z/OS Cryptographic Services ICSF Administrator's Guide


RACF Protecting ICSF Services used by the New Panels

SA22-7521-17

ICSF uses these callable services to create or delete PKDS records and to export RSA keys to, or import them from, X.509 certificates:

CSNDKRR
Ensures that the specified PKDS label does not already exist.
CSNDPKB
Builds the skeleton key token.
CSNDKRC
Creates the PKDS record.
CSNDKRD
Deletes the PKDS record.
CSNDKRR
Reads the record from the PKDS.
CSNDPKX
Extracts only the public key from the record.
CSNBOWH
Hashes the to-be-signed portion of the generated certificate.
CSNDDSG
Signs the hash.

If you are using RACF or a similar security product, ensure that the security administrator authorizes ICSF to use these services and any cryptographic keys that are input. For information about ICSF callable services, see Introducing Symmetric Key Cryptography and Using Symmetric Key Callable Services in z/OS Cryptographic Services ICSF Application Programmer’s Guide.
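The authorization described above could be set up with a REXX exec such as the following. This is an added example, not taken from the IBM guide. It assumes a hypothetical group ICSFADM and a hypothetical PKDS label MY.RSA.LABEL, and that the CSFSERV resource names shown match the resource table for your ICSF level.

```rexx
/* REXX - added example, not part of the IBM guide.                  */
/* Assumptions: group ICSFADM and label MY.RSA.LABEL are hypothetical */
/* placeholders. Verify each CSFSERV resource name against the       */
/* resource table for the installed ICSF level before running.       */
grp   = 'ICSFADM'
label = 'MY.RSA.LABEL'

/* CSFSERV resources assumed for the services listed above:          */
/*   CSNDKRR  CSNDKRC  CSNDKRD  CSNDPKX  CSNBOWH  CSNDDSG             */
svcs  = 'CSFPKRR CSFPKRC CSFPKRD CSFPKX CSFOWH CSFDSG'
/* CSNDPKB is left out here; confirm whether it is protected at      */
/* your ICSF level and add its resource if so.                       */

maxrc = 0

/* Deny by default, then grant READ only to the administering group. */
do i = 1 to words(svcs)
  res = word(svcs, i)
  call run "RDEFINE CSFSERV" res "UACC(NONE)"
  call run "PERMIT" res "CLASS(CSFSERV) ID("grp") ACCESS(READ)"
end

/* Protect the key label itself in the CSFKEYS class.                */
call run "RDEFINE CSFKEYS" label "UACC(NONE)"
call run "PERMIT" label "CLASS(CSFKEYS) ID("grp") ACCESS(READ)"

/* Activate both classes and refresh the in-storage profiles.        */
call run "SETROPTS CLASSACT(CSFSERV CSFKEYS) RACLIST(CSFSERV CSFKEYS)"
call run "SETROPTS RACLIST(CSFSERV CSFKEYS) REFRESH"
exit maxrc

/* Echo each command, issue it to TSO, and track the highest RC.     */
run: procedure expose maxrc
  parse arg cmd
  say cmd
  address tso cmd
  if rc > 0 then say '  RC='rc '(profile may already exist)'
  maxrc = max(maxrc, rc)
  return
```

A nonzero return code from RDEFINE usually means the profile is already defined; review the existing profile's UACC and access list rather than assuming it is restrictive.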

Follow these steps to manage keys in the PKDS.

Select option 6, PKDSKEYS, on the ICSF Utilities panel as shown in Figure 212.

Figure 212. Selecting the PKDSKEYS option on the ICSF Utilities Panel
 CSFUTL00 ---------------- ICSF - Utilities --------------------------
 OPTION ===> 6


 Enter the number of the desired option.

   1  ENCODE        -  Encode data
   2  DECODE        -  Decode data
   3  RANDOM        -  Generate a random number
   4  CHECKSUM      -  Generate a checksum and verification and
                       hash pattern
   5  PPKEYS        -  Generate master key values from a pass phrase
   6  PKDSKEYS      -  Manage keys in the PKDS
   7  PKCS11 TOKEN  -  Manage PKCS11 tokens





Press ENTER to go to the selected option.
Press END to exit to the previous menu.

If option 6 is selected on the Utilities panel, the ICSF - PKDS Keys panel is presented:

Figure 213. ICSF PKDS Keys Panel
 CSFPKY00 ---------------- ICSF - PKDS Keys --------------------------

 COMMAND ===>

     Enter the RSA record's label for the actions below
      ==>


     Select one of the following actions then press ENTER to process:

     -  Generate a new RSA key pair record
        Enter the key length  ===>          512, 1024, 2048, 3072 or 4096
        Enter Private Key Name (optional)
         ==>

     -  Delete the existing public key or key pair RSA record

     -  Export the RSA record's public key to a certificate data set
        Enter the DSN  ===>
        Enter desired subject's common name (optional)
         CN=

     -  Create a RSA public key record from an input certificate.
        Enter the DSN  ===>

From this panel you can manage RSA key entries in the PKDS. To create a new record or manage an existing PKDS record, supply the PKDS key label and then select an action.

Supported actions:

  • Generate a new RSA public/private PKDS key pair record
  • Delete an existing key record
  • Export a public key to an X.509 certificate for importation elsewhere
  • Import a public key from an X.509 certificate received from elsewhere





Copyright IBM Corporation 1990, 2014