You can use either KGUP or the dynamic CKDS update services to generate and enter keys into the cryptographic key data set (CKDS), or to maintain keys already existing in the CKDS. The keys are stored in records. A record exists for each key that is stored in the CKDS.

A record in the CKDS is called a key entry and has a label associated with it. When you call some ICSF callable services, you specify a key label as a parameter to identify the key for the callable service to use.

Use KGUP to change the key value of an entry, rename entry labels, and delete entries in the CKDS. For more information about how to use KGUP to update key entries in the CKDS, see Managing Cryptographic Keys Using the Key Generator Utility Program.

Use the dynamic CKDS update services in applications to create entries, change the key value of an entry, and delete entries in the CKDS.

You can use RACF to control which applications can use specific keys and services. For more information, see Using RACF to Protect Keys and Services.