ICSF will automatically set new master key registers when ICSF
started. When running with COMPAT(NO), the check of the new master
key registers is made every time ICSF is started, When running with
COMPAT(YES), the check is only done when ICSF is started for the first
time after an IPL.
The following conditions must be true:
- The new master key register must be full (final key part loaded)
- The master key verification pattern (MKVP) of the new master key
register must match the MKVP in the header of the CKDS, PKDS or TKDS.
Notes: - Only the DES and RSA master keys are checked for ICSF releases
up to and including HCR7770 and only after an IPL.
- All master keys (AES, DES, ECC, RSA, and P11) are checked starting
with ICSF release HCR7780. If running with COMPAT(NO), the check is
made everytime ICSF is started.
- Initializing ICSF for the first time in a sysplex
- You can use this processing to load the master keys and initialize
your key data sets.
- Start ICSF on all systems in your sysplex. All systems should
be using the same installation options data set.
- Load the new master key registers for the master keys you are
going to use. This can be done by using the ICSF Master Key Entry
panels or the TKE workstation.
- Initialize your data sets on one system: CKDS and PKDS for CCA
usage or TKDS for PKCS 11 usage.
- On all other systems, you can stop and start ICSF or use the Change
Master Key utilities from the ICSF panels. This will set the master
keys and your coprocessors will be active and available for work.