z/OS Cryptographic Services ICSF Administrator's Guide


Refreshing the CKDS at any time

SA22-7521-17

When you initialize a CKDS for the first time, you can copy the disk copy of the CKDS to create other CKDSs for the system. You can use KGUP to add and update any of the disk copies on your system. You can use the dynamic CKDS update callable services to add or update the disk copy of the current in-storage CKDS. For information about using KGUP, see Managing Cryptographic Keys Using the Key Generator Utility Program. For information on using the dynamic CKDS callable services, refer to the z/OS Cryptographic Services ICSF Application Programmer’s Guide.

Steps for refreshing the CKDS

You can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by using these steps. You can refresh the CKDS at any time without disrupting cryptographic functions.

Note:
When you refresh a CKDS, consider temporarily disallowing dynamic CKDS update services. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
  1. Enter option 2, MASTER KEY, on the ICSF Primary Menu panel to access the Master Key Management Panel.
  2. Enter option 1, INIT/REFRESH CKDS, to access the Initialize a CKDS panel, which is shown in Figure 57.
    Figure 57. Selecting the Refresh Option on the ICSF Initialize a CKDS Panel
     CSFCKD00 ---------------- ICSF - Initialize a CKDS  ----------------
     COMMAND ===>  5
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
    
       2  NOCVKEYS  -  Create NOCV-Enablement keys (for keys without CVs)
       3  ANSI      -  Create ANSI system keys (for ANSI X9.17 services)
       4  ESYS      -  Create enhanced system keys (for Symmetric services)
    
       5  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'PIN1.CKDS'
     
  3. In the CKDS field, specify the name of the disk copy of the CKDS that you want ICSF to read into storage.
  4. Choose option 5, REFRESH, and press ENTER.

    ICSF places the disk copy of the specified CKDS into storage. During a REFRESH, ICSF does not load into storage any partial keys that may exist when you enter keys manually. A REFRESH does not disrupt any applications that are running on ICSF. A message that states that the CKDS was refreshed appears on the right of the top line on the panel.

    When ICSF reads the CKDS into storage, it performs a MAC verification on each record in the CKDS. If a record fails the MAC verification, ICSF sends a message that gives the key label and type to the z/OS system security console. You can then use either KGUP or the dynamic CKDS update services to delete the record from the CKDS. Any other attempt to access a record that has failed MAC verification results in a return code and reason code that indicate that the MAC is not valid.

  5. Press END to return to the Primary Menu panel.
Note:
You can use either a KGUP panel or a utility program, instead of the CKDS panel, to refresh the CKDS. For information about these other methods, see Refreshing the In-Storage CKDS.
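
The per-record MAC verification described in step 4 can be pictured with a small model. This is an added example, not ICSF code: the HMAC-SHA256 algorithm, the record layout, the console message text and every name in it (`InStorageStore`, `MacNotValid`, the key labels) are assumptions made for illustration.

```python
import hashlib
import hmac

MAC_KEY = b"constructed-demo-mac-key"  # constructed; not ICSF's key or algorithm

class MacNotValid(Exception):
    """Access to a record that failed load-time MAC verification."""

def record_mac(label, key_type, value):
    # Length-prefix each field so bytes cannot shift between fields undetected.
    fields = (label.encode(), key_type.encode(), value)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()

def make_record(label, key_type, value):
    return {"label": label, "type": key_type, "value": value,
            "mac": record_mac(label, key_type, value)}

class InStorageStore:
    def __init__(self):
        self.records, self.failed = {}, set()

    def refresh(self, disk_copy):
        """Verify every record, then swap the new copy in as a single step."""
        records, failed, console = {}, set(), []
        for rec in disk_copy:
            expected = record_mac(rec["label"], rec["type"], rec["value"])
            if not hmac.compare_digest(expected, rec["mac"]):
                failed.add(rec["label"])
                console.append(f"MAC not valid: label={rec['label']} type={rec['type']}")
            records[rec["label"]] = rec
        self.records, self.failed = records, failed  # swap only after the full pass
        return console

    def get(self, label):
        if label in self.failed:
            raise MacNotValid(label)
        return self.records[label]["value"]

    def delete(self, label):
        # Deletion is the remaining action for a record that failed verification.
        self.records.pop(label)
        self.failed.discard(label)

def demo():
    disk = [make_record("PIN.KEY.A", "PINGEN", b"\x01" * 16),
            make_record("DATA.KEY.B", "DATA", b"\x02" * 16)]
    disk[1]["value"] = b"\xff" * 16  # constructed tampering with the disk copy
    store = InStorageStore()
    return store, store.refresh(disk)
```

In the model, the altered record is reported by label and type, stays unreadable until it is deleted, and the untouched record remains usable throughout.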





Copyright IBM Corporation 1990, 2014