Cryptographic Key Data Set (CKDS)

ICSF stores AES, DES, and HMAC keys in a specialized data set called a cryptographic key data set (CKDS). ICSF maintains both a disk copy and an in-storage copy of the CKDS. This makes it possible to refresh the cryptographic keys without interrupting the application programs. ICSF provides a sample CKDS allocation job (members CSFCKDS, CSFCKD2, and CSFCKD3) in SYS1.SAMPLIB. For more information on running in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.

ICSF updates the CKDS at these times:

ICSF allows these operations without interrupting cryptographic functions that are used by application programs.

Figure 1. How the cryptographic key data set is maintained and used


Callable services use the in-storage copy of the CKDS. For example, in Figure 1 applications A, B, and C might make many calls for services that require the CKDS. Having the CKDS in storage avoids time-consuming I/O to a data set that is stored on DASD.

KGUP updates the disk copy rather than the in-storage copy. The ICSF administrator can then use the ICSF panel dialog or a batch job to refresh the in-storage CKDS with the updated disk copy of the CKDS on every system sharing the updated CKDS. Cryptographic functions do not have to stop while KGUP updates the CKDS.

The dynamic CKDS update callable services permit an application to perform dynamic update of both the disk copy and the in-storage copy of the CKDS.