Setting up and maintaining the PKA key data set (PKDS)

Public Key Algorithm (ECC and RSA) public and private keys and trusted blocks can be stored in the PKA key data set (PKDS), a VSAM data set. Applications can use the dynamic PKDS callable services to create, write, read, and delete PKDS records.

There are two formats of the PKDS:

The PKDS may be initialized at ICSF setup. There are internal and external tokens in the PKDS. External tokens may be used irrespective of the asymmetric master keys. Internal tokens, however, can only be used if they are encrypted under the appropriate asymmetric master key.

Besides the in-storage PKDS, there is a copy of the PKDS on disk. Your installation may have several PKDS disk copies, such as backup copies and alternate copies holding different keys. For example, an installation may have a separate PKDS with different keys for each shift. When a certain shift is working, you can load the PKDS for that shift into storage. Then only the keys in the PKDS loaded for that shift can be accessed for ICSF functions. Only one disk copy is read into storage at a time.

Your installation should periodically change the asymmetric master keys. To change the master keys, you enter a new master key value and make that value active.

There are two ways to change the asymmetric master keys. The preferred way to change the master keys is by using the Coordinated PKDS Change MK function. For more information on this function, see Performing a coordinated change master key.

Optionally, the asymmetric master keys can be changed on a single system. To perform a local asymmetric master key change, the PKDS must be reenciphered under the new master keys. You can reencipher a PKDS under a new master key using the options on the ICSF PKDS Master Key Management panel or by using a utility program, CSFPUTIL. If you have multiple PKDS disk copies, reencipher all of them under the new master key after loading the new master key value.

You can program applications to use the PKDS callable services to create entries, change entries, and delete entries in the PKDS. For more information about how to use callable services to update key entries in the PKDS, see z/OS Cryptographic Services ICSF Application Programmer's Guide.

PKDS key management panels support:

If running in a sysplex, see Running in a Sysplex Environment.