For security reasons your installation should change the master
keys periodically. In addition, if the master keys have been cleared,
you may also want to change them when you reenter the cleared
master keys.
There are three main steps involved in performing a master key
change:
- Enter the new master key parts using the ICSF master key entry panels or
the TKE workstation.
- Reencipher the key data sets under the new master keys.
- Change the master keys and activate the reenciphered key data
sets.
Note:
- DES and AES master keys can be changed separately or together.
- RSA and ECC master keys can be changed separately or together.
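The three steps above, as an added model that is not IBM's code and does not reproduce the ICSF key token or CKDS record format: the key parts are XORed into a new-master-key register, every record of the active key data set is reenciphered from the current master key to the new one into a separate disk copy, and only then is the new master key set and the reenciphered copy activated. The wrap function, the verification pattern and the record layout are constructed stand-ins; the one failure mode modelled is setting the master key while the key data set is still under the old one, which the separate reencipher and set steps exist to prevent.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TAG_LEN = 16   # bytes of tag on a constructed key token (assumed, not the ICSF format)
MKVP_LEN = 8   # bytes of master key verification pattern kept with each record (assumed)


def xor_parts(parts: List[bytes]) -> bytes:
    """Combine master key parts: the master key is the XOR of all entered parts."""
    if not parts or len({len(p) for p in parts}) != 1:
        raise ValueError("need at least one part, all of equal length")
    out = bytearray(parts[0])
    for p in parts[1:]:
        out = bytearray(a ^ b for a, b in zip(out, p))
    return bytes(out)


def mkvp(master_key: bytes) -> bytes:
    """Verification pattern: a public fingerprint of the master key stored with every record."""
    return hashlib.sha256(b"MKVP" + master_key).digest()[:MKVP_LEN]


def wrap(master_key: bytes, label: bytes, key: bytes) -> bytes:
    """Constructed wrap: HMAC-derived keystream XOR key, plus an HMAC tag over the result."""
    if len(key) > 32:
        raise ValueError("key longer than the 32-byte keystream")
    stream = hmac.new(master_key, b"wrap|" + label, hashlib.sha256).digest()
    ct = bytes(k ^ s for k, s in zip(key, stream))
    tag = hmac.new(master_key, b"tag|" + label + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unwrap(master_key: bytes, label: bytes, token: bytes) -> bytes:
    """Check the tag under the given master key, then recover the key; raises if it fails."""
    ct, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    want = hmac.new(master_key, b"tag|" + label + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        raise ValueError(f"token {label!r} does not verify under this master key")
    stream = hmac.new(master_key, b"wrap|" + label, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class Record:
    mkvp: bytes   # pattern of the master key this record is enciphered under
    token: bytes  # the wrapped operational key


@dataclass
class MasterKeyRegisters:
    current: Optional[bytes] = None
    new: Optional[bytes] = None
    old: Optional[bytes] = None

    def load_new(self, parts: List[bytes]) -> None:
        """Step 1: enter the key parts into the new master key register."""
        self.new = xor_parts(parts)


def add_key(kds: Dict[bytes, Record], regs: MasterKeyRegisters, label: bytes, key: bytes) -> None:
    kds[label] = Record(mkvp(regs.current), wrap(regs.current, label, key))


def reencipher(kds: Dict[bytes, Record], regs: MasterKeyRegisters) -> Dict[bytes, Record]:
    """Step 2: reencipher every record from the current MK to the new MK.
    Returns a separate disk copy; the active KDS is left untouched."""
    if regs.new is None:
        raise RuntimeError("no key in the new master key register")
    disk_copy = {}
    for label, rec in kds.items():
        if rec.mkvp != mkvp(regs.current):
            raise RuntimeError(f"record {label!r} is not under the current master key")
        key = unwrap(regs.current, label, rec.token)
        disk_copy[label] = Record(mkvp(regs.new), wrap(regs.new, label, key))
    return disk_copy


def set_master_key(regs: MasterKeyRegisters, reenciphered: Dict[bytes, Record]) -> Dict[bytes, Record]:
    """Step 3: make the new MK current and activate the reenciphered KDS.
    Refuses a KDS whose records are not under the key in the new register."""
    if regs.new is None:
        raise RuntimeError("no key in the new master key register")
    if any(rec.mkvp != mkvp(regs.new) for rec in reenciphered.values()):
        raise RuntimeError("KDS is not reenciphered under the new master key")
    regs.old, regs.current, regs.new = regs.current, regs.new, None
    return reenciphered


def verify(kds: Dict[bytes, Record], master_key: bytes) -> bool:
    """True if every record in the KDS unwraps under the given master key."""
    try:
        for label, rec in kds.items():
            unwrap(master_key, label, rec.token)
    except ValueError:
        return False
    return True


def demo() -> Dict[str, bool]:
    """Full change: two constructed operational keys survive, old MK no longer opens them."""
    regs = MasterKeyRegisters(current=secrets.token_bytes(32))
    kds: Dict[bytes, Record] = {}
    keys = {b"PAYMENT.DEK": secrets.token_bytes(16), b"HSM.MAC.KEY": secrets.token_bytes(32)}
    for label, key in keys.items():
        add_key(kds, regs, label, key)
    old_mk = regs.current
    regs.load_new([secrets.token_bytes(32), secrets.token_bytes(32)])  # two key parts
    active = set_master_key(regs, reencipher(kds, regs))
    return {
        "keys_intact": all(unwrap(regs.current, l, active[l].token) == k for l, k in keys.items()),
        "old_mk_rejected": not verify(active, old_mk),
        "new_register_cleared": regs.new is None,
    }


def skipping_reencipher_is_refused() -> bool:
    """Setting the MK with the un-reenciphered active KDS must be rejected."""
    regs = MasterKeyRegisters(current=b"\x11" * 32)
    kds: Dict[bytes, Record] = {}
    add_key(kds, regs, b"TEST.KEY", b"\x22" * 16)
    regs.load_new([b"\x33" * 32, b"\x44" * 32])
    try:
        set_master_key(regs, kds)
    except RuntimeError:
        return True
    return False
```

The order matters for the same reason it does in ICSF: once the current master key register is overwritten, any record still enciphered under the old key can no longer be recovered on that system, so the reenciphered copy must exist and verify before the key is set.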
Starting with ICSF FMID HCR7790 for the symmetric master keys and
HCR77A0 for the asymmetric master keys, a new option is available
to provide a simplified procedure for changing the master keys. Tasks
that had once been distinct and spread over multiple panels and manual
steps are now combined in a single panel. Other steps, due to changes
in how ICSF reenciphers the CKDS and PKDS, are no longer necessary.
This new procedure is called a coordinated KDS change master key.
It combines the CKDS or PKDS reencipher and set master
key steps, for both single-system and sysplex environments.
When in a sysplex environment, the coordinated KDS change master key
procedure additionally coordinates across all sysplex members sharing
the same active CKDS or PKDS. This removes the need to perform manual
steps on each system sharing the same CKDS or PKDS, including bringing
the disk copy of the reenciphered CKDS or PKDS into storage.
For the additional advantages realized by a coordinated change
master key, see Coordinated Change Master Key and Coordinated Refresh.
Use the coordinated change master key procedure only if your system
(and, if applicable, your sysplex) meets the following requirements.
- For symmetric master keys, your system must be running ICSF FMID
HCR7790 or later. In a sysplex environment, all members of the sysplex
(including any sysplex members that are not using the same active CKDS)
must be at ICSF FMID HCR7790 or later, because the sysplex communication
protocol used by the coordinated change master key procedure is only
understood by ICSF FMID HCR7790 and later. Be aware that this procedure
will change the symmetric master keys for all systems in the sysplex
that share the same active CKDS as the member that initiates the procedure.
- For asymmetric master keys, your system must be running ICSF FMID
HCR77A0 or later. In a sysplex environment, all members of the sysplex
(including any sysplex members that are not using the same active PKDS)
must be at ICSF FMID HCR77A0 or later, because the sysplex communication
protocol used by the coordinated PKDS change master key procedure is only
understood by ICSF FMID HCR77A0 and later. Be aware that this procedure
will change the asymmetric master keys for all systems in the sysplex
that share the same active PKDS as the member that initiates the procedure.
- For the RSA-MK, you must use a TKE workstation to enter the new
master key if your systems have CEX3C or older coprocessors whose
licensed internal code is older than September 2011. On coprocessors
below that level, the ICSF master key entry panels automatically set
the new RSA-MK as soon as it is loaded instead of leaving it in the new
master key register, and a coordinated change master key can only be
performed while the new master keys are loaded in the new master key
register.
- None of the systems in the sysplex can be an IBM zSeries 900.
- ICSF on all systems in the sysplex must be running in noncompatibility
mode.
Note: Do not use the coordinated procedure to reencipher archived
or backup copies of the CKDS or PKDS that are not currently active.
Use it only to reencipher the active CKDS or PKDS.
If your system (and, if applicable, your sysplex) meets the requirements
in the preceding list, you can use the procedure described in Performing
a coordinated change master key to change your master keys. If your system
or sysplex does not meet the requirements in the preceding list, follow
the procedures described in Symmetric Master Keys and the CKDS and
Asymmetric master keys and the PKDS.