Steps for initializing a CKDS

For information about initializing a CKDS in a sysplex environment, see Running in a Sysplex Environment.

There are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). You can use the following steps to initialize either format of CKDS.

To initialize the CKDS:
  1. Return to the ICSF Primary Menu panel by pressing END from the Master Key Entry panel.
  2. Select option 2, MASTER KEY MGMT, on the ICSF Primary Menu panel.

    The CSFMKM10 — Key Data Set Management panel appears.

    The CSFMKM30 — PKDS Management panel appears.

  3. Select option 1 for CKDS MK Management and the CSFMKM20 — CKDS Management panel will appear.
  4. Select option 1 for CKDS Operations and the CSFCKD10 - CKDS Operations panel will appear.
  5. Select option 1, INIT/REFRESH/UPDATE CKDS, and the Initialize a CKDS panel appears. If AES master keys are supported, a different panel appears (Figure 2).
    Figure 1. ICSF Initialize a CKDS Panel
     CSFCKD10 ---------------- ICSF CKDS Operations  ----------------
     COMMAND ===>
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
       2  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'FIRST.EMPTY.CKDS'
     
    Figure 2. ICSF Initialize a CKDS Panel if AES master keys are supported
     CSFCKD20 ---------------- ICSF - Initialize a CKDS  ----------------
     COMMAND ===>
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS 
       2  REFRESH   -  Activate an updated CKDS
       3  Update an existing CKDS  
       4  Update an existing CKDS and activate master keys
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'FIRST.EMPTY.CKDS'
     
  6. In the CKDS field, enter the name of the empty VSAM data set that was created to use as the disk copy of the CKDS.

    The name you enter can be the same name that is specified in the CKDSN keyword option in the installation options data set. You can also initialize a data set that might serve as a backup. For information about creating a CKDS and specifying the CKDS name in the installation options data set, see z/OS Cryptographic Services ICSF System Programmer's Guide.

  7. Choose option 1, Initialize an empty CKDS, and press ENTER.

    To improve performance, answer N to Record authentication required.

    ICSF creates the header record in the disk copy of the CKDS. Next, ICSF sets the DES or AES master key, if any. ICSF then adds the required system key to the CKDS and refreshes the CKDS. When ICSF completes all these steps, the message INITIALIZATION COMPLETE appears. If you did not enter a master key into the new master key register previously, the message NMK REGISTER NOT FULL appears and the initialization process ends. You must enter a master key into the new master key register to initialize the CKDS.

    Note: If any part of option 1 fails, you must delete the CKDS and start over. If the failure occurs after one of the master keys has been set but before the system key is created, you will need to reset the master key.

When you complete the entire process, a CKDS and zero or more master keys exist on your system. You can now generate keys using functions like the key generate callable service and the key generator utility program (KGUP) or convert PCF keys to ICSF keys using the conversion program. ICSF services use the keys to perform the cryptographic functions you request.