To begin, load the new P11 master key using the TKE workstation and P11 master key parts stored on smart cards. Then commit the new P11 master key using the TKE workstation. For more information, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.
Create a new VSAM data set in which the reenciphered keys will be placed when creating the new reenciphered TKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active TKDS. For more information about defining a TKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.
------------------- ICSF - Coordinated KDS change master key ------------------
To perform a coordinated KDS change master key, enter the KDS names below
and optionally select the rename option.
KDS Type ===>
Active KDS ===>
New KDS ===>
Rename Active to Archived and New to Active (Y/N) ===> N
Archived KDS ===>
Create a backup of the reenciphered KDS (Y/N) ===> N
Backup KDS ===>
Press ENTER to perform a coordinated KDS change master key.
Press END to exit to the previous menu.
The KDS
type (TKDS) is displayed in the KDS Type field. The active TKDS
is displayed in the Active KDS field.If you do not want to have the new TKDS renamed to match the name of the current active TKDS, type N in the Rename Active to Archived and the New to Active ( Y / N ) field. Remember to change the name of the TKDS in the Installation Options Data Set as described in the z/OS Cryptographic Services ICSF System Programmer's Guide.