z/OS Cryptographic Services ICSF Administrator's Guide


PKDS management in a sysplex

SA22-7521-17

The systems sharing a PKDS may be different LPARs on the same system or different systems across multiple zSeries Processors. The only requirement for sharing the PKDS is that the same PKA Master Keys be installed on all systems sharing that PKDS. It is not required to share the PKDS across a sysplex. Each system may have its own PKA Master Keys and its own PKDS. A sysplex may have a combination of systems that share a PKDS and individual systems with separate PKDSs.

When sharing the PKDS, a few precautions should be observed:

  • Dynamic PKDS services update the DASD copy of the PKDS and the in-storage copy on the system where it is run. The SYSPLEXPKDS option in the ICSF installation options data set provides for sysplex-wide consistent updates of the DASD copy of the PKDS and the in-storage copies of the PKDS on all members of the sysplex sharing the same PKDS. (Note that all members of the sysplex sharing the PKDS must be running ICSF HCR7751 or higher in order to participate in the sysplex-wide consistency of PKDS data.) If SYSPLEXPKDS(YES,FAIL(xxx)) is coded in the installation options data set, a sysplex broadcast message will be issued informing sysplex members of the PKDS update and requesting them to update their in-storage PKDS copy. If SYSPLEXPKDS(NO,FAIL(xxx)) is coded in the installation options data set, there is no sysplex broadcast of the update. In order to update the in-storage copy of all images that share the PKDS, you must perform a PKDS REFRESH on each image. This can be done by using either the TSO panels or the CSFPUTIL utility.
  • The PKDS must be initialized for PKA callable services to be enabled. Use the TSO panels to initialize a new PKDS.
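
The sharing rules above, as an added consistency check (example code written for this page, not part of ICSF or this guide): given a constructed inventory of sysplex members, it flags PKDS groups whose PKA master keys differ or whose members are below HCR7751, and lists the images that still need a manual PKDS REFRESH after a dynamic update. The member names, verification-pattern strings, FMID ordering rule and the assumption that a receiving member must itself code SYSPLEXPKDS(YES) are not from the page.

```python
from dataclasses import dataclass

MIN_SYSPLEXPKDS_RELEASE = "HCR7751"  # page: required to take part in sysplex-wide PKDS updates

@dataclass(frozen=True)
class Member:
    name: str          # system name in the sysplex
    pkds: str          # data set name of the PKDS this image uses
    pka_mk_vp: str     # verification pattern of the installed PKA master keys (constructed)
    icsf_release: str  # ICSF FMID, e.g. HCR7751
    sysplexpkds: bool  # True if SYSPLEXPKDS(YES,FAIL(xxx)) is coded in the options data set

def release_at_least(release, minimum=MIN_SYSPLEXPKDS_RELEASE):
    """Assumption: ICSF FMIDs (HCR7751, HCR7770, HCR77A0, ...) order as plain strings."""
    return release >= minimum

def check_shared_pkds(members, updated_on):
    """Return (findings, images needing a manual PKDS REFRESH) after a dynamic
    PKDS update was run on the image named `updated_on`."""
    groups = {}
    for m in members:
        groups.setdefault(m.pkds, []).append(m)
    findings, need_refresh = [], []
    for pkds, group in groups.items():
        names = [m.name for m in group]
        if len({m.pka_mk_vp for m in group}) > 1:
            findings.append(f"{pkds}: PKA master keys differ across {names}; sharing is invalid")
        downlevel = [m.name for m in group if not release_at_least(m.icsf_release)]
        if len(group) > 1 and downlevel:
            findings.append(f"{pkds}: {downlevel} below {MIN_SYSPLEXPKDS_RELEASE}, no sysplex-wide updates")
        if updated_on not in names:
            continue
        updater = next(m for m in group if m.name == updated_on)
        for m in group:
            if m.name == updated_on:
                continue  # the updating image refreshes its own in-storage copy
            # Assumption: a member only honours the broadcast if it also coded SYSPLEXPKDS(YES).
            covered = updater.sysplexpkds and m.sysplexpkds and release_at_least(m.icsf_release)
            if not covered:
                need_refresh.append(m.name)
    return findings, sorted(need_refresh)
SAMPLE = [  # constructed sample members, not taken from the page
    Member("SYSA", "CSF.PKDS", "VP-1111", "HCR7770", True),
    Member("SYSB", "CSF.PKDS", "VP-1111", "HCR7751", True),
    Member("SYSC", "CSF.PKDS", "VP-1111", "HCR7750", False),
    Member("SYSD", "CSF.PKDS2", "VP-2222", "HCR7770", False),
]
if __name__ == "__main__":
    print(check_shared_pkds(SAMPLE, "SYSA"))  # finding for SYSC, REFRESH needed on ['SYSC']
```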

There is no longer a PKDS cache. ICSF maintains an in-storage copy of the PKDS.

On CCF systems, it is highly recommended that the SMK and KMMK be the same on all systems sharing the PKDS in order to reencipher the PKDS when a PKA master key changes. PKDS reencipher requires a PCICC on your system. PKDS reencipher is not supported on CCF-only systems. For instructions on creating this environment, see Steps for setting the SMK equal to the KMMK.

Restriction: The PKDS can be shared between a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system and CCF systems (z900). However, DSA tokens and RSA tokens encrypted under the KMMK (if KMMK is not equal to the SMK) are not usable on the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system.





Copyright IBM Corporation 1990, 2014