Here are the answers from my friends on the ICSF development team.

>1. Is it a good idea to have millions of keys in the PKDS? Would it be a
>problem for ICSF? VSAM limits seem not to be a problem, but maybe ICSF
>has some bottlenecks or limitations.

There will be no problem for ICSF to store 2 to 3 million public keys in the PKDS.

>2. Can I keep the keys out of the PKDS, for example in a DB2 table? Note, we
>are talking about public keys, so there is no big reason to keep them secret.
>For example: tell ICSF to check a msg using a given key value, instead of a
>given key label. I remember such a solution is feasible for symmetric keys
>(the key was encrypted using the Master Key).

Yes, you can store the key tokens outside the PKDS. Callable services accept a label or a key token. PKA public keys are in the clear, so there are no security issues. To be clear, I would only recommend keeping public keys outside the PKDS. Private keys should be maintained in the PKDS so they are properly reenciphered during a master key change.

>3. What about performance? While a DB2 table can be buffered, what about
>the PKDS? Does it require I/O for every key use?

During initialization, ICSF copies the PKDS into 64-bit storage. When a label is passed to a callable service, ICSF retrieves the key token from the in-storage PKDS. No I/O is performed during the retrieval.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
