Performing a coordinated change master key

The coordinated change master key function simplifies the procedure for changing the master keys that are used by the CKDS, PKDS, and TKDS. Coordinated change master key may be performed on a single instance of ICSF, on a single-system sysplex, or on a multi-system sysplex.

Coordinated CKDS change master key is available when all systems in the sysplex are at ICSF FMID HCR7790 or later. Coordinated PKDS change master key and coordinated TKDS change master key are available when all systems in the sysplex are at ICSF FMID HCR77A0 or later.

Before using this procedure, make sure that your system meets all the requirements outlined in section Symmetric Master Keys and the CKDS for CKDS, Asymmetric master keys and the PKDS for PKDS, and Changing the Master Key for TKDS.

For CKDS and PKDS, if your system does not meet these requirements, you will be unable to use the coordinated change master key procedure and will have to use the local change master key procedure instead. Depending on your coprocessor type, see Changing the master keys in Managing CCA Master Keys for instructions on how to perform a local change master key. For TKDS, there is no local change master key option: the P11 master keys can only be changed using coordinated change master key.

Note:
  1. Coordinated change master key is not supported on the IBM zSeries 900. In a sysplex environment, the master key or keys will be changed for all systems in the sysplex that share the same active KDS (either CKDS, PKDS, or TKDS). None of these systems can be an IBM zSeries 900.
  2. Coordinated change master key offers further advantages in a sysplex environment. Specifically, a master key change initiated from one ICSF instance in the sysplex will change the master key or keys for all ICSF instances in the sysplex that share the same active KDS. The instructions that follow describe how to initiate a coordinated change master key from a single ICSF instance. This can be either a stand-alone system or a member of a sysplex cluster. If you are running in a sysplex environment, make sure you also understand the information in Coordinated Change Master Key and Coordinated Refresh before proceeding.
  3. Reenciphering a large KDS (millions of records) may cause a temporary internal suspension of KDS update requests running in parallel. If you cannot tolerate a temporary suspension in your CKDS and/or PKDS workload, and would prefer that update requests are failed instead of suspended, you should disallow dynamic CKDS and/or PKDS access prior to performing the coordinated change master key. For information on disabling dynamic CKDS updates, see Steps for disallowing dynamic CKDS updates during CKDS administration updates in Managing Cryptographic Keys Using the Key Generator Utility Program. For information on disabling PKA callable services, see Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access in Managing CCA Master Keys. There is no option to disable dynamic TKDS update services, so this does not apply to coordinated TKDS change master key.
  4. This procedure is only for reenciphering the active KDS. It is not for reenciphering archived or backup KDS copies that are not currently active.
  5. If you have a combination of cryptographic coprocessors installed in a sysplex environment, the ICSF instance configured with the cryptographic coprocessor containing the highest level of licensed internal code must initiate the coordinated change master key. If the coordinated change master key is not initiated by the ICSF instance containing the highest level of licensed internal code, the operation will fail.
  6. If your system is using multiple coprocessors, they must have the same master key or keys. When you load a new master key or keys in one coprocessor, you should load the same new master key or keys in the other coprocessors. Therefore, to reencipher a KDS under a new master key, the new master key registers in all coprocessors must contain the same value.
  7. If the CKDS contains HMAC keys, it must be reenciphered on a system with a CEX3C and the September 2010 or later licensed internal code.
  8. If the CKDS contains variable-length AES keys, it must be reenciphered on a system with a CEX3C and the September 2011 or later licensed internal code.
    Note: If you have cryptographic coprocessors lower than a CEX3C with the September 2011 licensed internal code, you must use TKE to load new RSA master key parts in order to perform a coordinated change master key. On coprocessors lower than a CEX3C with the September 2011 licensed internal code, the ICSF master key entry panels automatically set the new RSA master key, so it does not remain in the new master key register. Coordinated change master key can only be performed when the new master keys are loaded in the new master key register. Loading new RSA master keys to such coprocessors therefore requires a TKE.
  9. If there is a problem reenciphering a KDS entry, the CSFC0316 message is generated specifying the label for the KDS problem entry.
Before beginning this procedure, you must:
Before beginning this procedure, you may optionally:

For more information about defining a CKDS, PKDS, or TKDS, see the z/OS Cryptographic Services ICSF System Programmer's Guide.

To reencipher the KDS and change the master key:

  1. Enter option 2, KDS MANAGEMENT, on the ICSF Primary Menu panel to access the Master key set or change, KDS processing panel.
  2. The CSFMKM10 — Key Data Set Management panel is displayed. Select the KDS type that you would like to perform the coordinated change master key on.
  3. The KDS Master Key Management panel will be displayed for the KDS type you selected. Select Coordinated KDS Change MK for the KDS type you are performing this function on.
  4. The Coordinated KDS change master key panel is displayed.
     CSFCRC20 ----------- ICSF - Coordinated KDS change master key ------------------
                                                                                   
    To perform a coordinated KDS change master key, enter the KDS names below 
    and optionally select the rename option.                                       
                                                                                   
        KDS Type ===> CKDS                                                         
                                                                                   
      Active KDS ===> 'PLEX.TEST.CKDS'                                       
                                                                                   
         New KDS ===>                                                              
                                                                                   
              Rename Active to Archived and New to Active (Y/N) ===> N             
                                                                                   
              Archived KDS ===>                                                    
                                                                                   
              Create a backup of the reenciphered KDS (Y/N) ===> N                 
                                                                                   
              Backup KDS ===>                                                      
                                                                                   
    Press ENTER to perform a coordinated KDS change master key.                    
    Press END to exit to the previous menu.                                        
    In this example, CKDS was selected to perform the coordinated change master key. The KDS type is displayed in the KDS Type field. The active KDS is displayed in the Active KDS field.
    1. Enter the name of the new KDS in the New KDS field. This must be an empty and allocated VSAM data set containing the same data set attributes as the active KDS. The reenciphered keys will be placed into this new data set to create the new KDS.
    2. Decide if you want to have the new KDS renamed to match the name of the current active KDS. Having the new KDS renamed to match the name of the current active KDS simplifies KDS administration, because you will not need to update the ICSF Installation Options Data Set with the name of the new data set after the coordinated change master key completes.
      • If you would like to have the new KDS renamed to match the name of the current active KDS:
        1. Type Y in the Rename Active to Archived and New to Active (Y/N) field.
        2. Enter the name under which the currently active KDS will be archived in the Archived KDS field. This must be a VSAM data set name that is not allocated and does not exist on the system.
      • If you do not want to have the new KDS renamed to match the name of the current active KDS, type N in the Rename Active to Archived and New to Active (Y/N) field. Remember to change the name of the KDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide. The KDS name must be changed in each cluster member's Installation Options Data Set only after the coordinated KDS change master key function completes successfully. If the Installation Options Data Set is updated with the new KDS name and the coordinated change master key function then fails, ICSF might be configured with an invalid KDS the next time it is restarted.
    3. Decide if you want to also create a backup copy of the newly reenciphered KDS. If you do, type Y in the Create a backup of the reenciphered KDS (Y/N) field and enter the data set name in the Backup KDS field. This must be an empty and allocated VSAM data set containing the same data set attributes as the active KDS. The reenciphered keys will also be placed into this data set to create the backup KDS.
  5. Press ENTER to begin the coordinated change master key. This will reencipher the disk copy of the active KDS under the new master keys to create the new KDS on disk, and will create an in-storage copy of that new KDS.
    Note: In a sysplex environment, the in-storage copy of the new KDS will be created for all ICSF instances that share the KDS. See Coordinated Change Master Key and Coordinated Refresh for more information.
  6. A confirmation panel will be displayed, prompting you to verify that you want to continue with the coordinated change master key. Verify that the information on this confirmation panel is correct. If it is, type Y in the confirmation field provided and press ENTER.

    The coordinated change master key function will be executed. This function will verify that all ICSF instances sharing the same active KDS are configured with the same New Master Key register values. Additionally, it will verify that the KDS names specified for input are valid and are compatible with each other.

  7. Verify the dialog results, and address any indicated failures or unexpected results.
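The procedure above requires, before you press ENTER on the CSFCRC20 panel, that the New KDS (and the optional Backup KDS) already exist as empty VSAM data sets with the same attributes as the active KDS, and that the Archived KDS name does not yet exist. The following IDCAMS job is an added example, not part of the ICSF documentation or its sample library: it allocates the new KDS by modelling it on the active KDS so the attributes match without having to restate them, then lists the catalog entries so you can confirm the result. The active KDS name PLEX.TEST.CKDS is taken from the panel example above; the new and archived data set names, the volume serial VSAM01 and the job card are assumptions for your installation.

```jcl
//DEFNKDS  JOB (ACCT),'DEFINE NEW CKDS',CLASS=A,MSGCLASS=X
//*
//* Added example (not ICSF-supplied JCL). Allocates the empty New KDS
//* for a coordinated CKDS change master key, modelled on the active
//* KDS so record size, key length and share options match it.
//* Assumed names: PLEX.TEST.CKDS.NEW (new), PLEX.TEST.CKDS.ARCH
//* (archived name to be entered on the panel), VOLSER VSAM01.
//* On SMS-managed storage drop VOLUMES and let the model's
//* storage class apply.
//*
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(PLEX.TEST.CKDS.NEW) -
                  MODEL(PLEX.TEST.CKDS) -
                  VOLUMES(VSAM01)) -
         DATA  (NAME(PLEX.TEST.CKDS.NEW.DATA)) -
         INDEX (NAME(PLEX.TEST.CKDS.NEW.INDEX))
  /* Confirm the new cluster exists and is empty: REC-TOTAL must   */
  /* be 0 in the DATA component statistics of the listing.         */
  IF LASTCC = 0 THEN -
     LISTCAT ENTRIES(PLEX.TEST.CKDS.NEW) ALL
  /* The Archived KDS name must NOT exist yet; the panel rejects a */
  /* name that is already cataloged. Expect IDC3012I ENTRY NOT     */
  /* FOUND with LASTCC 4, which is the wanted outcome here.        */
  LISTCAT ENTRIES(PLEX.TEST.CKDS.ARCH)
  IF LASTCC = 4 THEN SET MAXCC = 0
/*
```

Run the same DEFINE for the Backup KDS if you answer Y to Create a backup of the reenciphered KDS. If you answer N to the rename option instead, the new name goes into the CKDSN parameter of each sysplex member's Installation Options Data Set, but only after the coordinated change master key has completed successfully, for the reason given in the procedure.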