Reentering master keys when they have been cleared

In these situations, the cryptographic feature clears the master key registers so that the master key values are not disclosed.

Although the values of the master keys are cleared, the secure keys in the CKDS and PKDS are still enciphered under the cleared master keys. Therefore, to recover the keys in the CKDS and PKDS, you must reenter the same master keys and set the master key. For security reasons, you may then want to change all the master keys.

PR/SM Considerations: If you are running in PR/SM logical partition (LPAR) mode, there are several situations (listed previously) that can cause loss of master keys and other data. In these cases, you must first ensure that key entry is enabled for each LP on the Change LPAR Cryptographic Controls panel of the SE. You must then reenter the master keys in each LPAR. If you zeroize a domain using the TKE workstation, however, the master keys are cleared only in that domain. Master keys in other domains are not affected and do not need to be reentered. For more information about reentering master keys in LPAR mode, see PR/SM Considerations during Key Entry.

Note: If PPINIT was used initially, you must rerun the utility with the same pass phrase.
When the cryptographic feature clears the master keys, reenter the same master keys by using these steps:
  1. Check the status of the PKA callable services control if applicable. If it is enabled, use the Administrative Control Functions to disable it. See Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access for details.
  2. Retrieve the key parts, checksums, verification patterns, and hash patterns you used when you entered the master keys originally.

    These values should be stored in a secure place as specified in your enterprise's security process.

  3. Access the Master Key Entry panels and enter the master keys as described in Steps for entering the first master key part.
  4. After you have entered the master keys, select option 2, MASTER KEY MGMT, from the primary menu. The Master Key Management panel appears. See Figure 1.

    To activate the master keys you just entered, you need to set them.

  5. To set any master key, choose option 4 on the panel and press ENTER.
    Figure 1. Selecting the Set Host Master Key Option on the ICSF Master Key Management Panel
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  4

     Enter the number of the desired option.

       1  CKDS MK MANAGEMENT - Perform Cryptographic Key Data Set (CKDS)
                               master key management functions
       2  PKDS MK MANAGEMENT - Perform Public Key Data Set (PKDS)
                               master key management functions
       3  TKDS MK MANAGEMENT - Perform PKCS #11 Token Data Set (TKDS)
                               master key management functions
       4  SET MK             - Set master keys

     Press ENTER to go to the selected option.
     Press END to exit to the previous menu.


     OPTION ===>

    When you select option 4, ICSF checks that the values in the new master key registers match the active CKDS and PKDS. ICSF then transfers the master key from the new master key register to the master key register. This process sets the master keys that match the active CKDS and PKDS.

    When ICSF attempts to set the master keys, it displays a message on the top right of the Master Key Management panel. The message indicates either that the master key was successfully set, or that an error prevented the completion of the set process.

    When you set the reentered master keys, the master keys that encipher the active CKDS and PKDS now exist. There is no need to refresh the CKDS or PKDS.

  6. You can now change the master keys, if you choose to, for security reasons. Continue with Changing the master keys and Steps for reenciphering the PKDS and performing a local asymmetric master key change.
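The following is an added illustration, not ICSF code, of why step 2 tells you to retrieve the per-part checksums and the verification pattern before reentering key parts, and why the set operation in step 5 is only safe once the reentered key matches the key under which the CKDS and PKDS were enciphered. The checksum (byte sum modulo 256), the XOR combination of key parts, the truncated-hash verification pattern, and the HMAC-protected wrapping of an operational key are all simplified stand-ins for the ICSF mechanisms, chosen so the example runs offline with the standard library; the key parts and operational key are constructed sample values.

```python
"""Illustrative model of master key reentry: per-part checksums catch entry
errors in a single part, the verification pattern confirms the combined key
without revealing it, and a key enciphered under the master key only unwraps
under the same master key. None of these constructions is ICSF's own."""
import hashlib
import hmac

KEY_LEN = 16  # assumed master key length in bytes (illustrative)
VP_LEN = 8    # assumed verification-pattern length in bytes (illustrative)

# Constructed sample key parts and operational key (not real key material).
PART_A = bytes.fromhex("0123456789abcdef0011223344556677")
PART_B = bytes.fromhex("fedcba9876543210a5a5a5a5a5a5a5a5")
OP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def part_checksum(part: bytes) -> int:
    # Illustrative checksum: detects a mistyped byte in one key part.
    return sum(part) % 256


def combine_parts(parts) -> bytes:
    # Illustrative combination rule: the master key is the XOR of all parts.
    key = bytes(KEY_LEN)
    for part in parts:
        if len(part) != KEY_LEN:
            raise ValueError("key part has wrong length")
        key = bytes(a ^ b for a, b in zip(key, part))
    return key


def verification_pattern(key: bytes) -> bytes:
    # Illustrative pattern: a truncated hash that can be recorded beside the
    # checksums without disclosing the key itself.
    return hashlib.sha256(b"master-key-vp" + key).digest()[:VP_LEN]


def record_for_secure_storage(parts) -> dict:
    """The values to keep with the key parts: checksums and the pattern."""
    return {
        "checksums": [part_checksum(p) for p in parts],
        "vp": verification_pattern(combine_parts(parts)),
    }


def reenter_and_set(parts, record):
    """Reenter the parts, check them against the stored record, and 'set'
    the key. Returns the master key on success, None if any check fails."""
    if len(parts) != len(record["checksums"]):
        return None
    for part, expected in zip(parts, record["checksums"]):
        if part_checksum(part) != expected:
            return None  # a single part was entered incorrectly
    key = combine_parts(parts)
    if not hmac.compare_digest(verification_pattern(key), record["vp"]):
        return None  # parts pass individually but do not give the old key
    return key


def wrap_under_master_key(master_key: bytes, operational_key: bytes):
    """Store an operational key the way a key data set does: enciphered
    under the master key, with an integrity tag (illustrative construction)."""
    stream = hashlib.sha256(b"wrap" + master_key).digest()[: len(operational_key)]
    ciphertext = bytes(a ^ b for a, b in zip(operational_key, stream))
    tag = hmac.new(master_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unwrap_under_master_key(master_key: bytes, entry):
    """Recover the operational key; returns None under the wrong master key."""
    ciphertext, tag = entry
    expected = hmac.new(master_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.sha256(b"wrap" + master_key).digest()[: len(ciphertext)]
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


if __name__ == "__main__":
    record = record_for_secure_storage([PART_A, PART_B])
    master = reenter_and_set([PART_A, PART_B], record)
    entry = wrap_under_master_key(master, OP_KEY)
    print("set ok:", master is not None,
          "unwrap ok:", unwrap_under_master_key(master, entry) == OP_KEY)
```

The two failure cases worth trying are a mistyped byte in one part (caught by that part's checksum) and two bytes of a part swapped (same checksum, so only the verification pattern of the combined key catches it); in both cases the set is refused, and an operational key wrapped under the original master key cannot be unwrapped under a different one.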