z/OS Cryptographic Services ICSF System Programmer's Guide


Performance considerations for using installation options

SA22-7520-17

You specify installation options in the installation options data set. Three installation options, CHECKAUTH, KEYAUTH, and CKTAUTH, provide additional security checking, but affect performance.

In ICSF, the Security Server (RACF) always checks non-Supervisor State callers. The CHECKAUTH option allows you to specify whether CSF performs access control checking of Supervisor State and System Key callers. Specify CHECKAUTH(NO) if you do not want CSF to check Supervisor State and System Key callers. Specify CHECKAUTH(YES) if you want CSF to check Supervisor State callers. Checking Supervisor State and System Key callers significantly affects performance.

The KEYAUTH option allows you to specify whether ICSF should authenticate an entry in the CKDS whenever ICSF accesses the entry. ICSF creates a message authentication code (MAC) for each entry in the CKDS and stores the MAC with the entry. Whenever ICSF retrieves an entry from the CKDS, ICSF uses the MAC to authenticate the entry. When ICSF authenticates the entry, ICSF verifies that the entry was not inadvertently changed or damaged. If the authentication fails, ICSF returns either a return code with a reason code or a message.

You specify KEYAUTH(NO) for ICSF not to authenticate an entry or KEYAUTH(YES) for ICSF to authenticate an entry. The authentication can have a significant impact on performance when using the Crypto Express2 or Crypto Express3 feature. The chance of an error occurring in the in-storage CKDS is minimal. However, the authentication might be useful for diagnostic purposes if an error occurs.

The CKTAUTH option allows you to specify whether ICSF should authenticate an entry in the CKDS whenever ICSF reads the record from DASD. Customers with a large CKDS may experience a performance impact as each authentication requires a request to the PCIXCC, CEX2C, or CEX3C. CKTAUTH has no effect on the KEYAUTH option.
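The following Python model is an added illustration, not IBM code, of how the KEYAUTH and CKTAUTH checks described above differ in where the MAC is verified and how often. The class and function names, the record labels, and the use of HMAC-SHA256 are assumptions made for the example; the page does not describe ICSF's MAC algorithm or CKDS record layout, and each counted check stands in for one coprocessor request.

```python
import hashlib
import hmac

# Constructed demo key; in ICSF the MAC is produced by the cryptographic coprocessor.
MAC_KEY = b"constructed-demo-mac-key"

class ModelKeyStore:
    """Toy model of a key data set in which every entry carries a MAC."""
    def __init__(self, keyauth=False, cktauth=False):
        self.keyauth = keyauth   # models KEYAUTH(YES): verify on every access
        self.cktauth = cktauth   # models CKTAUTH(YES): verify on read from disk
        self.disk = {}           # label -> (value, mac); stands in for the CKDS on DASD
        self.memory = {}         # stands in for the in-storage CKDS
        self.mac_checks = 0      # one check models one coprocessor request

    def _mac(self, label, value):
        return hmac.new(MAC_KEY, label.encode() + b"\x00" + value, hashlib.sha256).digest()

    def write(self, label, value):
        self.disk[label] = (value, self._mac(label, value))

    def _verify(self, label, value, mac):
        self.mac_checks += 1
        if not hmac.compare_digest(mac, self._mac(label, value)):
            raise ValueError(f"MAC mismatch for entry {label!r}")

    def load(self):  # read every record from disk; the CKTAUTH check applies here
        for label, (value, mac) in self.disk.items():
            if self.cktauth:
                self._verify(label, value, mac)
            self.memory[label] = (value, mac)

    def get(self, label):  # access one in-storage entry; the KEYAUTH check applies here
        value, mac = self.memory[label]
        if self.keyauth:
            self._verify(label, value, mac)
        return value

def count_mac_checks(keyauth, cktauth, records=100, accesses=1000):
    """Return how many MAC verifications one load plus `accesses` lookups cost."""
    store = ModelKeyStore(keyauth, cktauth)
    for i in range(records):
        store.write(f"KEY{i:04d}", bytes([i % 256]) * 16)  # constructed sample entries
    store.load()
    for i in range(accesses):
        store.get(f"KEY{i % records:04d}")
    return store.mac_checks
```

In this model the CKTAUTH cost grows with the number of records and the KEYAUTH cost grows with the number of accesses, and the two settings add up independently.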

The SYSPLEXCKDS, SYSPLEXPKDS and SYSPLEXTKDS options specify whether sysplex-wide data consistency for the CKDS, PKDS, and TKDS is desired. For a description of the subkeywords, see Parameters in the installation options data set.





Copyright IBM Corporation 1990, 2014