The Cryptographic Key Data Set (CKDS)
z/OS Cryptographic Services ICSF System Programmer's Guide SA22-7520-17
Keys that are protected under the DES or AES master key are stored in a VSAM data set that is called the cryptographic key data set (CKDS). ICSF provides sample CKDS allocation jobs (member CSFCKDS and CSFCKD2) in SYS1.SAMPLIB.

The CKDS contains individual entries for each key that is added to it. You can store all types of keys (except master keys and PKA keys) in the CKDS. Each record in the data set contains the key value encrypted under the master key and other information about the key.

ICSF maintains two copies of the CKDS: a disk copy and an in-storage copy.

Notes:
1. Callable services use the in-storage copy of the CKDS to perform CKDS functions.
2. For information on managing and sharing the CKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator’s Guide.

The key generator utility program (KGUP) updates the disk copy rather than the in-storage copy. Therefore, cryptographic functions do not have to stop while KGUP updates the CKDS. The ICSF administrator can use the ICSF panels or a utility program to refresh the in-storage CKDS with the updated disk copy of the CKDS.

Applications can also use the dynamic CKDS update callable services to update both the in-storage and DASD copies of the CKDS with no interruption of cryptographic function.

To add operational keys to the CKDS for z900, you can:
To add operational keys to the CKDS for the z890, z990, z9 EC, z9 BC, z10 EC, z10 BC, and z196 servers, you can:
Copyright IBM Corporation 1990, 2014