z/OS Cryptographic Services ICSF Administrator's Guide


CKDS management in a sysplex

SA22-7521-17

ICSF instances may share the same active CKDS across multiple LPARs on the same system, or across LPARs on different zSeries Processors. All ICSF instances sharing the same active CKDS must have the same DES and, if applicable, AES master key installed.

It is not required that all ICSF instances share their active CKDS across a sysplex. It is also not required that all ICSF instances in a sysplex be configured with the same active CKDS. Each system may have its own Master Key(s) and its own active CKDS. A sysplex may have a combination of ICSF instances that share their active CKDS and ICSF instances that do not share their active CKDS.

In a sysplex environment, a set of ICSF instances all sharing the same active CKDS can be described as a CKDS sysplex cluster. Other ICSF instances configured with different active CKDSs can join the same sysplex group to create multiple CKDS sysplex clusters.

It is not required that each ICSF instance sharing the same active CKDS be configured with the same DOMAIN. Cryptographic Coprocessor DOMAINs may be split up across LPARs all sharing the same active CKDS.

When sharing the CKDS, a few precautions should be observed:

  • Dynamic CKDS services update the DASD copy of the active CKDS and the in-storage copy on the system where they are run. The SYSPLEXCKDS option in the ICSF installation options data set provides consistent sysplex-wide update of the DASD copy of the active CKDS and the in-storage copies of the active CKDS for all members of the sysplex sharing the same active CKDS. If SYSPLEXCKDS(YES,FAIL(xxx)) is specified in the installation options data set, sysplex messages will be issued to sysplex members configured with the same active CKDS. The messages will inform them of the CKDS update and request them to update their in-storage CKDS copy. If SYSPLEXCKDS(NO,FAIL(xxx)) is specified in the installation options data set, sysplex messages will not be sent to sysplex members for CKDS updates. When configured this way, either a coordinated refresh or a single-system refresh must be performed to load the updates into ICSF's in-storage copy of the CKDS. To perform a coordinated CKDS refresh, refer to Performing a coordinated CKDS refresh. To perform a single-system CKDS refresh on each ICSF instance configured with the affected CKDS, refer to Performing a single system CKDS refresh or Using the ICSF Utility Program CSFEUTIL.
  • If multiple sysplexes share a CKDS, or if a sysplex and other non-sysplex systems share a CKDS, there is no provision for automatic update of the in-storage copies of the CKDS on the systems that are not in the same sysplex as the system initiating the CKDS update. When configured this way, either a coordinated CKDS refresh or a single-system CKDS refresh will be required on the systems that are sharing the same active CKDS but are not in the same sysplex as the initiating system in order to update the in-storage copy on each system. To perform a coordinated CKDS refresh, refer to Performing a coordinated CKDS refresh. To perform a single-system CKDS refresh on each ICSF instance configured with the affected CKDS, refer to Performing a coordinated CKDS refresh or Using the ICSF Utility Program CSFEUTIL.
  • If KGUP is used to update the active CKDS, the update is only made to the DASD copy of the CKDS. Either a coordinated CKDS refresh or a single-system CKDS refresh must be performed to load the updates into ICSF's in-storage copy of the CKDS. To perform a coordinated CKDS refresh, refer to Performing a coordinated CKDS refresh. To perform a single-system CKDS refresh on each ICSF instance configured with the affected CKDS, refer to Performing a single system CKDS refresh or Using the ICSF Utility Program CSFEUTIL.
  • Starting with release HCR7780, there are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). The variable-length record format can be shared only by systems running ICSF HCR7780 or later.
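The first three precautions can be checked mechanically. The following Python sketch is an added example, not part of the IBM guide or of ICSF: it groups instances into CKDS sysplex clusters by their CKDSN value and lists which in-storage copies are stale after an update. The system names, sysplex names, and data set names are constructed; treating an absent SYSPLEXCKDS option as NO, and requiring YES on both the initiating and the receiving instance, are assumptions of the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Instance:
    name: str     # constructed system name
    sysplex: str  # constructed sysplex name
    ckdsn: str    # active CKDS data set name taken from CKDSN(...)
    notify: bool  # True when SYSPLEXCKDS(YES,FAIL(xxx)) is specified

def parse_options(name, sysplex, text):
    """Extract CKDSN and SYSPLEXCKDS from installation options data set text."""
    ckdsn = re.search(r"^\s*CKDSN\(([^)]+)\)", text, re.I | re.M)
    spx = re.search(r"^\s*SYSPLEXCKDS\((YES|NO)\s*,\s*FAIL\((YES|NO)\)\)", text, re.I | re.M)
    if not ckdsn:
        raise ValueError(f"{name}: no CKDSN option found")
    # Assumption: an absent SYSPLEXCKDS option means no sysplex messages.
    notify = bool(spx) and spx.group(1).upper() == "YES"
    return Instance(name, sysplex, ckdsn.group(1).strip().upper(), notify)

def needs_refresh(instances, initiator, via_kgup):
    """Names of instances whose in-storage CKDS copy is stale after an update."""
    src = next(i for i in instances if i.name == initiator)
    stale = []
    for i in instances:
        if i.ckdsn != src.ckdsn:
            continue                  # member of a different CKDS sysplex cluster
        if via_kgup:
            stale.append(i.name)      # KGUP updates only the DASD copy
        elif i is src:
            continue                  # dynamic service updated the local copy
        elif i.sysplex == src.sysplex and src.notify and i.notify:
            continue                  # sysplex message triggers the update
        else:
            stale.append(i.name)      # other sysplex, or SYSPLEXCKDS(NO,...)
    return sorted(stale)

# Constructed sample: four instances share one CKDS, SYSD has its own.
SAMPLE = [
    ("SYSA", "PLEX1", "CKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(YES,FAIL(NO))\n"),
    ("SYSB", "PLEX1", "CKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(YES,FAIL(NO))\n"),
    ("SYSC", "PLEX1", "CKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(NO,FAIL(NO))\n"),
    ("SYSD", "PLEX1", "CKDSN(CSF.LOCAL.CKDS)\nSYSPLEXCKDS(YES,FAIL(NO))\n"),
    ("SYSE", "PLEX2", "CKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(YES,FAIL(NO))\n"),
]
INSTANCES = [parse_options(*s) for s in SAMPLE]

if __name__ == "__main__":
    print(needs_refresh(INSTANCES, "SYSA", via_kgup=False))
```

Each name returned is an instance that still needs a coordinated or single-system CKDS refresh before it sees the change.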

Restriction: If you initialized your CKDS on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196, the CKDS cannot be shared with other CCF systems.





Copyright IBM Corporation 1990, 2014