For information about initializing a CKDS in a sysplex environment, see Running in a Sysplex Environment.
There are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). You can use the following steps to initialize either format of CKDS.
The CSFMKM10 — Key Data Set Management panel appears.
The CSFMKM30 — PKDS Management panel appears.
CSFCKD10 ---------------- ICSF CKDS Operations ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS (creates the header and system keys)
2 REFRESH - Activate an updated CKDS
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
COMMAND ===>
Enter the number of the desired option.
1 Initialize an empty CKDS
2 REFRESH - Activate an updated CKDS
3 Update an existing CKDS
4 Update an existing CKDS and activate master keys
Enter the name of the CKDS below.
CKDS ===> 'FIRST.EMPTY.CKDS'
The name you enter can be the same name that is specified in the CKDSN keyword option in the installation options data set. You can also initialize a data set that might serve as a backup. For information about creating a CKDS and specifying the CKDS name in the installation options data set, see z/OS Cryptographic Services ICSF System Programmer's Guide.
To improve performance, answer N to the "Record authentication required" prompt.
ICSF creates the header record in the disk copy of the CKDS. Next, ICSF sets the DES or AES master key, if any. ICSF then adds the required system key to the CKDS and refreshes the CKDS. When ICSF completes all these steps, the message INITIALIZATION COMPLETE appears. If you did not enter a master key into the new master key register previously, the message NMK REGISTER NOT FULL appears and the initialization process ends. You must enter a master key into the new master key register to initialize the CKDS.
When you complete the entire process, a CKDS and zero or more master keys exist on your system. You can now generate keys using functions like the key generate callable service and the key generator utility program (KGUP) or convert PCF keys to ICSF keys using the conversion program. ICSF services use the keys to perform the cryptographic functions you request.