z/OS Cryptographic Services ICSF System Programmer's Guide


The Cryptographic Key Data Set (CKDS)

SA22-7520-17

Keys that are protected under the DES or AES master key are stored in a VSAM data set that is called the cryptographic key data set (CKDS). ICSF provides sample CKDS allocation jobs (member CSFCKDS and CSFCKD2) in SYS1.SAMPLIB. The CKDS contains individual entries for each key that is added to it. You can store all types of keys (except master keys and PKA keys) in the CKDS. Each record in the data set contains the key value encrypted under the master key and other information about the key. ICSF maintains two copies of the CKDS: a disk copy and an in-storage copy.

Notes:
  1. There are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a variable-length record (supported by HCR7780 and later releases). The variable-length record format is required only if HMAC keys are to be stored in the CKDS; it can hold all existing symmetric key types as well as HMAC keys.
  2. When a CKDS record is written which contains a key token with a control vector that is not supported by the Cryptographic Coprocessor Feature, a key type of CV will be placed into the CKDS record. During CKDS reencipher processing, for any key containing a control vector which is not supported by the Cryptographic Coprocessor Feature, a key token change request will be sent to the PCI Cryptographic Coprocessor to reencipher the key. In a sysplex with a shared CKDS, the CKDS reencipher process must be invoked on a system which has a PCI Cryptographic Coprocessor installed.

Callable services use the in-storage copy of the CKDS to perform CKDS functions. For information on managing and sharing the CKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide. The key generator utility program (KGUP) updates the disk copy rather than the in-storage copy, so cryptographic functions do not have to stop while KGUP updates the CKDS; the keys KGUP adds are not visible to callable services until the in-storage copy is refreshed. The ICSF administrator can use the ICSF panels or a utility program to refresh the in-storage CKDS with the updated disk copy. Applications can also use the dynamic CKDS update callable services to update both the in-storage and DASD copies of the CKDS with no interruption of cryptographic function.
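The following added example is a toy model of the data flow just described and of the reencipher processing in note 2; it is not ICSF code and the wrapping it uses (a SHA-256 counter keystream) is only a stand-in for encryption under the master key. It shows why a KGUP add is invisible to callable services until a refresh, why a dynamic update is visible immediately, and that after a master key change every record must be re-enciphered before it can be read. The class and method names, the master key verification pattern, the sample key values and the service names CSNBKRC/CSNBKRW mentioned in a comment are assumptions of this example, not taken from this page.

```python
"""Toy model of the CKDS: disk copy, in-storage copy, and master key reencipher.
Added illustration, not ICSF code. The key wrapping is a stand-in, not CCA."""
from __future__ import annotations
import hashlib
import os
from dataclasses import dataclass


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: a toy stand-in for master-key encryption."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _mkvp(master_key: bytes) -> bytes:
    """Verification pattern identifying which master key wrapped a record (assumed)."""
    return hashlib.sha256(b"MKVP" + master_key).digest()[:8]


@dataclass(frozen=True)
class CkdsRecord:
    label: str
    key_type: str   # e.g. DATA, MAC, or CV for an unsupported control vector
    mkvp: bytes     # verification pattern of the master key that wrapped enc_key
    nonce: bytes
    enc_key: bytes  # key value encrypted under the master key; never stored clear


def wrap_key(master_key: bytes, label: str, key_type: str, clear_key: bytes) -> CkdsRecord:
    nonce = os.urandom(16)
    enc = bytes(a ^ b for a, b in zip(clear_key, _keystream(master_key, nonce, len(clear_key))))
    return CkdsRecord(label, key_type, _mkvp(master_key), nonce, enc)


def unwrap_key(master_key: bytes, rec: CkdsRecord) -> bytes:
    """Refuse to use a record that was enciphered under a different master key."""
    if rec.mkvp != _mkvp(master_key):
        raise ValueError(f"{rec.label}: record is enciphered under a different master key")
    return bytes(a ^ b for a, b in zip(rec.enc_key, _keystream(master_key, rec.nonce, len(rec.enc_key))))


class Ckds:
    """Disk copy (what KGUP writes) and in-storage copy (what callable services read)."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.disk: dict[str, CkdsRecord] = {}
        self.in_storage: dict[str, CkdsRecord] = {}

    def kgup_add(self, label: str, key_type: str, clear_key: bytes) -> None:
        """KGUP updates only the disk copy; services keep running on the old in-storage copy."""
        self.disk[label] = wrap_key(self.master_key, label, key_type, clear_key)

    def refresh(self) -> None:
        """Administrator refresh: replace the in-storage copy with the disk copy."""
        self.in_storage = dict(self.disk)

    def dynamic_add(self, label: str, key_type: str, clear_key: bytes) -> None:
        """Dynamic CKDS update services (CSNBKRC/CSNBKRW in ICSF) write both copies at once."""
        rec = wrap_key(self.master_key, label, key_type, clear_key)
        self.disk[label] = rec
        self.in_storage[label] = rec

    def read_key(self, label: str) -> bytes | None:
        """What a callable service sees: the in-storage copy, or None if the label is absent."""
        rec = self.in_storage.get(label)
        return None if rec is None else unwrap_key(self.master_key, rec)

    def reencipher(self, new_master_key: bytes) -> dict[str, CkdsRecord]:
        """Build a new disk copy with every record re-enciphered under the new master key."""
        return {label: wrap_key(new_master_key, rec.label, rec.key_type, unwrap_key(self.master_key, rec))
                for label, rec in self.disk.items()}

    def change_master_key(self, new_master_key: bytes, reenciphered_disk: dict[str, CkdsRecord]) -> None:
        """Activate the new master key together with the re-enciphered CKDS, then refresh."""
        self.master_key = new_master_key
        self.disk = reenciphered_disk
        self.refresh()


def demo() -> dict:
    """Walk through the scenarios on this page; returns observations for checking."""
    mk1 = hashlib.sha256(b"constructed master key 1").digest()   # constructed
    mk2 = hashlib.sha256(b"constructed master key 2").digest()   # constructed
    data_key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed key value
    mac_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key value
    ckds = Ckds(mk1)
    ckds.kgup_add("DATA.KEY.01", "DATA", data_key)
    seen_before_refresh = ckds.read_key("DATA.KEY.01")   # None: KGUP wrote disk only
    ckds.refresh()
    seen_after_refresh = ckds.read_key("DATA.KEY.01")
    ckds.dynamic_add("MAC.KEY.01", "MAC", mac_key)
    seen_dynamic = ckds.read_key("MAC.KEY.01")            # visible without a refresh
    old_disk = dict(ckds.disk)
    ckds.change_master_key(mk2, ckds.reencipher(mk2))
    after_change = (ckds.read_key("DATA.KEY.01"), ckds.read_key("MAC.KEY.01"))
    try:
        unwrap_key(mk2, old_disk["DATA.KEY.01"])
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"seen_before_refresh": seen_before_refresh, "seen_after_refresh": seen_after_refresh,
            "seen_dynamic": seen_dynamic, "after_change": after_change,
            "stale_rejected": stale_rejected,
            "clear_never_on_disk": all(r.enc_key not in (data_key, mac_key) for r in ckds.disk.values())}


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps the master key out of the records and stores only a verification pattern, so a record carried over from before a master key change is rejected rather than silently decrypted to garbage; the real reencipher step in a sysplex with a shared CKDS must likewise run on a system that can process every record, as note 2 above states.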

To add operational keys to the CKDS on a z900 server, you can:

  • Use KGUP to generate or enter keys
  • Use the dynamic CKDS update callable services to create and write keys directly to the CKDS
  • Use the Trusted Key Entry (TKE) workstation to load operational PIN and TRANSPORT keys. TKE is not part of the base product. It is an optional feature.

To add operational keys to the CKDS on z890, z990, z9 EC, z9 BC, z10 EC, z10 BC, and z196 servers, you can:

  • Use KGUP to generate or enter keys or to load keys from the cryptographic coprocessor's key part registers
  • Use the dynamic CKDS update callable services to create and write keys directly to the CKDS
  • Use the Trusted Key Entry workstation to load operational AES or DES keys. DES keys can be loaded with TKE Version 4.1 or higher. AES keys can be loaded with TKE Version 5.3 or higher. TKE is not part of the base product. It is an optional feature.





Copyright IBM Corporation 1990, 2014