to update key entries in the CKDS, see Managing Cryptographic Keys Using the Key Generator Utility Program.
Use the dynamic CKDS update services in applications to create entries, change the key value of an entry, and delete entries in the CKDS.
You can use SAF to control which applications can use specific keys and services. For more information, see System authorization facility (SAF) controls.
One or more resource profiles in the XFACILIT class define your Key Store Policy. A Key Store Policy consists of a number of controls that collectively determine how encrypted key tokens defined in the CKDS can be accessed and used.