There are three formats of the CKDS: a fixed length record format (supported by all releases of ICSF), a variable length record format (supported by HCR7780 and later releases), and KDSR record format which is common to all KDS types (supported by HCR77A1 and later releases). The variable length record format is only required if AES or HMAC variable-length key tokens are to be stored in the CKDS. The variable length record format can be used to store all existing symmetric keys and the AES and HMAC variable-length key tokens. KDSR is a variable length record format and supports all the function of the original variable length record format and also allows ICSF to track key usage if so configured.
| Offset (Dec) | Number of Bytes | Field Name | Description |
|---|---|---|---|
| 0 | 72 | Constant | The field is set to binary zeros and is not used for the header record. |
| 72 | 8 | Creation date | The date the CKDS was initialized in the format yyyymmdd. |
| 80 | 8 | Creation time | The initial time the CKDS was created in the format hhmmssth. |
| 88 | 8 | Last update date | The most recent date the CKDS was updated, in the format yyyymmdd. |
| 96 | 8 | Last update time | The most recent time the CKDS was updated, in the format hhmmssth. |
| 104 | 2 | Sequence number | Initially zero in binary. Incremented each time the data set is processed, unless HDRDATE(NO) is specified in the ICSF options dataset. |
| 106 | 2 | CKDS header flag bytes | Flag bytes.
Note: After the bits are set on, the given values
remain constant in ICSF.
|
| 108 | 8 | DES master key verification pattern | The system DES master key verification pattern. |
| 116 | 8 | Reserved | |
| 124 | 8 | AES master key verification pattern. | The AES master key verification pattern. |
| 132 | 4 | Record length | Length of the record in bytes. X'00000000' for fixed length record format. X'000000FC' for either variable length record format or KDSR record format. |
| 136 | 1 | Record version | Version number of the CKDS in binary. Set to X'00' for fixed length record format or variable length record format. Set to X'02' or greater for KDSR record format. |
| 137 | 59 | Reserved | |
| 196 | 52 | Installation data | Installation data associated with the CKDS record, as supplied by an installation exit. |
| 248 | 4 | Authentication code | The code generated by the authentication process that ensures that the CKDS record has not been modified since the last update. The authentication code is placed in the CKDS header record when the CKDS is initialized. ICSF verifies the CKDS header record authentication code whenever a CKDS is reenciphered, refreshed, or converted from PCF to ICSF format.This field is not used when the record level authentication flag is set in the CKDS header flag bytes field of the CKDS header record. |
| Offset (Dec) | Number of Bytes | Field Name | Description |
|---|---|---|---|
| 0 | 64 | Key label | The key label specified by the KGUP control statement or Clear Key Input panel when the record was created. When using KGUP and the callable services, you can specify the label to identify the record. The key label is the first field of the key index. |
| 64 | 8 | Key type | The type of key the record contains. The master key variant for the key type enciphers the key. A KGUP control statement or Clear Key Input panel specifies the key type when the record is created. The key type is the second field of the key index. |
| 72 | 8 | Creation date | The initial date the CKDS record was created in the format yyyymmdd. |
| 80 | 8 | Creation time | The initial time the CKDS record was created in the format hhmmssth. |
| 88 | 8 | Last update date | The most recent date the CKDS record was updated in the format yyyymmdd. |
| 96 | 8 | Last update time | The most recent time the CKDS record was updated in the format hhmmssth. |
| 104 | 64 | Key token | The internal key token. A key token contains the key value. Refer to DES internal key token for the format of the internal key token. |
| 168 | 2 | CKDS flag bytes | Flag bytes.
Note: When bit 0 is off, the key within the key token
field (offset 104) is an entire key.
|
| 170 | 26 | Reserved | Reserved. |
| 196 | 52 | Installation data | Installation data associated with the CKDS record as supplied by an installation exit. |
| 248 | 4 | Authentication code | The code generated by the authentication process that ensures the CKDS record has not been modified since the last update. The authentication code is placed in the CKDS record when the record is created. When you refresh, reencipher, or convert a CKDS, ICSF verifies each CKDS record as ICSF performs the action. This field is not used when the record level authentication flag is set in the CKDS header flag bytes field of the CKDS header record. |
The following table presents the format of each variable-length data set record.
| Offset (Dec) | Number of Bytes | Field Name | Description |
|---|---|---|---|
| 0 | 64 | Key label | The label or name of this CKDS record. The key label is the first field of the key index. |
| 64 | 8 | Key type | The type of key the record contains. The key type is the second field of the key index. |
| 72 | 8 | Creation date | The initial date the CKDS record was created in the format yyyymmdd. |
| 80 | 8 | Creation time | The initial time the CKDS record was created in the format hhmmssth. |
| 88 | 8 | Last update date | The most recent date the CKDS record was updated in the format yyyymmdd. |
| 96 | 8 | Last update time | The most recent time the CKDS record was updated in the format hhmmssth. |
| 104 | 4 | Record length | Length of the entire record including the key token. |
| 108 | 60 | Reserved. | |
| 168 | 2 | CKDS flag bytes | Flag bytes.
Note: When bit 0 is off, the key within the key token
field (offset 104) is an entire key.
|
| 170 | 26 | Reserved. | |
| 196 | 52 | Installation data | |
| 248 | 20 | Authentication code | The record authentication code. |
| 268 | variable | Key token | The key token. |