z/OS Cryptographic Services ICSF Administrator's Guide


Entering keys into the PKDS

SA22-7521-17

You can store DSS, ECC, and RSA public and private keys in the PKA key data set (PKDS). Trusted block tokens can also be stored in the PKA key data set through the use of the same ICSF callable services. ICSF provides a set of callable services that allow applications to update the PKDS. Applications can use some of these services to create, write, and delete records from the PKDS. ICSF maintains an in-storage copy of the PKDS similar to the in-storage copy of the CKDS. Its purpose is to improve performance and eliminate I/O.

Restriction: DSS keys are only supported on the IBM eServer zSeries 900.

For more information on using the PKDS update services, refer to the z/OS Cryptographic Services ICSF Application Programmer’s Guide.

When you initialize ICSF, the system obtains space in storage for the PKDS. For more information about initializing space for the PKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

Besides the in-storage PKDS, there is a copy of the PKDS on disk. Your installation can have many disk copies of PKDSs, backup copies, and different disk copies. For example, an installation may have a separate PKDS with different keys for each shift. When a certain shift is working, you can load the PKDS for that shift into storage. Then only the keys in the PKDS loaded for that shift can be accessed for ICSF functions. However, only one disk copy is read into storage at a time.

RSA and ECC private keys can also be stored in the PKDS from TKE. For more information, see z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.





Copyright IBM Corporation 1990, 2014