To run KGUP, ICSF must be active, the user must have access to KGUP, and the CKDS must be initialized. On systems with cryptographic coprocessors. master keys must be loaded on the cryptographic coprocessors. On systems without coprocessors, for release HCR77A0 and later, random number can be generated to create clear DES and AES keys.
Use the CSFKGUP profile in the CSFSERV class to permit or deny users access to the utility.
Each key that KGUP generates (except clear DES and AES data-encrypting keys) exists in the CKDS enciphered under your system's master key.
ADD LABEL(KEY1) TYPE(IMPORTER)
When KGUP processes the control statement, the program generates a key value and encrypts the value under a master key variant for an importer key-encrypting key. KGUP places the key in a CKDS entry labelled KEY1. The key type field of the entry specifies IMPORTER. For a description of the fields in a CKDS entry, see Specifying KGUP data sets.
You store the control statements in a data set. You must also specify other data sets that KGUP uses when the program processes control statements. You submit a batch job stream to run KGUP. In the job control statements, you specify the names of the data sets that KGUP uses.
KGUP changes a disk copy of the CKDS according to the functions you specify with the control statements. When KGUP changes the disk copy of the CKDS, you may replace the in-storage copy of the CKDS with the disk copy using the ICSF panels. This operation should be performed on all systems sharing the updated CKDS.
You may also want to refresh the CKDS with the disk copy of the CKDS that KGUP updated. You can use the KGUP panels to help you perform these tasks. However you can also use KGUP without accessing the panels. This topic first describes each of the tasks to run KGUP, and then describes how to use the panels to perform the tasks.