Changing the Master Key

For security reasons your installation should change the master keys periodically. In addition, if the master keys have been cleared, you may also want to change the master keys after you reenter the cleared master keys.
Note:
  1. If running in a Sysplex, all ICSF instances sharing the TKDS must be at HCR77A0 or higher in order to change the P11-MK, even if these systems are not using secure PKCS #11 services.
  2. If your ICSF instance is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, to reencipher a TKDS under a new master key, the new master key registers in all Enterprise PKCS #11 coprocessors must contain the same value.
  3. Changing the P11-MK can only be performed by the coordinated change master key function. All ICSF instances sharing the TKDS will have their P11 master keys changed during this process. The P11 new master key registers in each domain for each coprocessor sharing the TKDS must be loaded from TKE with the same value.

To begin, load the new P11 master key using the TKE workstation and P11 master key parts stored on smart cards. Then commit the new P11 master key using the TKE workstation. For more information, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

Create a new VSAM data set in which the reenciphered keys will be placed when creating the new reenciphered TKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active TKDS. For more information about defining a TKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.

From the ICSF Primary Menu:
  1. Select Option 2, MASTER KEY MGMT.
  2. The Master Key Management panel appears. Select Option 3, TKDS MK MANAGEMENT.
  3. The TKDS Master Key Management panel now appears. Select Option 2, COORDINATED TKDS CHANGE MK.
  4. The Coordinated KDS change master key panel is displayed.
    ------------------- ICSF - Coordinated KDS change master key ------------------
                                                                                   
    To perform a coordinated KDS change master key, enter the KDS names below 
    and optionally select the rename option.                                       
                                                                                   
        KDS Type ===>                                                          
                                                                                   
      Active KDS ===>                                                     
                                                                                   
         New KDS ===>                                                              
                                                                                   
              Rename Active to Archived and New to Active (Y/N) ===> N             
                                                                                   
              Archived KDS ===>                                                    
                                                                                   
              Create a backup of the reenciphered KDS (Y/N) ===> N                 
                                                                                   
              Backup KDS ===>                                                      
                                                                                   
    Press ENTER to perform a coordinated KDS change master key.                    
    Press END to exit to the previous menu.                                        
    The KDS type (TKDS) is displayed in the KDS Type field. The active TKDS is displayed in the Active KDS field.
    1. Enter the name of the new TKDS in the New KDS field. This is an empty and allocated VSAM data set containing the same data set attributes as the active TKDS. The reenciphered keys will be placed into this new data set to create the new TKDS.
    2. Decide if you want to have the new TKDS renamed to match the name of the current active TKDS. Having the new TKDS renamed to match the name of the current active TKDS simplifies TKDS administration, because you will not need to update the ICSF Options Data Set with the name of the new data set after the TKDS is reenciphered.
    If you would like to have the new TKDS renamed to match the name of the current active TKDS:
    1. Type Y in the Rename Active to Archived and New to Active (Y/N) field.
    2. Enter the name under which the currently active TKDS will be archived in the Archived KDS field. This must be a VSAM data set name that is not allocated and does not exist on the system.

      If you do not want to have the new TKDS renamed to match the name of the current active TKDS, type N in the Rename Active to Archived and New to Active (Y/N) field. Remember to change the name of the TKDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide.

    3. Decide if you want to also create a backup copy of the reenciphered TKDS. The backup data set must be an empty and allocated VSAM data set containing the same data set attributes as the active TKDS. The reenciphered keys will be placed into this data set to create the backup TKDS.
  5. Press ENTER to begin the coordinated change master key. This will reencipher the disk copy of the active TKDS under the new master keys to create the new TKDS on disk. This will also create an in-storage copy of that new TKDS and activate (set) the new P11 master key on the Enterprise PKCS #11 coprocessors.
  6. A confirmation panel will be displayed, prompting you to verify that you want to continue with the coordinated change master key. Verify that the information on this confirmation panel is correct. If it is, type Y in the confirmation field provided and press ENTER.
    The coordinated change master key function will be executed. When ICSF completes, the message CHANGE MK SUCCESSFUL appears.
    Note:
    1. In a sysplex environment, the in-storage copy of the new TKDS will be created (and new P11 master key activated) for all ICSF instances that share the same active TKDS.
    2. For more information about the coordinated change master key function, refer to Coordinated Change Master Key and Coordinated Refresh.
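The procedure above requires a new, empty VSAM data set with the same attributes as the active TKDS, and an archive name that is not yet cataloged. The following JCL is an added example (not from the ICSF documentation) that prepares both: it checks the archive name with LISTCAT and defines the new TKDS with IDCAMS MODEL so the attributes are copied from the active TKDS instead of retyped. All data set names are placeholders.

```jcl
//TKDSPREP JOB (ACCT),'PREP NEW TKDS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the ICSF documentation. All data set names
//* are placeholders; replace them with your installation's names:
//*   SYS1.TKDS.ACTIVE   active TKDS (and its .DATA / .INDEX components)
//*   SYS1.TKDS.NEW      empty data set that receives the reenciphered TKDS
//*   SYS1.TKDS.ARCHIVE  name the active TKDS is renamed to (must not exist)
//*
//* STEP1 checks that the archive name is not already cataloged.
//* LISTCAT ends with RC 0 if the entry exists and RC 4 (IDC3012I
//* ENTRY NOT FOUND) if it does not; only RC 4 lets STEP2 run.
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES(SYS1.TKDS.ARCHIVE) NAME
/*
//* STEP2 defines the new TKDS. MODEL at the cluster, data and index
//* levels copies the attributes of the active TKDS, so the two clusters
//* match as the procedure requires. The closing LISTCAT lets you confirm
//* the new data set is empty (REC-TOTAL 0) before you use it on the panel.
// IF (STEP1.RC = 4) THEN
//STEP2    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(SYS1.TKDS.NEW) -
                  MODEL(SYS1.TKDS.ACTIVE)) -
         DATA    (NAME(SYS1.TKDS.NEW.DATA) -
                  MODEL(SYS1.TKDS.ACTIVE.DATA)) -
         INDEX   (NAME(SYS1.TKDS.NEW.INDEX) -
                  MODEL(SYS1.TKDS.ACTIVE.INDEX))
  LISTCAT ENTRIES(SYS1.TKDS.NEW) ALL
/*
// ENDIF
```

The same job, with the Backup KDS name substituted, prepares the optional backup data set, which has the same attribute requirements.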