ICSF system resource planning for the TKDS and session object memory areas
Like the CKDS and PKDS, ICSF manages a mirror copy of the TKDS data set in protected, private
virtual storage to optimize cryptographic workload access to persistent PKCS #11 objects (keys,
certificates, and so on). Also, like the CKDS and PKDS, the in-storage TKDS copy must be
accommodated with sufficient system central storage and auxiliary paging space resources.

Unfortunately, the variable-length nature of PKCS #11 objects makes resource estimation for the TKDS
difficult. The best way to estimate the virtual storage requirement for an existing, stable TKDS
(one that is not experiencing significant dynamic PKCS #11 object creation or deletion activity) is
to determine the actual size of the used DATA portion of the TKDS and multiply this by 3. The
following formula is provided to help you calculate the required system virtual storage backing
resource for an active in-storage TKDS. In this formula HI-A-RBA is the allocated relative byte
address for the data component of a TKDS VSAM data set. The IDCAMS LISTCAT command output for a TKDS
VSAM data set can be consulted to determine the HI-A-RBA value for the data component. The
%Free Space used in this formula represents the percentage of free space in the
TKDS VSAM data set. The IDCAMS EXAMINE DATATEST command output can be consulted to determine the
percentage of free space.

HI-A-RBA x ( ( 100 - %Free Space ) / 100 ) x 3

For example, if the DATA HI-A-RBA has the value 1622016 with 56% free space, then the virtual storage
requirement estimate would be 1622016 x (44/100) x 6 = 4282122 bytes or 4182 Kilobytes.

In addition to the persistent PKCS #11 objects that are stored in the TKDS, applications can also
make use of temporary (session) objects. These too occupy ICSF protected, private virtual storage
and should be accounted for. However, since these objects are not stored in the TKDS, it is
impossible to estimate their virtual storage requirements without having some knowledge of the
applications that are using PKCS #11. Fortunately, most applications that use PKCS #11 use only a
few PKCS #11 session objects and their storage requirements are already factored into the preceding
TKDS estimate. However, some applications, such as TCP/IP’s IPSec, use session objects
exclusively, and can use many of them. Estimating the virtual storage requirements for these is
beyond the scope of this document. Applications that use PKCS #11 session objects have an overall
upper limit of 128 Megabytes per application address space for session objects.

Note: The output from the preceding formula should be added to the outputs calculated from the
formulas in "ICSF system resource planning for the CKDS" and "ICSF system resource planning for
the PKDS". This gives you the required system
virtual storage backing resource for all of ICSF’s KDS data sets. This value represents the
required amount of virtual storage for a given instance of ICSF. For a set of KDS data sets shared
across a sysplex environment, every active ICSF in the sysplex has an equivalent resource
requirement.