The ICSF CKDS has several sets of system keys. These are the keys with labelname of X'00' and are installed during CKDS initialization. The system keys are required in the CKDS. Other keys are optional; however, their absence will affect functions in many services.

If the system keys are not in the CKDS, an 18F abnormal end with reason code X'A1' can occur. If the ANSI, NOCV enablement, or the ESYS keys are not in the CKDS, an 18F abnormal end with reason code X'A3' can occur.

This is a summarization of where the keys are used:

• Required System Keys

  These keys are used to validate CKDS entries and used in many services. These keys are required.

• NOCV-enablement Keys
  • These keys are needed for all services where NOCV key-encrypting keys are required. See z/OS Cryptographic Services ICSF Application Programmer’s Guide for more information.
  • These keys are needed in CSNBKGN and KGUP where replicated keys are generated, that is, where key length of SINGLE is specified for double-length keys.
  • These keys are used during verification pattern generation on a CDMF-only system.
  • These keys are used by CSNBSBC on a CDMF-only system.
  • These keys are used during CKDS conversion.
  • These keys are required to export and import double-length DATAM and DATAMV keys.
• ANSI System Keys
  • These keys are used by CSNBSBD on a CDMF-only system.
  • These keys are used when installing the extended system keys (ESYS) on the CKDS initialization panel.
  • These keys are needed for key part import services.
  • These keys are required for key test service CSNBKYT if there are no PCICCs active.
  • These keys are required to generate double-length DATAM and DATAMV keys in the importable form.
• Extended System Keys

  These keys are required for symmetric key export if there are no PCICCs active.