TKDS

There are two formats of the TKDS: original and KDSR. Both formats use the same LRECL. The KDSR format provides support for metadata for each record including tracking usage of the record. To convert the original format TKDS to common record (KDSR) format, see Migrating to the common record format (KDSR) key data set.

For secure PKCS #11 support (either Enterprise PKCS #11 or regional cryptographic services), the TKDS must be initialized with the appropriate master key. This is the PKCS #11 master key (P11-MK) for Enterprise PKCS #11 services or the regional cryptographic services master key (RCS-MK) for regional cryptographic services. For P11-MK, support to INITIALIZE TKDS and UPDATE TKDS is available in the Master Key Management Panels. For RCS-MK, TKDS initialization implicitly happens the first time a regional cryptographic server is connected.

For information on managing and sharing the TKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.

Access authorization of the new callable services will be determined via SAF calls. No support will be provided for invocation of an installation security exit for these new services. The CSFSERV class controls access to the ICSF PKCS #11 callable services.
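The following RACF commands are an added example, not part of the original documentation, showing one way to put the PKCS #11 callable services behind a deny-by-default CSFSERV profile. They assume RACF is the SAF security product, that the PKCS #11 service resources share the CSF1 prefix (for example, CSF1TRC for token record create), and that P11USERS is a hypothetical group of authorized callers.

```tso
/* Added example. P11USERS is a hypothetical group name.            */
/* Assumption: PKCS #11 service resources in CSFSERV start with CSF1 */

/* Activate the class, allow generic profiles, keep it in storage.  */
SETROPTS CLASSACT(CSFSERV) GENERIC(CSFSERV) RACLIST(CSFSERV)

/* Deny by default and log failed access attempts.                  */
RDEFINE CSFSERV CSF1* UACC(NONE) AUDIT(FAILURES(READ))

/* Grant READ only to the group that needs to call the services.    */
PERMIT CSF1* CLASS(CSFSERV) ID(P11USERS) ACCESS(READ)

/* Make the new profile and access list take effect.                */
SETROPTS RACLIST(CSFSERV) REFRESH

/* Verify the resulting access list.                                */
RLIST CSFSERV CSF1* AUTHUSER
```

Because no installation security exit is invoked for these services, the SAF profiles are the only access check in this path, so review the RLIST output for unexpected entries after each change.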