PKDS management in a sysplex
z/OS Cryptographic Services ICSF Administrator's Guide SA22-7521-17
The systems sharing a PKDS may be different LPARs on the same system or different systems across multiple zSeries Processors. The only requirement for sharing the PKDS is that the same PKA Master Keys be installed on all systems sharing that PKDS. It is not required to share the PKDS across a sysplex. Each system may have its own PKA Master Keys and its own PKDS. A sysplex may have a combination of systems that share a PKDS and individual systems with separate PKDSs. When sharing the PKDS, a few precautions should be observed:
- There is no longer a PKDS cache. ICSF maintains an in-storage copy of the PKDS.
- On CCF systems, it is highly recommended that the SMK and KMMK be the same on all systems sharing the PKDS in order to reencipher the PKDS when a PKA master key changes. PKDS reencipher requires a PCICC on your system. PKDS reencipher is not supported on CCF-only systems. For instructions on creating this environment, see Steps for setting the SMK equal to the KMMK.

Restriction: The PKDS can be shared between a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system and CCF systems (z900). However, DSA tokens and RSA tokens encrypted under the KMMK (if KMMK is not equal to the SMK) are not usable on the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system.
Copyright IBM Corporation 1990, 2014