A key token could be stored in a key store within multiple key records, and so could be associated with multiple key labels. When the Key Token Authorization Checking control is enabled for the key store, duplicate tokens can cause problems because all labels that are associated with a key token passed to an ICSF callable service will be used to determine user access to that token. Although you may deliberately restrict access to a token by one of the labels associated with it, a user might still have access to the token through another label. You can enable the Duplicate Key Token Checking control for the CKDS or PKDS to prevent applications from storing duplicate tokens in the key store. When enabled, ICSF services that update the key store will check for duplicate tokens. ICSF will not allow a key token to be written to the key store if it matches a token that is already stored. The Duplicate Key Token Checking controls do not rely on SAF authorization checks against CSFKEYS class profiles. Instead, the callable services that update the key store will verify that a duplicate token does not already exist within the key store.

Separate controls are provided for enabling Duplicate Key Token Checking for a CKDS or a PKDS. To enable either of the Duplicate Key Token Checking controls, create the appropriate profile in the XFACILIT class.

For example, to ensure that duplicate tokens are not stored in either the CKDS or PKDS, you would enter the following commands:

RDEFINE XFACILIT CSF.CKDS.TOKEN.NODUPLICATES
RDEFINE XFACILIT CSF.PKDS.TOKEN.NODUPLICATES
SETROPTS RACLIST(XFACILIT) REFRESH