All instances of a CKDS sysplex cluster (using the same active CKDS) must be IPLed and started in order to perform a coordinated refresh or reencipher operation. The coordinated KDS administration functions will not be queued for processing on inactive sysplex cluster members.

SAF will be invoked to verify the caller is authorized to use this callable service. The CSFCRC resource in the CSFSERV class protects access to this callable service. To access this service, callers will be required to have a UACC of update for the CSFCRC resource.

A coordinated CKDS sysplex cluster wide refresh on the active CKDS requires CKDS updates to be suspended. A refresh of the active CKDS is only required when KGUP or some other utility has altered the CKDS VSAM dataset. Updates must be suspended in this case to allow the in-storage cache of the CKDS VSAM data set to be rebuilt.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 252. Coordinated CKDS administration required hardware

Server	Required cryptographic hardware	Restrictions
IBM zSeries 900	None	This callable service is not supported.
IBM zSeries 990 IBM zSeries 890	None
IBM System z9 EC IBM System z9 BC	None
IBM System z10 EC IBM System z10 BC	None
z196	None