The Cryptographic Key Data Set (CKDS)

Cryptographic keys that are protected under the DES or AES master key are stored in a VSAM data set that is called the cryptographic key data set (CKDS). ICSF provides sample CKDS allocation jobs (members CSFCKDS, CSFCKD2, and CSFCKD3) in SYS1.SAMPLIB. An installation is not required to define a CKDS. However, when a CKDS is not defined, secure CCA symmetric key functions are not available and ICSF cannot be used to manage CCA symmetric key tokens. The CKDS contains individual entries for each key that is added to it. You can store all types of operational symmetric keys in the CKDS. Each record in the data set contains the key value encrypted under the master key and other information about the key. ICSF maintains two copies of the CKDS: a disk copy and an in-storage copy.

Callable services use the in-storage copy of the CKDS to perform cryptographic functions. For information on managing and sharing the CKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.

Applications can use the dynamic CKDS update callable services to create, write, read, and delete CKDS records.

There are three formats of the CKDS:
  • A fixed-length record format with LRECL=252 (supported by all releases of ICSF). The sample allocation job is CSFCKDS.
  • A variable-length record format with LRECL=1024 (supported by HCR7780 and later releases). The sample allocation job is CSFCKD2.
  • The common record format (KDSR), which is shared by all key data sets, with LRECL=2048 (supported by ICSF FMID HCR77A1 and later). The sample allocation job is CSFCKD3.

You should use the most current format, the common record format (KDSR), for all your key data sets, because the KDSR format supports additional functions for managing cryptographic keys. For information on converting an existing CKDS to KDSR format, see Migrating to the common record format (KDSR) key data set.

If variable-length AES and HMAC keys are to be stored in the CKDS, you must use the variable-length or KDSR format of the CKDS. Both of these formats can store all symmetric key tokens, fixed-length and variable-length alike. The KDSR format also allows ICSF to track key usage when that tracking is configured.