ICSF provides continuous cryptographic operations. Cryptographic keys stored in a cryptographic key data set (CKDS or PKDS) can be reenciphered under a new master key or updated by using either the key generator utility program or the dynamic CKDS or PKDS update callable services. ICSF performs these updates without disrupting applications in process. With PCF, you need to stop cryptographic functions before changing the master key or updating the CKDS or PKDS. By contrast, you do not need to stop ICSF or interrupt cryptographic applications before changing the master keys, refreshing the CKDS or PKDS, or dynamically updating either the CKDS or PKDS.

Note: The ability to change the master keys or update the CKDS or PKDS without interruption requires that ICSF be running in noncompatibility mode. That is, you must convert all existing PCF applications to the new callable services. For a description of noncompatibility mode, see Running PCF applications under ICSF.

These features and actions enhance the security of cryptographic functions:
- Performing cryptographic calculations and storing master keys within tamper-resistant hardware
- Enforcing separation of DES and AES keys
- Controlling access to functions and keys through the use of RACF
- Generating system management facility (SMF) audit records