Chapter 2. System z integrated cryptography: A reminder

The System z platform offers standard and optional hardware cryptographic devices, along with the appropriate software components in the different operating systems, to provide applications with APIs to invoke the system's hardware cryptography and with key repository management facilities. In this chapter, we focus on the support z/OS provides for applications using hardware cryptography.

The z/OS base component that provides the cryptographic APIs that eventually invoke the hardware coprocessor is the Integrated Cryptographic Service Facility (ICSF). The ICSF APIs implement the IBM Common Cryptographic Architecture (CCA) and are available for programs written in assembler or high-level languages. Note that the IBM CCA supports a hierarchical structure of keys where keys can be encrypted by other keys (key-encrypting keys, KEKs), the master key being at the top of the hierarchy.

ICSF provides administration facilities for those cryptographic coprocessors that require a master key to be set. ICSF also provides key repositories in the form of two VSAM data sets where keys can be kept in "key tokens", either in clear value or encrypted under a KEK or under the coprocessors' master keys. The VSAM data sets are the Cryptographic Key Data Set (CKDS) and the Public Key Data Set (PKDS). The key tokens in the CKDS

© Copyright IBM Corp. 2007. All rights reserved.