There are some general rules for creating labels for CKDS key records.

• Each label can consist of up to 64 characters. The first character must be alphabetic or a national character (#, $, @). The remaining characters can be alphanumeric, a national character (#, $, @), or a period (.).
• Labels must be unique for DATA, DATAXLAT, MAC, MACVER, DATAM, DATAMV, and NULL keys.
• For compatibility with Version 1 Release 1 function, transport and PIN keys can have duplicate labels for different key types. Keys that use the dynamic CKDS update services to create or update, however, must have unique key labels.
• Labels must be unique for any key record, including transport and PIN keys, created or updated using the dynamic CKDS update services.

KGUP and the dynamic CKDS update services, unless they are modified by user-written exits, check for uniqueness according to these rules prior to making any change to the CKDS.

CKDS record level authentication

ICSF may have an optional record level authentication code that is part of each record in the CKDS. The record level authentication code is used to identify when a record in the CKDS is modified by a program other than ICSF. The record level authentication is enabled when the CKDS is initialized and can not be changed after the CKDS is initialized. If the CKDS is properly protected using RACF profiles, then unauthorized modification of the CKDS can be prevented.

KGUP detects when ICSF and the CKDS are enabled for record level authentication and performs the necessary processing. When record level authentication is not enabled, KGUP does not perform record level authentication processing.

KGUP Uniqueness Checking

KGUP first checks to see if the label in the control statement matches a label that already exists in the CKDS.

If KGUP is processing an ADD control statement and there is no matching record, KGUP continues processing. Also, if KGUP is processing a RENAME control statement and there is no match for the new-label parameter, KGUP continues processing the control statement. If KGUP finds a matching label, KGUP then checks whether the key requires a unique label. If the key does not require a unique label, KGUP continues processing the ADD or RENAME control statement. If the key does require a unique label, KGUP stops processing the control statement and issues a message.

If KGUP is processing an UPDATE or DELETE control statement and there is no matching record, KGUP ends processing and issues an error message. Also, if KGUP is processing a RENAME control statement and there is no match for the old-label parameter, KGUP ends processing and issues an error message. If KGUP finds a matching label, KGUP continues processing the UPDATE, DELETE, or RENAME control statement.

Dynamic CKDS Update Services Uniqueness Checking

The dynamic CKDS update services require unique record labels in the CKDS. Each service checks to see if the label in the application call matches a label that already exists in the CKDS. For the Key Record Create service, if there is no matching record in the CKDS, ICSF continues processing the application call. If there is a match, ICSF stops processing and returns a return code and reason code to the application. For the Key Record Write and Key Record Delete services, if there is only one record in the CKDS that matches the label in the application call, ICSF continues processing the application call. If there is more than one matching record in the CKDS, ICSF stops processing and returns a return code and reason code to the application.