Setting up and maintaining the cryptographic key data set (CKDS)

The cryptographic key data set (CKDS) stores operational DES, AES, and HMAC keys of all types. It contains an entry for each key.

There are three formats of the CKDS:

If you have no coprocessor, you can initialize the CKDS for use with clear AES and DES data keys. This CKDS cannot be used on a system with cryptographic coprocessors.

Before you generate keys to store in the CKDS, you must define a DES or AES master key on your system. Defining a master key means entering its value and then setting it, which makes it active on the system; you set the master key when you initialize the CKDS. For information about entering and setting the master key and initializing the CKDS, see Managing CCA Master Keys.

DES keys stored in the CKDS are encrypted under the appropriate variants of the DES master key, except for clear-key data-encrypting keys. AES keys stored in the CKDS are encrypted under the AES master key, and so are HMAC keys. An encrypted key in the CKDS cannot be overwritten by a key that is encrypted under a different master key: DES replaces DES, AES replaces AES, and HMAC replaces HMAC. The same rule applies to clear keys: a DES clear key can overwrite only a DES key, an AES clear key only an AES key, and an HMAC clear key only an HMAC key.

Once you define a master key, you generate keys and store them in the CKDS. You use KGUP to generate keys and change key values and other information for a key entry in the CKDS. For more information about running KGUP, see Managing Cryptographic Keys Using the Key Generator Utility Program. You can also program applications to use callable services to generate keys and change key information in the CKDS. For more information about how to use callable services to update key entries in the CKDS, see z/OS Cryptographic Services ICSF Application Programmer's Guide.

You can load key parts for all operational keys on the coprocessors using the TKE workstation. To load the accumulated key into the CKDS, you must use the ICSF Operational Key Load panel or KGUP. For more information, refer to the z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

When you initialize ICSF, the system obtains space in storage for the CKDS. For more information about initializing space for the CKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.

Besides the in-storage CKDS, there is a copy of the CKDS on disk. Your installation may have many disk copies of the CKDS, including backup copies and copies that hold different keys. For example, an installation may keep a separate CKDS with different keys for each shift. When a shift is working, you load that shift's CKDS into storage, and only the keys in the CKDS loaded for that shift can then be used by ICSF functions. Only one disk copy is read into storage at a time.

You use KGUP to make changes to any disk copy of the CKDS. When you use KGUP to generate and maintain keys, or to enter keys directly, you change only the disk copy of the CKDS. Therefore, you can change keys in the disk copy without disturbing ICSF functions that are using the keys in the in-storage copy. To make the changes in the disk copy active, you replace the in-storage CKDS with it using the refresh utility. When you use the dynamic CKDS update callable services to change entries in the CKDS, you change both the in-storage copy and the disk copy at once, so the new keys can be used immediately without an intervening refresh of the entire CKDS. Figure 1 shows that ICSF callable services use the keys in the in-storage copy of the CKDS.

Figure 1. Updating the in-storage copy and the disk copy of the CKDS

You specify the name of the disk copy of the CKDS when you run KGUP. You can also read any disk copy of the CKDS into storage by specifying its name on the Refresh In-Storage CKDS panel, or by running a utility program that reads a disk copy into storage. In either case the disk copy must be enciphered under the correct master key, so all of your disk copies of the CKDS should be enciphered under the same master key.

Your installation should periodically change the symmetric master keys (DES and AES). To change a master key, you enter a new master key value and make that value active. The keys in a CKDS must then be enciphered under the new master keys. Therefore, before the new master keys can be made active, the CKDS must be reenciphered from under the current master keys to under the new master keys.

There are two ways to change the symmetric master keys. The preferred way to perform a master key change is by using the Coordinated CKDS Change MK function. This function is described in Performing a coordinated change master key.

Alternatively, the symmetric master keys can be changed on a single system. To perform a local symmetric change master key, first reencipher the disk copy of the CKDS under the new master keys. Then activate the new master keys using the change master key option. This option automatically replaces the old in-storage CKDS with the disk copy that is reenciphered under the new master keys. If you have multiple CKDS disk copies, reencipher all of them under the new master keys before changing the master key; a disk copy left enciphered under the old master keys can no longer be refreshed into storage once the change is made.

The local symmetric change master key process can be performed either with the options on the ICSF CKDS Master Key Management panels or with the utility program CSFEUTIL.

Note: When you perform any function that affects the in-storage copy of the CKDS, you should consider temporarily disallowing the dynamic CKDS update services; otherwise an update made through those services while the in-storage copy is being replaced can be lost. Functions that affect the in-storage copy of the CKDS include changing the master key, reenciphering, and refreshing. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
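The following Python model is added here as an illustration; it is not ICSF code and is not part of this document. It ties together the disk-copy versus in-storage behaviour described above, the local change master key procedure (reencipher every disk copy, then change the master key), and the note about disallowing dynamic CKDS updates during that work. The master key verification pattern, the key wrapping (an HMAC-derived XOR stream), the class and method names, and the data set names CSF.CKDS and CSF.CKDS.NEWMK are all constructed stand-ins, not ICSF's record format or CCA key wrapping. The scenario lets a dynamic update land between the reencipher and the change and shows what happens to it.

```python
# Constructed model of the CKDS lifecycle; names, layout and wrapping are
# stand-ins for ICSF/CCA, not the real record format or wrapping scheme.
import copy
import hashlib
import hmac
from dataclasses import dataclass, field


def mkvp(mks: dict) -> bytes:
    """Modeled master key verification pattern for a DES/AES master key pair."""
    return hashlib.sha256(b"MKVP|" + mks["DES"] + b"|" + mks["AES"]).digest()[:8]


def wrap(mks: dict, ktype: str, label: str, key: bytes) -> bytes:
    """Stand-in for CCA wrapping: XOR with an HMAC keystream from the master key
    that owns this key type (HMAC keys go under the AES master key).
    XOR is self-inverse, so the same call also unwraps."""
    mk = mks["AES" if ktype in ("AES", "HMAC") else "DES"]
    stream = hmac.new(mk, f"{ktype}|{label}".encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


@dataclass
class Record:
    ktype: str  # "DES", "AES" or "HMAC"
    wrapped: bytes


@dataclass
class DiskCKDS:
    """A disk copy of the CKDS; the header records the MKVP it is enciphered under."""
    name: str
    header_mkvp: bytes
    records: dict = field(default_factory=dict)

    def store(self, label, ktype, key, mks):
        if mkvp(mks) != self.header_mkvp:
            raise ValueError(f"{self.name}: not enciphered under these master keys")
        old = self.records.get(label)
        if old and old.ktype != ktype:  # DES replaces DES, AES replaces AES, ...
            raise ValueError(f"{label}: only a {old.ktype} key may replace a {old.ktype} key")
        self.records[label] = Record(ktype, wrap(mks, ktype, label, key))


class ICSF:
    def __init__(self, mks, disk):
        self.mks = mks
        self.dynamic_updates_allowed = True
        self.refresh(disk)

    def refresh(self, disk):
        """Refresh In-Storage CKDS: the disk copy must match the active master keys."""
        if disk.header_mkvp != mkvp(self.mks):
            raise ValueError(f"{disk.name} is not enciphered under the active master keys")
        self.in_storage = copy.deepcopy(disk)
        self.loaded_from = disk

    def dynamic_update(self, label, ktype, key):
        """Dynamic CKDS update service: writes the in-storage copy AND the disk copy."""
        if not self.dynamic_updates_allowed:
            raise PermissionError("dynamic CKDS update services are disallowed")
        self.in_storage.store(label, ktype, key, self.mks)
        self.loaded_from.store(label, ktype, key, self.mks)

    def use_key(self, label):
        rec = self.in_storage.records[label]
        return wrap(self.mks, rec.ktype, label, rec.wrapped)

    @staticmethod
    def reencipher(disk, old_mks, new_mks, new_name):
        """Reencipher a disk copy from the old master keys to the new ones."""
        out = DiskCKDS(new_name, mkvp(new_mks))
        for label, rec in disk.records.items():
            clear = wrap(old_mks, rec.ktype, label, rec.wrapped)
            out.records[label] = Record(rec.ktype, wrap(new_mks, rec.ktype, label, clear))
        return out

    def change_master_key(self, reenciphered, new_mks):
        """Change master key: activate the new keys and swap in the reenciphered copy."""
        if reenciphered.header_mkvp != mkvp(new_mks):
            raise ValueError("CKDS was not reenciphered under the new master keys")
        self.mks = new_mks
        self.refresh(reenciphered)


def local_change_mk(disallow_dynamic: bool) -> dict:
    """Reencipher, then change master key, with a dynamic update arriving in between."""
    old = {"DES": b"\x11" * 24, "AES": b"\x22" * 32}   # constructed master keys
    new = {"DES": b"\x33" * 24, "AES": b"\x44" * 32}
    disk = DiskCKDS("CSF.CKDS", mkvp(old))
    disk.store("APP.DATA.KEY", "AES", b"k" * 32, old)   # KGUP: disk copy only
    icsf = ICSF(old, disk)                                # refresh into storage
    reenc = ICSF.reencipher(disk, old, new, "CSF.CKDS.NEWMK")
    icsf.dynamic_updates_allowed = not disallow_dynamic
    try:
        icsf.dynamic_update("APP.MAC.KEY", "HMAC", b"m" * 32)
        racing = "accepted"
    except PermissionError:
        racing = "rejected"
    icsf.change_master_key(reenc, new)
    try:
        icsf.refresh(disk)            # the copy that stayed under the old keys
        old_copy_refreshable = True
    except ValueError:
        old_copy_refreshable = False
    return {
        "racing_update": racing,
        "mac_key_in_storage": "APP.MAC.KEY" in icsf.in_storage.records,
        "data_key_usable": icsf.use_key("APP.DATA.KEY") == b"k" * 32,
        "old_copy_refreshable": old_copy_refreshable,
    }
```

local_change_mk(False) reports the racing update as accepted, yet mac_key_in_storage is False: the service returned success, but the key went into a copy that the change master key then discarded, and that copy can no longer be refreshed because its header no longer matches the active master keys. With local_change_mk(True) the update is refused up front, and the key can be added with KGUP against the reenciphered copy after the change. In both cases the key that was reenciphered stays usable.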

If running in a sysplex, see Running in a Sysplex Environment.