Migrating to 24-byte DES master key

ICSF and TKE accept a 16-byte key value for the DES master key. CCA coprocessors with the September 2012 licensed internal code (LIC) or later installed on a CEX3C or later support both 16-byte and 24-byte key values. ICSF and TKE support loading key values of both lengths.

To load a 24-byte DES master key, the DES master key – 24-byte key access control point must be enabled in the ICSF role in all CCA coprocessors for the domain where you wish to use a 24-byte DES master key. If the DES master key – 24-byte key access control point is not enabled consistently for all coprocessors available to an instance of ICSF, the DES new master key register cannot be loaded and the master key entry utility will fail. A TKE workstation is required to enable the access control point.

It is not possible to share a CKDS between systems with both 16- and 24-byte DES master keys. The master key verification pattern algorithm for the 24-byte DES master key is different from the algorithm for the 16-byte master key. The algorithms are described in the z/OS Cryptographic Services ICSF Administrator's Guide.

The CKDS Reencipher and Symmetric Change Master Key utilities support key values of both lengths, as do the coordinated CKDS administration functions. The Passphrase KDS Initialization utility will load a 24-byte DES master key if the DES master key – 24-byte key access control point is enabled.

Warning: Due to control block changes required to support the 24-byte DES master key, after a 24-byte DES master key has been loaded, the LIC cannot be changed to an earlier version that does not support the 24-byte DES master key. If a change to an earlier LIC is required, all DES master keys must first be changed back to 16-byte keys. This can be done using the Symmetric Change Master Key utility.