When using Keys for Encryption/Decryption, is there something like a 'Keystore' in ACF2, to provide controlled access to a 'masterkey' used by a Program to do Encryption/Decryption?
The 'Keystore', in z/OS, usually just refers to where Certificate Private Keys are stored. Is this what you meant please? If 'yes', they can keep the Private keys in the Integrated Cryptographic Services Facility (ICSF) or let the External Security Manager (ESM) keep the Private Keys.
Regarding 'Master Key', this doesn't seem to be a function for ESM Products. But ICSF does have a Master Key, it's mentioned in the IBM manual, 'z/OS Cryptographic Services Integrated Cryptographic Service Facility System Programmer's Guide', Appendix D 'Helpful Hints for ICSF First Time Startup', page 325 'Step 6. Loading Master Keys and Initializing the CKDS through ICSF Panels'.