CKDS management in a sysplex

ICSF instances may share the same active CKDS across multiple LPARs on the same system, or across LPARs on different zSeries Processors. All ICSF instances sharing the same active CKDS must have the same DES and, if applicable, AES master key installed.

It is not required that all ICSF instances share their active CKDS across a sysplex. It is also not required that all ICSF instances in a sysplex be configured with the same active CKDS. Each system may have its own Master Key or Keys and its own active CKDS. A sysplex may have a combination of ICSF instances that share their active CKDS and ICSF instances that do not share their active CKDS.

In a sysplex environment, a set of ICSF instances all sharing the same active CKDS can be described as a CKDS sysplex cluster. Other ICSF instances configured with different active CKDSs can join the same sysplex group to create multiple CKDS sysplex clusters.

It is not required for each ICSF instances sharing the same active CKDS to be configured with the same DOMAIN. Cryptographic Coprocessor DOMAINs may be split up across LPARs all sharing the same active CKDS.

When sharing the CKDS, a few precautions should be observed:

Dynamic CKDS services update the DASD copy of the active CKDS and the in-storage copy on the system where it is run. The SYSPLEXCKDS option in the ICSF installation options data set provides consistent sysplex-wide update of the DASD copy of the active CKDS and the in-storage copies of the active CKDS for all members of the sysplex sharing the same active CKDS. If SYSPLEXCKDS(YES,FAIL(xxx)) is specified in the installation options data set, sysplex messages will be issued to sysplex members configured with the same active CKDS. The messages will inform them of the CKDS update and request them to update their in-storage CKDS copy. If SYSPLEXCKDS(NO,FAIL(xxx)) is specified in the installation options data set, sysplex messages will not be sent to sysplex members for CKDS updates. When configured this way, either a coordinated refresh or a local refresh must be performed to load the updates into ICSF's in-storage copy of the CKDS. To perform a coordinated CKDS refresh, refer to Performing a coordinated refresh. To perform a local CKDS refresh on each ICSF instance configured with the affected CKDS, refer to Performing a Local CKDS Refresh or Using the ICSF Utility Program CSFEUTIL.
If multiple sysplexes share a CKDS, or if a sysplex and other non-sysplex systems share a CKDS, there is no provision for automatic update of the in-storage copies of the CKDS on the systems that are not in the same sysplex as the system initiating the CKDS update. When configured this way, either a coordinated CKDS refresh or a local CKDS refresh will be required on the systems that are sharing the same active CKDS but are not in the same sysplex as the initiating system in order to update the in-storage copy on each system. To perform a coordinated CKDS refresh, see Performing a coordinated refresh. To perform a local CKDS refresh on each ICSF instance configured with the affected CKDS, see Performing a Local CKDS Refresh in Managing CCA Master Keys depending on your coprocessor type. Optionally, you may use CSFEUTIL to perform a local CKDS refresh, see Using the ICSF Utility Program CSFEUTIL for more information.
If KGUP is used to update the active CKDS, the update is only made to the DASD copy of the CKDS. Either a coordinated CKDS refresh or a local CKDS refresh must be performed to load the updates into ICSF's in-storage copy of the CKDS. To perform a coordinated CKDS refresh, see Performing a coordinated refresh. To perform a local CKDS refresh on each ICSF instance configured with the affected CKDS, see Performing a Local CKDS Refresh in Managing CCA Master Keys depending on your coprocessor type. Optionally, you may use CSFEUTIL to perform a local CKDS refresh, see Using the ICSF Utility Program CSFEUTIL for more information.
Starting with release HCR7780, there are three formats of the CKDS:
- Fixed-length record (supported by all releases of ICSF).
- Variable-length record (supported by HCR7780 and later releases).
- KDSR record (supported by HCR77A1 and later releases).
The variable-length record format can be shared only by systems running ICSF HCR7780 or later. The KDSR record format can be shared only by systems running ICSF HCR77A1 or later.