Changing the master keys

For security reasons your installation should change the master keys periodically. In addition, if the master keys have been cleared, you may also want to change the master keys when you reenter the cleared master keys.

There are three main steps involved in performing a master key change:

Enter the master key parts using the ICSF Master Key Entry or the TKE workstation.
Reencipher the key data sets under the new master keys.
Change the new master keys and activate the reenciphered key data sets.

Note:

DES and AES master keys can be changed separately or together.
RSA and ECC master keys can be changed separately or together.

Starting with ICSF FMID HCR7790 for the symmetric master keys and HCR77A0 for the asymmetric master keys, a new option is available to provide a simplified procedure for changing the master keys. Tasks that had once been distinct and spread over multiple panels and manual steps are now combined in a single panel. Other steps, due to changes in how ICSF reenciphers the CKDS and PKDS, are no longer necessary.

This new procedure is called a coordinated KDS change master key. This procedure will combine the CKDS or PKDS reencipher and set master key steps for both single system environments and sysplex environments. When in a sysplex environment, the coordinated KDS change master key procedure additionally coordinates across all sysplex members sharing the same active CKDS or PKDS. This removes the need to perform manual steps on each system sharing the same CKDS or PKDS, including bringing the disk copy of the reenciphered CKDS or PKDS into storage.

For the additional advantages realized by a coordinated change master key, see Coordinated Change Master Key and Coordinated Refresh.

Use the coordinated change master key procedure only if your system (and, if applicable, your sysplex) meets the following requirements.

For symmetric master keys, your system must be running ICSF FMID HCR7790 for symmetric master keys or later. In a sysplex environment, all members of the sysplex (including any sysplex members that are not using the same active CKDS) must be at ICSF FMID HCR7790 or later. The sysplex communication protocol used by the coordinated change master key procedure is only understood by ICSF FMID HCR7790 and later. For this reason, the coordinated change master key procedure can only be performed when all systems in the sysplex are at ICSF FMID HCR7790 and later. Be aware that this procedure will change the symmetric (asymmetric) master keys for all systems in the sysplex that share the same active CKDS as the member who initiates the procedure.
For asymmetric master keys, your system must be running ICSF FMID HCR77A0 or later. In a sysplex environment, all members of the sysplex (including any sysplex members that are not using the same active PKDS) must be at ICSF FMID HCR77A0 or later. The sysplex communication protocol used by the coordinated PKDS change master key procedure is only understood by ICSF FMID HCR77A0 and later. For this reason, the coordinated PKDS change master key procedure can only be performed when all systems in the sysplex are at ICSF FMID HCR77A0 and later. Be aware that this procedure will change the asymmetric master keys for all systems in the sysplex that share the same active PKDS as the member who initiates the procedure.
For the RSA-MK, you need to use a TKE workstation to entry the new master key if your systems have CEX3C or older coprocessors with the licensed internal code that is older than September 2011. The ICSF master key entry panels will automatically set new RSA-MK loaded on coprocessors running lower than CEX3C with the Sep. 2011 licensed internal code. Coordinated change master key can only be performed when new masters keys are loaded in the new master key register.
None of the systems in the sysplex can be a IBM zSeries 900.
ICSF on all systems in the sysplex must be running in noncompatibility mode.

Note: Do not use the coordinated procedure to reencipher archived or backup copies of the CKDS or PKDS that are not currently active. Only use it to reencipher the active CKDS or PKDS

If your system (and, if applicable, your sysplex) meets the requirements in the preceding list, you can use the procedure described in Performing a coordinated change master key to change your master key. If your system or sysplex does not meet the requirements in the preceding list, follow the procedures described in Symmetric Master Keys and the CKDS and Asymmetric master keys and the PKDS.