Steps for reenciphering the CKDS and performing a local symmetric master key change

Note:
  1. If running in a sysplex, see Running in a Sysplex Environment.
  2. Prior to reenciphering a CKDS, consider temporarily disallowing dynamic CKDS update services. For more information, refer to Steps for disallowing dynamic CKDS updates during CKDS administration updates.
  3. A simplified procedure for changing the symmetric master key and reenciphering the CKDS is described in Performing a coordinated change master key. However, only systems that are running ICSF FMID HCR7790 or later and that meet other requirements can use this other procedure. If you are interested in using this simplified procedure, refer to the requirements outlined in Changing the master keys.
Before beginning this procedure, you must:
  1. Enter the key parts of the new master key that you want to replace the current master key. For information about how to do this procedure, see Entering master key parts. The new master key register must be full when you change the master key.
  2. Create a new VSAM data set in which the reenciphered keys will be placed to create the new reenciphered CKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active CKDS. For more information about defining a CKDS, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.

To reencipher the CKDS and change the master key:

  1. Select option 2, REENCIPHER CKDS, on the CSFMKM20 — CKDS Management panel, and press ENTER.

    When you change the master key, you must first reencipher the disk copy of the CKDS under the new master key.

    Note:
    • To perform this operation your TSO Region Size must be large enough to load the CKDS into memory. The CKDS load operation alone requires #records * Max LRECL bytes. Your TSO region size must be large enough to accommodate this in addition to any other memory required by your TSO user.
    • If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, to reencipher a CKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
    • If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C or later and the Sept. 2010 or later licensed internal code.
  2. The CSFCMK10 — Reencipher CKDS panel appears.
  3. In the Input CKDS field, enter the name of the CKDS that you want to reencipher. In the Output CKDS field, enter the name of the data set in which you want to place the reenciphered keys.
    Note:
    1. The output data set should already exist although it must be empty. For more information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.
    2. The input CKDS and the output CKDS must have the same VSAM attributes.

    Reenciphering the disk copy of the CKDS does not affect the in-storage copy of the CKDS. On this panel, you are working with only a disk copy of the CKDS.

  4. Press ENTER to reencipher the input CKDS entries and place them into the output CKDS.

    The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

    Note: If the operation fails with a return and reason code, see section Return and reason codes for the CSFEUTIL program or the z/OS Cryptographic Services ICSF Application Programmer's Guide Appendix A for a description of the failing return and reason codes.
  5. If you have more than one CKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the CKDS, you are ready to change the master key.
  6. Press END to return to the CSFMKM30 — PKDS Management panel.

    Performing a local DES master key change involves refreshing the in-storage copy of the CKDS with a disk copy and activating the new master key.

  7. If you are running in compatibility or co-existence mode, do not select option 3, the Change option. To activate the changed master key when running in compatibility or co-existence mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS and start ICSF, you activate the changed master key and refresh the in-storage CKDS.
  8. If you are running in noncompatibility mode, to change the master key select option 3, CHANGE MK, on the CSFMKM20 — CKDS Management panel.
  9. In the New CKDS field, enter the name of the disk copy of the CKDS that you want ICSF to place in storage.

    You should have already reenciphered the disk copy of the CKDS under the new master key. The last CKDS name that you specified in the Output CKDS field on the CSFCMK10 — Reencipher CKDS panel automatically appears in this field.

  10. Press ENTER.

    ICSF loads the data set into storage where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

    When you press ENTER, ICSF attempts to change the master key. It displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error occurred that prevented the successful completion of the change process. For example, if you indicate a data set that is not reenciphered under the new master key, an error message displays, and the master key is not changed.

  11. When changing the master key, remember to change the name of the CKDS in the Installation Options Data Set.

You can use a utility program to reencipher the CKDSs and change the master key instead of using the panels. See Symmetric Master Keys and the CKDS for instructions on how to use the utility program to reencipher a disk copy of a CKDS and to change a master key.
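The same two operations as one batch job instead of the panels, as an added example that is not from the original page: a CSFEUTIL step reenciphers the disk copy, and the CHANGE step runs only if that step ended with return code 0, so the new master key is never activated against a CKDS that was not reenciphered (the failure case described in step 10). The job card, the data set names CSF.CKDS and CSF.NEWCKDS, and the exact PARM syntax (input,output,REENC and new_ckds,CHANGE) are assumptions to be verified against the ICSF Administrator's Guide for your release.

```jcl
//REENCMK  JOB (ACCT),'CKDS REENCIPHER',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the original page. Data set names are
//* placeholders; the CSFEUTIL PARM syntax is an assumption to be
//* checked against the ICSF Administrator's Guide for your release.
//* ICSF must be active and the new master key registers must be
//* full, with the same value, in every coprocessor before this runs.
//*
//* Step 1: reencipher the disk copy CSF.CKDS into the pre-allocated,
//* empty CSF.NEWCKDS, which must have the same VSAM attributes.
//REENC    EXEC PGM=CSFEUTIL,PARM='CSF.CKDS,CSF.NEWCKDS,REENC'
//*
//* Step 2: load CSF.NEWCKDS into storage and activate the new master
//* key. Guarded so that a non-zero return code from REENC (see
//* "Return and reason codes for the CSFEUTIL program") leaves the
//* current master key and in-storage CKDS untouched.
//         IF (REENC.RC = 0) THEN
//CHANGE   EXEC PGM=CSFEUTIL,PARM='CSF.NEWCKDS,CHANGE'
//         ENDIF
//*
//* After CHANGE ends with RC=0, point the installation options data
//* set at CSF.NEWCKDS (step 11). In compatibility or co-existence
//* mode do not run CHANGE; re-IPL MVS and start ICSF instead.
```

If more than one CKDS exists on disk, add one REENC step per disk copy ahead of the IF and guard the CHANGE step on all of their return codes, matching step 5's requirement to reencipher every disk copy before changing the master key.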