Enterprise PKCS #11 master key

PKCS #11 key objects may be in either clear or secure (encrypted) format depending on your business needs. Secure keys require an active Enterprise PKCS #11 (EP11) Cryptographic Coprocessor. The coprocessor's master key (the P11 master key) is used to protect the sensitive key material. Clear keys are not protected by a master key.

The first time you start ICSF on your system, you may enter master keys and initialize the token data set (TKDS). You can then generate and enter the keys you use to perform cryptographic functions. The master keys you enter protect the secure keys stored in the TKDS.

The TKE workstation must be used to enter P11 master keys on the EP11 cryptographic coprocessors. The TKE workstation is an optional hardware feature. It uses a variety of public key cryptographic techniques to ensure both the integrity and privacy of the logically secure channel over which master keys are transferred. You can use a single TKE workstation to set up master keys in all EP11 coprocessors within a server complex.

For more information on using the TKE workstation, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

Note: Servers or processor models may have multiple EP11 cryptographic coprocessors. Additionally, the TKDS may be shared by multiple systems or LPARs. The master keys must be the same for all such coprocessors accessed by the system or systems sharing the TKDS.