Key material validity dates

Administrators can set start and end validity dates for a key data set record using the KDS Metadata Write service. The end date cannot be set to a date in the past.

If the key validity dates are set for a record, any service attempting to reference the key material checks that the current date and time, in Coordinated Universal Time (UTC), falls within the validity dates. The record becomes active at 00:00 UTC on the start date and becomes inactive at 00:00 UTC on the day after the end date. The system clock is used for this test. If the system clock is set to local time, the time will be 00:00 local time. A key is referenced when it is used to perform a cryptographic operation, or when it is read in such a way that the retrieved token may have been used in a cryptographic operation.

If an application attempts to use an inactive record, an SMF type 82 record is generated and the service request fails.

The key material validity dates are checked before the record archived flag.
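
The activation window and the check order described above can be modeled as follows. This is an added illustration, not ICSF code: the function names, the sample dates, the treatment of an unset date as unbounded, and the result strings are all assumptions made for the example.

```python
from datetime import date, datetime, time, timedelta
from typing import Optional

def window(start: Optional[date], end: Optional[date]):
    """Half-open window: [00:00 on start date, 00:00 on the day after end date).
    Assumption: an unset date leaves that side of the window unbounded."""
    lo = datetime.combine(start, time.min) if start else datetime.min
    hi = datetime.combine(end + timedelta(days=1), time.min) if end else datetime.max
    return lo, hi

def is_active(clock: datetime, start: Optional[date], end: Optional[date]) -> bool:
    """clock is whatever the system clock shows; the test takes it at face value."""
    lo, hi = window(start, end)
    return lo <= clock < hi

def clock_reading(true_utc: datetime, clock_offset_hours: int = 0) -> datetime:
    """System clock value: UTC (offset 0) or local time (non-zero offset)."""
    return true_utc + timedelta(hours=clock_offset_hours)

def first_check_hit(clock: datetime, start, end, archived: bool) -> str:
    """Validity dates are tested before the archived flag. This only reports
    which check is hit first, not how an archived record is then handled."""
    if not is_active(clock, start, end):
        return "inactive"
    if archived:
        return "archived"
    return "ok"

# Constructed sample record: valid 2024-03-01 through 2024-03-31.
START, END = date(2024, 3, 1), date(2024, 3, 31)

if __name__ == "__main__":
    # The end date is inclusive: the record is usable for all of 31 March.
    print(is_active(datetime(2024, 3, 31, 23, 59, 59), START, END))  # True
    print(is_active(datetime(2024, 4, 1, 0, 0, 0), START, END))      # False
    # Clock set to local time five hours behind UTC: at 02:00 UTC on 1 March
    # the clock still shows 29 February, so the record is not yet active.
    shown = clock_reading(datetime(2024, 3, 1, 2, 0), clock_offset_hours=-5)
    print(shown, is_active(shown, START, END))                       # False
    # An expired record that is also archived is reported as inactive.
    print(first_check_hit(datetime(2024, 4, 2), START, END, archived=True))
```

When reviewing SMF type 82 records for failed requests near a start or end date, compare the failure time against the clock setting of the system that served the request.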