z/OS Cryptographic Services ICSF System Programmer's Guide
The Public Key Data Set (PKDS)

SA22-7520-17

RSA, ECC, and DSS public and private keys can be stored in a VSAM data set that is called the public key data set (PKDS). ICSF maintains the PKDS as an external data set. ICSF provides a sample PKDS allocation job (member CSFPKDS) in SYS1.SAMPLIB. ICSF maintains two copies of the PKDS: a disk copy and an in-storage copy.

The PKDS can hold public key tokens as well as private key tokens in either external or internal form. Applications can use the dynamic PKDS update callable services to create, write, read, and delete PKDS records.

The PKDS must be initialized using the ICSF Master Key Management panels.

The PKDS can be reenciphered, and the reenciphered PKDS refreshed, by using either the Master Key Management panels or the CSFPUTIL utility. CSFPUTIL is a batch utility that performs the same reencipher and refresh functions that are available from the Master Key Management panels. On other systems that share the PKDS but run a lower level of ICSF, the procedure is to disable dynamic PKDS access control, change the appropriate master key or keys, refresh the reenciphered PKDS, and then enable dynamic PKDS access control again. For information on managing and sharing the PKDS in a sysplex environment, see z/OS Cryptographic Services ICSF Administrator's Guide.

Notes:
  1. ECC support is available in ICSF HCR7780 and later releases. A PKDS with ECC key tokens can be shared with prior levels of ICSF. A reencipher of the PKDS with ECC tokens can only be done on systems that support ECC. If a prior level system attempts to reencipher a PKDS containing ECC tokens, it will fail with a bad token error (12/36112).
  2. With ICSF release HCR7750 or later, ICSF expects the PKDS to have the longer LRECL before it will start. You can share the larger PKDS with down-level systems by installing the toleration APAR OA21807. Even with toleration APAR OA21807 installed, however, be aware that reencipherment of a larger PKDS must always be performed on an HCR7750 or later system.
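The following is an added conceptual model of the disk copy versus in-storage copy described above and of the reencipher-then-refresh cycle, together with the bad-token failure from note 1. It is not ICSF or CSFPUTIL code: the master-key wrapping is a toy HMAC-derived stream cipher standing in for the real CCA key-wrapping algorithm, the record layout and the `Pkds`, `reencipher_pkds`, `refresh_pkds` names are invented for this example, and it assumes (as the text implies but does not spell out) that "refresh" means replacing the in-storage copy with the reenciphered disk copy and that only private key tokens are enciphered under the master key.

```python
"""Conceptual model of PKDS reencipher/refresh (added example, not ICSF code).

Assumptions made by this model:
  * private key tokens are enciphered under the current master key; public
    key tokens are stored in the clear;
  * callable services read the in-storage copy, so until a refresh the
    in-storage copy still reflects the previous master key;
  * a down-level system rejects ECC tokens during reencipher with the
    return/reason code quoted on the page (12/36112).
The encipherment below is a toy keystream, NOT the CCA/ICSF algorithm.
"""
import hashlib
import hmac
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, Optional

BAD_TOKEN_ERROR = (12, 36112)   # return code / reason code quoted on the page


class BadTokenError(Exception):
    def __init__(self, return_code: int, reason_code: int):
        super().__init__(f"bad token error ({return_code}/{reason_code})")
        self.return_code, self.reason_code = return_code, reason_code


def _keystream(master_key: bytes, label: str, length: int) -> bytes:
    """Toy keystream bound to the master key and record label (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, f"{label}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class PkdsRecord:
    label: str
    algorithm: str               # "RSA", "ECC" or "DSS"
    private: bool                # True: token enciphered under the master key
    token: bytes
    master_key_id: Optional[str] # master key the private token is under


class Pkds:
    """Two copies, as the text describes: a disk copy and an in-storage copy."""

    def __init__(self) -> None:
        self.disk: Dict[str, PkdsRecord] = {}
        self.in_storage: Dict[str, PkdsRecord] = {}

    def write(self, label: str, algorithm: str, private: bool,
              key_material: bytes, mk_id: str, mk: bytes) -> None:
        """Dynamic update: the record lands in both copies at once."""
        token = _xor(key_material, _keystream(mk, label, len(key_material))) if private else key_material
        rec = PkdsRecord(label, algorithm, private, token, mk_id if private else None)
        self.disk[label] = rec
        self.in_storage[label] = deepcopy(rec)

    def read_private(self, label: str, mk_id: str, mk: bytes) -> bytes:
        """Services read the in-storage copy; the token must match the active master key."""
        rec = self.in_storage[label]
        if not rec.private or rec.master_key_id != mk_id:
            raise ValueError(f"{label}: token is not enciphered under master key {mk_id}")
        return _xor(rec.token, _keystream(mk, label, len(rec.token)))


def reencipher_pkds(pkds: Pkds, old_mk: bytes, new_mk_id: str, new_mk: bytes,
                    ecc_supported: bool) -> Dict[str, PkdsRecord]:
    """Produce a reenciphered disk copy; the in-storage copy is untouched until refresh."""
    new_disk: Dict[str, PkdsRecord] = {}
    for label, rec in pkds.disk.items():
        if rec.algorithm == "ECC" and not ecc_supported:
            raise BadTokenError(*BAD_TOKEN_ERROR)   # note 1: down-level ICSF cannot reencipher ECC
        if rec.private:
            clear = _xor(rec.token, _keystream(old_mk, label, len(rec.token)))
            new_token = _xor(clear, _keystream(new_mk, label, len(clear)))
            new_disk[label] = PkdsRecord(label, rec.algorithm, True, new_token, new_mk_id)
        else:
            new_disk[label] = deepcopy(rec)         # public tokens are not enciphered
    return new_disk


def refresh_pkds(pkds: Pkds, reenciphered_disk: Dict[str, PkdsRecord]) -> None:
    """Refresh: install the reenciphered data set and reload the in-storage copy from it."""
    pkds.disk = reenciphered_disk
    pkds.in_storage = deepcopy(reenciphered_disk)


if __name__ == "__main__":
    pk = Pkds()
    old, new = b"master-key-1", b"master-key-2"   # constructed sample values
    pk.write("RSA.PRIV.1", "RSA", True, b"rsa-private-material", "MK1", old)
    pk.write("RSA.PUB.1", "RSA", False, b"rsa-public-material", "MK1", old)
    new_disk = reencipher_pkds(pk, old, "MK2", new, ecc_supported=False)
    print("in-storage still under", pk.in_storage["RSA.PRIV.1"].master_key_id)
    refresh_pkds(pk, new_disk)
    print("after refresh under", pk.in_storage["RSA.PRIV.1"].master_key_id)
```

The model makes the ordering in the text concrete: a reencipher alone leaves the copy that callable services actually use (the in-storage copy) under the old master key, which is why the procedure disables dynamic PKDS access, changes the master key, and then refreshes before re-enabling access.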

Copyright IBM Corporation 1990, 2014