ICSF prioritizes changes to the CKDS sequentially, regardless of the source. A KGUP job does not have priority over application calls to the dynamic CKDS update services. Exclusive use of the CKDS by any one application call is minimal, however. For this reason, ICSF allows for a maximum concurrent usage of the CKDS by both KGUP and the dynamic update services.

When you perform any function that affects the current CKDS (such as reenciphering, refreshing, or changing the master key), you should consider temporarily disallowing the dynamic CKDS update services.

If you are planning to use KGUP to make significant changes to the CKDS, you should disallow dynamic CKDS update on every system which shares the CKDS. If you are planning to perform a coordinated CKDS change master key or coordinated CKDS refresh operation on a large CKDS (millions of records), you may experience a temporary suspension of CKDS update requests running in parallel. If you cannot tolerate a temporary suspension in your workload, and would prefer that update requests are failed instead of suspended, you should disallow dynamic CKDS updates on every system which shares the same active CKDS prior to performing the coordinated CKDS administration operation. If an application tries to use the dynamic CKDS update services when they are disallowed, the return code indicates that the CKDS management service has been disabled by the system administrator.

To disallow dynamic CKDS access, perform these tasks:

1. Choose option 4, Administrative Control Functions, on the Primary Menu Panel, as shown in Figure 124.
   Figure 124. Selecting the Adminstrative Control Option on the Primary Menu Panel

    CSF@PRIM ---- Integrated Cryptographic Service Facility ---------
    OPTION ===> 4
   
    Enter the number of the desired option.
   
      1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
      2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
      3  OPSTAT              -  Installation options
      4  ADMINCNTL           -  Administrative Control Functions
      5  UTILITY             -  ICSF Utilities
      6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
      7  TKE                 -  TKE Master and Operational key processing
      8  KGUP                -  Key Generator Utility processes
      9  UDX MGMT            -  Management of User Defined Extensions
   
            Licensed Materials - Property of IBM
   
         5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
         US Government Users Restricted Rights - Use, duplication or
         disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
   
   
    Press ENTER to go to the selected option.
    Press END   to exit to the previous menu.
    

   The Administrative Control Functions panel appears. See Figure 125.

2. Enter a 'D' to disallow dynamic CKDS access.
   Figure 125. Selecting to Disallow Dynamic CKDS Access on User Control Functions Panel

    CSFACF00 ------------- ICSF Administrative Control Functions
    COMMAND ===>
             Active CKDS: CRYPTO25.HCRICSF.CKDS
             Active PKDS: CRYPTO25.HCRICSF.PKDS
             Active TKDS: CRYPTO25.HCRICSF.TKDS
   
   To change the status of a control, enter the appropriate character 
   (E - ENABLE, D - DISABLE) and press ENTER.
   
            Function                                 STATUS
            --------                                 ------
   
    D  Dynamic CKDS Access                            ENABLED 
    .  PKA Callable Services                          ENABLED
    .  Dynamic PKDS Access                            DISABLED 
    
    Press ENTER to go to the selected option.
    Press END   to exit to the previous menu.
    

3. Press ENTER.

   The message CKDS UPDATES DISABLED appears in the upper right-hand corner of the panel.

4. Press END to return to the Primary Menu panel.