z/OS Cryptographic Services ICSF Administrator's Guide


Submitting a job stream for KGUP

SA22-7521-17

The key generator utility program (KGUP) is an APF-authorized program that runs as a batch job. It requires certain JCL statements to run. Submit the JCL to run KGUP once you have created the KGUP control statements and data sets.

The JCL to run KGUP should be in this format:

Figure 132. KGUP Job Stream
//KGUPPROC EXEC PGM=CSFKGUP,PARM=('SSM')
//CSFCKDS  DD   DSN=PROD.CKDS,DISP=OLD
//CSFIN    DD   DSN=PROD.KGUPIN.GLOBAL,DISP=OLD
//CSFDIAG  DD   DSN=PROD.DIAG.GLOBAL,DISP=OLD
//CSFKEYS  DD   DSN=PROD.KEYS.GLOBAL,DISP=OLD
//CSFSTMNT DD   DSN=PROD.STMT.GLOBAL,DISP=OLD
//

The EXEC statement specifies the load module name for KGUP. The PARM keyword on the EXEC statement passes information to KGUP. The keyword specifies either:

  • NOSSM to indicate that special secure mode must be disabled
  • SSM to indicate that special secure mode must be enabled

You must pass the SSM parameter if any KGUP control statements for the KGUP run contain the CLEAR keyword. NOSSM is the default.

If special secure mode is not enabled and you pass the SSM parameter to KGUP, the program ends immediately without processing any KGUP control statements. If you pass the NOSSM parameter and KGUP encounters a control statement with the CLEAR keyword, the job ends immediately.

In the JCL example, the PARM keyword specifies SSM to indicate that special secure mode should be enabled. You specify SSM if any control statement in the control statement input data set, PROD.KGUPIN.GLOBAL, contains the CLEAR keyword.
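The SSM/NOSSM rule above can be checked before the job is submitted. The following Python check is an added example, not part of the IBM guide: it reads the PARM value from the EXEC statement and looks for the CLEAR keyword in the control statements. The control statements shown are constructed and simplified, and the function names and the /* */ comment handling are assumptions of this example.

```python
import re

# EXEC line and CSFIN DD taken from Figure 132; the control statements are constructed.
JCL = """\
//KGUPPROC EXEC PGM=CSFKGUP,PARM=('SSM')
//CSFIN    DD   DSN=PROD.KGUPIN.GLOBAL,DISP=OLD
"""
SAMPLE_CONTROL = """\
/* constructed sample: the word CLEAR inside a comment is ignored */
ADD LABEL(CLEARKEY1) TYPE(EXPORTER)
ADD LABEL(BRANCH5) TYPE(IMPORTER) CLEAR
    KEY(0123456789ABCDEF)
"""

def parm_mode(jcl):
    """Return 'SSM' or 'NOSSM' from a single-line EXEC PGM=CSFKGUP statement."""
    for line in jcl.splitlines():
        if line.startswith("//*") or not line.startswith("//"):
            continue  # skip JCL comments and in-stream data
        if re.search(r"\bEXEC\b.*\bPGM=CSFKGUP\b", line):
            m = re.search(r"PARM=\(?'?(NOSSM|SSM)'?\)?", line)
            return m.group(1) if m else "NOSSM"  # NOSSM is the default
    raise ValueError("no EXEC PGM=CSFKGUP statement found")

def clear_lines(control_text):
    """Line numbers where CLEAR is a keyword, outside comments and parentheses."""
    # Assumption: comments are /* ... */. Blank them out but keep newlines
    # so that reported line numbers match the input data set.
    text = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group()),
                  control_text, flags=re.S)
    hits, depth = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        for tok in re.findall(r"[()]|[A-Za-z0-9@#$.]+", line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth = max(depth - 1, 0)
            elif depth == 0 and tok.upper() == "CLEAR":
                hits.append(lineno)  # keyword position, not a LABEL or KEY value
    return hits

def preflight(jcl, control_text):
    """Return (status, message) for the SSM/NOSSM versus CLEAR rule."""
    mode, hits = parm_mode(jcl), clear_lines(control_text)
    if hits and mode == "NOSSM":
        return "FAIL", f"CLEAR on line(s) {hits} but PARM is NOSSM"
    if mode == "SSM" and not hits:
        return "WARN", "PARM is SSM but no statement uses CLEAR"
    return "OK", f"PARM={mode}, CLEAR on line(s) {hits}"

if __name__ == "__main__":
    print(preflight(JCL, SAMPLE_CONTROL))
```

A FAIL result corresponds to the case where KGUP would end at the CLEAR statement; a WARN result means the job depends on special secure mode being enabled although no control statement needs it.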

In the JCL, the data definition (DD) statements name the data sets necessary to input information to KGUP and output information from the program. See Specifying KGUP data sets for a detailed description of these data sets.

Attention: If a KGUP job ends prematurely, results of the job are unpredictable. You should not read that cryptographic key data set into storage for use.

For a description of the KGUP return codes, see the explanation of message CSFG0002, which is in z/OS Cryptographic Services ICSF Messages.





Copyright IBM Corporation 1990, 2014