z/OS Cryptographic Services ICSF Administrator's Guide


Setting up and maintaining the PKDS

SA22-7521-17

Public Key Algorithm (DSS, ECC, and RSA) public and private keys, as well as trusted blocks, can be stored in the PKA key data set (PKDS), a VSAM data set. Applications can use the dynamic PKDS callable services to create, write, read, and delete PKDS records.

The PKDS may be initialized at ICSF setup. The PKDS holds both internal and external tokens. External tokens can be used regardless of the state of the PKA master keys. Internal tokens, however, can be used only if they are encrypted under the appropriate PKA master key that is currently active.

Your installation should periodically change the PKA/asymmetric master key. To change the master key, you enter a new master key value and make that value active. After the new master key has been set, the PKDS must be reenciphered under it. You can reencipher a PKDS under a new master key by using the master key panels or a utility program. For more information about reenciphering a PKDS, see Steps for reenciphering and refreshing the PKDS. If you keep multiple disk copies of the PKDS, reencipher all of them under the new master key after changing the master key.

You can program applications to use the PKDS callable services to create entries, change entries and delete entries in the PKDS. For more information about how to use callable services to update key entries in the PKDS, see z/OS Cryptographic Services ICSF Application Programmer’s Guide.

PKDS Key management panels support:

  • Generating an RSA key pair PKDS record.
  • Deleting an existing PKDS record.
  • Exporting an existing public key to an X.509 certificate stored in an MVS physically sequential data set.
  • Importing a public key from an X.509 certificate stored in an MVS physically sequential data set.

If running in a sysplex, see Running in a Sysplex Environment.





Copyright IBM Corporation 1990, 2014