z/OS Cryptographic Services ICSF Administrator's Guide


Setting up and maintaining the cryptographic key data set (CKDS)

SA22-7521-17

The cryptographic key data set (CKDS) stores operational DES, AES, and HMAC keys of all types. It contains an entry for each key.

Note:
FMID HCR7780 introduced a variable-length record format for CKDS records. HMAC keys, also introduced in FMID HCR7780, are variable-length keys. Variable-length AES keys are introduced in FMID HCR7790. To store variable-length keys in the CKDS, the CKDS must first have been converted to the variable-length record format. ICSF provides a CKDS conversion program, CSFCNV2, that converts a fixed-length record format CKDS to a variable-length record format. For more information on this utility, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.

If you have no coprocessor, you can initialize the CKDS for use with clear AES and DES data keys. This CKDS cannot be used on a system with cryptographic coprocessors.

DES keys that are stored in the CKDS are encrypted under the appropriate variants of the DES master key, except for clear key value data-encrypting keys. AES keys that are stored in the CKDS are encrypted under the AES master key. HMAC keys are also encrypted under the AES master key. Encrypted keys in the CKDS cannot be overwritten with a key encrypted under a different master key (DES replaces DES, AES replaces AES, and HMAC replaces HMAC). The same is true for clear keys: DES can overwrite DES, AES can overwrite AES, and HMAC can overwrite HMAC.

Before you generate keys that you store in the CKDS, you must define a DES or AES master key to your system. You define a master key by entering its value and then setting it so that it is active on the system. When you enter the master key, you make it active by setting it when you initialize the CKDS. For information about entering and setting the master key and initializing the CKDS, see Managing Master Keys - CCF and PCICC or Managing Master Keys - PCIXCC, CEX2C, or CEX3C.

Once you define a master key, you generate keys and store them in the CKDS. You use KGUP to generate keys and change key values and other information for a key entry in the CKDS. For more information about running KGUP, see Managing Cryptographic Keys Using the Key Generator Utility Program. You can also program applications to use callable services to generate keys and change key information in the CKDS. For more information about how to use callable services to update key entries in the CKDS, see z/OS Cryptographic Services ICSF Application Programmer’s Guide. You can use the optional TKE workstation to load key parts for operational (PIN and transport) keys into a key part queue on the CCF. To load these key parts into the CKDS, you must also use the ICSF Operational Key panel and perform a CKDS refresh. For more information on using the TKE workstation, see z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

Support for operational keys is available beginning with TKE V4.1. You can load key parts for all operational keys into key part registers on the PCIXCC, CEX2C, or CEX3C. To load the accumulated key into the CKDS, you must use the ICSF Operational Key Load panel. For more information, refer to the z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

When you initialize ICSF, the system obtains space in storage for the CKDS. For more information about initializing space for the CKDS, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

Besides the in-storage CKDS, there is a copy of the CKDS on disk. Your installation can have many disk copies of the CKDS, including backup copies and copies with different contents. For example, an installation may have a separate CKDS with different keys for each shift. When a certain shift is working, you can load the CKDS for that shift into storage. Then only the keys in the CKDS loaded for that shift can be accessed for ICSF functions. However, only one disk copy is read into storage at a time.

A CKDS with encrypted AES or HMAC keys must be managed from a system that has an AES master key.

You use KGUP to make changes to any disk copy of the CKDS. When you use KGUP to generate and maintain keys, or enter keys directly, you change only the disk copy of a CKDS. Therefore, you can change keys in the disk copy of the data set without disturbing ICSF functions that are using the keys in the in-storage copy of the data set. To make the changes to the disk copy of the CKDS active, you need to replace the in-storage CKDS using the refresh utility. When you use the dynamic CKDS update callable services to change entries in the CKDS, you change both the in-storage copy of the CKDS and the disk copy. This allows for the immediate use of the new keys without an intervening refresh of the entire CKDS. Figure 6 shows that ICSF callable services use keys in the in-storage copy of the CKDS.

You specify the name of the disk copy of the CKDS when you run KGUP. You can also read any disk copy of the CKDS into storage by specifying the name of the disk copy of the CKDS on a Refresh In-Storage CKDS panel, or by running a utility program to read a disk copy of the CKDS into storage. However, the disk copy must be enciphered under the correct master key. All your disk copies of the CKDS should be enciphered under the same master key.

Your installation should periodically change the master key. To change the master key, you enter a new master key value and make that value active. The keys in a CKDS must then be enciphered under the new master key. Therefore, to make the new master key active, the CKDS must be reenciphered from under the current master key to under the new master key.

First, you reencipher the disk copy of the CKDS under the new master key. Then you activate the new master key using the change master key option. This option automatically replaces the old in-storage CKDS with the disk copy that is reenciphered under the new master key. If you have multiple disk copies of CKDSs, reencipher all of them under the new master key before changing the master key.

You can reencipher a CKDS under a new master key by using the master key panels or a utility program. For more information about reenciphering a CKDS, see Steps for changing the DES master key and reenciphering the CKDS.
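The rules above (encrypted keys can only be overwritten by a key of the same type, HMAC keys sit under the AES master key, a disk copy cannot be read into storage unless it is enciphered under the active master key, and every disk copy must be reenciphered before the new master key is set) can be modelled in a few lines. This is an added illustration, not IBM code: the master key verification pattern in the header and the XOR-stream "wrapping" are stand-ins assumed here, not the CCA wrapping or header layout ICSF actually uses.

```python
import hashlib

# HMAC keys are enciphered under the AES master key, DES keys under the DES master key
MK_FOR_TYPE = {"DES": "DES", "AES": "AES", "HMAC": "AES"}

def mkvp(mk: bytes) -> str:
    """Stand-in verification pattern (assumed here) recording which master key a CKDS copy is under."""
    return hashlib.sha256(b"MKVP" + mk).hexdigest()[:16]

def wrap(mk: bytes, label: str, key: bytes) -> bytes:
    """Placeholder enciphering (XOR with a keyed stream), not the CCA wrapping ICSF actually uses."""
    stream = hashlib.shake_256(mk + label.encode()).digest(len(key))
    return bytes(a ^ b for a, b in zip(key, stream))

unwrap = wrap  # the XOR stream is its own inverse

class Ckds:
    """One disk copy of the CKDS: a header naming its master keys plus one entry per key."""
    def __init__(self, master_keys: dict):
        self.header = {t: mkvp(mk) for t, mk in master_keys.items()}
        self.entries = {}  # label -> (key type, enciphered key)

    def put(self, master_keys: dict, label: str, key_type: str, key: bytes) -> None:
        existing = self.entries.get(label)
        if existing and existing[0] != key_type:  # DES replaces DES, AES replaces AES, HMAC replaces HMAC
            raise ValueError(f"{label}: cannot overwrite a {existing[0]} key with a {key_type} key")
        self.entries[label] = (key_type, wrap(master_keys[MK_FOR_TYPE[key_type]], label, key))

    def get(self, master_keys: dict, label: str) -> bytes:
        key_type, blob = self.entries[label]
        return unwrap(master_keys[MK_FOR_TYPE[key_type]], label, blob)

def reencipher(disk_copy: Ckds, old_mks: dict, new_mks: dict) -> Ckds:
    """Step 1 of a master key change: re-wrap every entry of a disk copy under the new master keys."""
    new_copy = Ckds(new_mks)
    for label, (key_type, _) in disk_copy.entries.items():
        new_copy.put(new_mks, label, key_type, disk_copy.get(old_mks, label))
    return new_copy

def refresh(disk_copy: Ckds, active_mks: dict) -> Ckds:
    """Read a disk copy into storage; refused unless it is enciphered under the active master keys."""
    if disk_copy.header != {t: mkvp(mk) for t, mk in active_mks.items()}:
        raise ValueError("disk copy is not enciphered under the active master key; reencipher it first")
    return disk_copy
```

A disk copy that is skipped during reenciphering fails the `refresh` check once the new master key is active, which is why all copies must be reenciphered before the master key is changed.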

Note:
When you perform any functions that affect the in-storage copy of the CKDS, you should consider temporarily disallowing the dynamic CKDS update services. Functions that affect the in-storage copy of the CKDS include changing the master key, reenciphering, or refreshing. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.

If running in a sysplex, see Running in a Sysplex Environment.





Copyright IBM Corporation 1990, 2014