The coordinated change master key function simplifies the procedure
for changing the master keys that are used by the CKDS, PKDS, and
TKDS. Coordinated change master key may be performed on a single instance
of ICSF, on a single-system sysplex, or on a multi-system sysplex.
Coordinated CKDS change master key is available when all systems
in the sysplex are at ICSF FMID HCR7790 or later. Coordinated PKDS
change master key and coordinated TKDS change master key are available
when all systems in the sysplex are at ICSF FMID HCR77A0 or later.
Before using this procedure, make sure that your system meets all
the requirements outlined in section Symmetric Master Keys and the CKDS for
CKDS, Asymmetric master keys and the PKDS for PKDS, and Changing the Master Key for TKDS.
For CKDS and PKDS, if your system does not meet these requirements,
you will be unable to use the coordinated change master key procedure,
and will have to use the local change master key procedure instead.
Depending on your coprocessor type, see Changing the master keys in Managing CCA Master Keys for instructions on how to perform a local
change master key. For TKDS, there is no local change master key option.
The P11 master keys can only be changed using coordinated change master
key.
Note:
- Coordinated change master key is not supported on the IBM zSeries
900. In a sysplex environment, the master key or keys will be changed
for all systems in the sysplex that share the same active KDS (either
CKDS, PKDS, or TKDS). None of these systems can be an IBM zSeries
900.
- Coordinated change master key offers further advantages in a sysplex
environment. Specifically, a master key change initiated from one
ICSF instance in the sysplex will change the master key or keys for
all ICSF instances in the sysplex that share the same active KDS.
The instructions that follow describe how to initiate a coordinated
change master key from a single ICSF instance. This can be either
a stand-alone system or a member of a sysplex cluster. If you are
running in a sysplex environment, make sure you also understand the
information in Coordinated Change Master Key and Coordinated Refresh before proceeding.
- Reenciphering a large KDS (millions of records) may cause a temporary
internal suspension of KDS update requests running in parallel. If
you cannot tolerate a temporary suspension in your CKDS and/or PKDS
workload, and would prefer that update requests be failed instead
of suspended, you should disallow dynamic CKDS and/or PKDS access
prior to performing the coordinated change master key. For information
on disabling dynamic CKDS updates, see Steps for disallowing dynamic CKDS updates during CKDS administration updates in Managing Cryptographic Keys Using the Key Generator Utility Program. For information on disabling PKA callable
services, see Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access in Managing CCA Master Keys. There is no option to disable dynamic TKDS
update services, so this does not apply to coordinated TKDS change
master key.
- This procedure is only for reenciphering the active KDS. It is
not for reenciphering archived or backup KDS copies that are not currently
active.
- If you have a combination of cryptographic coprocessors installed
in a sysplex environment, the ICSF instance configured with the cryptographic
coprocessor containing the highest level of licensed internal code
must initiate the coordinated change master key. If the coordinated
change master key is not initiated by the ICSF instance containing
the highest level of licensed internal code, the operation will fail.
- If your system is using multiple coprocessors, they must have
the same master key or keys. When you load a new master key or keys
in one coprocessor, you should load the same new master key or keys
in the other coprocessors. Therefore, to reencipher a KDS under a
new master key, the new master key registers in all coprocessors must
contain the same value.
- If the CKDS contains HMAC keys, it must be reenciphered on a system
with a CEX3C and the Sept. 2010 or later licensed internal code.
- If the CKDS contains variable-length AES keys, it must be reenciphered
on a system with a CEX3C and the Sep. 2011 or later licensed internal
code.
Note: If you have cryptographic coprocessors that are lower than
CEX3C with the Sep. 2011 licensed internal code, you must use TKE
to load new RSA master key parts in order to perform a coordinated
change master key. The ICSF master key entry panels automatically
set new RSA master keys loaded on coprocessors lower than
CEX3C with the Sep. 2011 licensed internal code, so the new key does
not remain in the new master key register. Coordinated change
master key can only be performed when the new master keys are loaded
in the new master key register. This requires a TKE when loading new
RSA master keys to cryptographic coprocessors lower than CEX3C with
the Sep. 2011 licensed internal code.
- If there is a problem reenciphering a KDS entry, the CSFC0316
message is generated specifying the label for the KDS problem entry.
Before beginning this procedure, you must:
- Enter the key parts of the new master key or keys that you want
to replace the current master key or keys. For information about how
to load new DES, AES, RSA, and ECC master key parts, see Entering master key parts. For information about how to load new
P11 master key parts, see Entering master key parts using TKE. The new
master key register must be full in order to perform a CKDS or PKDS
coordinated change master key. The new master key register must be
full and committed in order to perform a coordinated TKDS change master
key.
- Create a new VSAM data set that will be used by coordinated change
master key to place the reenciphered KDS entries. This data set must
be allocated and empty, and must contain the same data set attributes
as the active KDS you are performing the coordinated change master
key on. For more information about defining a CKDS, PKDS or TKDS,
see the z/OS Cryptographic Services ICSF System Programmer's Guide.
Before beginning this procedure, you may optionally:
- Create an additional VSAM data set to serve as a backup of the
new, reenciphered, KDS. This data set must be allocated and empty,
and must contain the same data set attributes as the active KDS you
are performing the coordinated change master key on.
- If you are planning to use the archive option, which is described
below, determine a VSAM data set name to use for the archived KDS
data set. This data set must not be allocated and must not exist on
the system.
For more information about defining a CKDS, PKDS, or TKDS, see
the z/OS Cryptographic Services ICSF System Programmer's Guide.
To reencipher the KDS and change the master key:
- Enter option 2, KDS MANAGEMENT, on the ICSF Primary Menu panel to
access the Master key set or change, KDS processing panel.
- The CSFMKM10 Key Data Set Management panel is displayed. Select the KDS type that you would
like to perform the coordinated change master key on.
- The KDS Master Key Management panel is displayed for the
KDS type you selected. Select Coordinated KDS Change MK for the KDS
type you are performing this function on.
- The Coordinated KDS change master key panel is displayed:
CSFCRC20 ----------- ICSF - Coordinated KDS change master key ------------------
To perform a coordinated KDS change master key, enter the KDS names below
and optionally select the rename option.
KDS Type ===> CKDS
Active KDS ===> 'PLEX.TEST.CKDS'
New KDS ===>
Rename Active to Archived and New to Active (Y/N) ===> N
Archived KDS ===>
Create a backup of the reenciphered KDS (Y/N) ===> N
Backup KDS ===>
Press ENTER to perform a coordinated KDS change master key.
Press END to exit to the previous menu.
In this example, CKDS was selected to perform the coordinated change
master key. The KDS type is displayed in the KDS Type field.
The active KDS is displayed in the Active KDS field.
- Enter the name of the new KDS in the New KDS field. This
must be an empty and allocated VSAM data set containing the same data
set attributes as the active KDS. The reenciphered keys will be placed
into this new data set to create the new KDS.
- Decide if you want to have the new KDS renamed to match the
name of the current active KDS. Having the new KDS renamed to match
the name of the current active KDS simplifies KDS administration,
because you will not need to update the ICSF Options Data Set with
the name of the new data set after the coordinated change master key
completes.
- If you would like to have the new KDS renamed to match the name
of the current active KDS:
- Type Y in the Rename Active to Archived and the New to Active
(Y/N) field.
- Enter the name under which the currently active KDS will be archived
in the Archived KDS field. This must be a VSAM data set name
that is not allocated and does not exist on the system.
- If you do not want to have the new KDS renamed to match the name
of the current active KDS, type N in the Rename Active to Archived
and the New to Active (Y/N) field. Remember to change the
name of the KDS in the Installation Options Data Set as described
in the z/OS Cryptographic Services ICSF System Programmer's Guide.
The KDS name must be changed in each cluster member's Installation
Options Data Set only after the coordinated KDS change master key function
completes successfully. If the Installation Options Data Set is updated
with the new KDS name before that and the coordinated change master key function
fails, ICSF might be configured with an invalid KDS the next time
it is restarted.
- Decide if you want to also create a backup copy of the newly enciphered
KDS. This is an empty and allocated VSAM data set containing the same
data set attributes as the active KDS. The reenciphered keys will
be placed into this data set to create the backup KDS.
- Press ENTER to begin the coordinated change master key. This will
reencipher the disk copy of the active KDS under the new master keys
to create the new KDS on disk, and will create an in-storage copy
of that new KDS.
- A confirmation panel will be displayed, prompting you to verify
that you want to continue with the coordinated change master key.
Verify that the information on this confirmation panel is correct.
If it is, type Y in the confirmation field provided and press ENTER.
The coordinated change master key function will then be executed. This function
verifies that all ICSF instances sharing the same active KDS are
configured with the same New Master Key register values. Additionally,
it verifies that the KDS names specified for input are valid and
are compatible with each other.
- Verify the dialog results, and address any indicated failures
or unexpected results.
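As an added illustration (not ICSF code), the following pre-flight check models the input rules this page states for the dialog: the new and backup KDS must be allocated, empty VSAM data sets with the same attributes as the active KDS; the archived name must not exist when renaming; the new master key register must be full (and committed for TKDS) and hold the same value on every ICSF instance sharing the active KDS. The catalog, attribute tuples and register states are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class DataSet:
    name: str
    attrs: tuple       # VSAM attributes that must match the active KDS
    records: int = 0   # 0 means allocated but empty

def check_inputs(kds_type, active, new, rename, archived, backup,
                 catalog, new_mk_registers):
    # catalog: name -> DataSet for allocated data sets (constructed sample);
    # new_mk_registers: ICSF instance -> (full, committed, verification pattern).
    problems = []
    act = catalog.get(active)
    if act is None:
        return [f"active {kds_type} {active} is not allocated"]
    def empty_copy_of_active(name, role):
        ds = catalog.get(name)
        if ds is None:
            problems.append(f"{role} {name} must be an allocated VSAM data set")
        elif ds.records:
            problems.append(f"{role} {name} must be empty")
        elif ds.attrs != act.attrs:
            problems.append(f"{role} {name} attributes differ from the active KDS")
    empty_copy_of_active(new, "new KDS")
    if rename:      # Rename Active to Archived and New to Active ===> Y
        if not archived:
            problems.append("archived KDS name is required when renaming")
        elif archived in catalog:
            problems.append(f"archived KDS {archived} must not already exist")
    if backup:      # Create a backup of the reenciphered KDS ===> Y
        empty_copy_of_active(backup, "backup KDS")
    # Register must be full (CKDS/PKDS), full and committed (TKDS), and identical everywhere
    patterns = set()
    for inst, (full, committed, pattern) in new_mk_registers.items():
        if not full:
            problems.append(f"{inst}: new master key register is not full")
        elif kds_type == "TKDS" and not committed:
            problems.append(f"{inst}: new P11 master key register is not committed")
        patterns.add(pattern)
    if len(patterns) > 1:
        problems.append("new master key register values differ across ICSF instances")
    return problems

# Constructed sample catalog and register states, not real system data
CATALOG = {
    "PLEX.TEST.CKDS": DataSet("PLEX.TEST.CKDS", ("KSDS", 72, 2048), records=120000),
    "PLEX.TEST.CKDS.NEW": DataSet("PLEX.TEST.CKDS.NEW", ("KSDS", 72, 2048)),
}
REGISTERS = {"SYS1": (True, False, "A1B2"), "SYS2": (True, False, "A1B2")}
```

An empty result from check_inputs means the panel values are consistent with the requirements above; each string in the result names one rule the inputs violate.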