Changes concerning the DES master key

ICSF and TKE accept a 16-byte key value for the DES master key. CEX3C and later CCA coprocessors with the October, 2012 licensed internal code (LIC) will support both a 16- and 24-byte key value. ICSF and TKE will support loading both key value lengths.

To load a 24-byte DES master key, the DES master key – 24-byte key access control point must be enabled in the ICSF role in all CCA coprocessors for the domain where you wish to use a 24-byte DES master key. If the DES master key – 24-byte key access control point is not enabled consistently for all coprocessors available to an instance of ICSF, the DES new master key register cannot be loaded. The master key entry utility will fail. A TKE workstation is required to enable the access control point.

It is not possible to share a CKDS between systems with both 16-byte and 24-byte DES master keys. The master key verification pattern algorithm for the 24-byte DES master key is different from the algorithm for the 16-byte DES master key. The algorithms are described in Supporting Algorithms and Calculations.

The CKDS Reencipher and Symmetric Change Master Key utilities support key values of both lengths, as do the coordinated CKDS administration functions. The Passphrase KDS Initialization utility will load a 24-byte DES master key if the DES master key – 24-byte key access control point is enabled.

Warning: Due to the CEX3 and CEX4 control block changes required to support the 24-byte DES master key, after a 24-byte DES master key has been loaded, the LIC cannot be changed to an earlier version that does not support the 24-byte DES master key. If a change to an earlier LIC is required, all DES master keys must first be changed back to 16-byte keys. This can be done using either local CKDS change master key or coordinated CKDS change master key.