Setting up and maintaining the token data set (TKDS)

Clear and secure PKCS #11 objects can be stored in the token data set (TKDS), a VSAM data set. Applications can use the PKCS #11 callable services to create, write, read, and delete PKCS #11 tokens and objects.

There are two formats of the TKDS:

By default, an empty TKDS is initialized for clear PKCS #11 usage the first time it is used; no manual initialization step is required. To use secure PKCS #11 services, the TKDS must be explicitly initialized from the ICSF TKDS Master Key Management panel. This initialization step may be performed against an empty TKDS or against one that already contains clear objects. Initialization does not alter the existing clear key objects in any way; they remain usable for clear key operations as before.

Your installation should periodically change the PKCS #11 master key. To change the master key, first load a new P11-MK value using a TKE workstation. See Managing Enterprise PKCS #11 Master Keys for more details. Then, make the new master key active by performing a Coordinated TKDS Change MK from the ICSF TKDS Master Key Management panel.

You can program applications to use the PKCS #11 callable services to create PKCS #11 tokens and objects and to perform PKCS #11 cryptographic operations. See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for details.

If running in a sysplex, see Running in a Sysplex Environment.