z/OS Security Server RACF Security Administrator's Guide


ICSF considerations for keys in the PKA key data set (PKDS)

SA23-2289-00

Integrated Cryptographic Service Facility (ICSF) is a software element of z/OS that provides the application programming interfaces to the cryptographic hardware. ICSF provides hardware protection for the storage of the private keys associated with digital certificates and is a more secure solution than non-ICSF private key management. ICSF ensures that the private keys are encrypted under the ICSF master key and stored in the ICSF PKA key data set (PKDS). ICSF controls access to the private keys through the use of RACF® general resources in the CSFKEYS and CSFSERV classes. In addition, operational performance is improved because ICSF utilizes a hardware cryptographic coprocessor.

If ICSF is implemented at your installation, you can use it to store private keys by specifying the PKDS, PCICC, or ICSF option of the ADD, GENCERT and REKEY functions of the RACDCERT command. You can also use ICSF to generate private keys using the same options. ICSF supports generation and storage of RSA and ECC key types.

You can migrate a non-ICSF private key to the ICSF PKDS by issuing the RACDCERT ADD command function with certain options and specifying the name of the data set that contains the existing certificate. If the certificate data set is no longer available, you can recreate it using the RACDCERT EXPORT command.

For details about using the RACDCERT command, see z/OS Security Server RACF Command Language Reference.





Copyright IBM Corporation 1990, 2014