Note:
- Prior to reenciphering a PKDS, consider temporarily disallowing dynamic PKDS update services. For more information, see Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access.
- The procedure for changing the RSA-MK depends on the cryptographic coprocessors that are online on your system. When your system has CEX3C or later coprocessors that are online and have the RSA-MK loaded, ignore the steps involving the PKA callable services control; the control will not be active.
- When the PKDS is shared by multiple images in a sysplex environment, the asymmetric master keys must also be changed on all the sharing systems. See Performing a coordinated change master key.
Before beginning this procedure, you must:
- Enter the key parts of the new master key that is to replace the current master key. For information about how to do this, see Entering master key parts. The new master key register must be full when you change the master key.
- Create a new VSAM data set in which the reenciphered keys will be placed to form the new reenciphered PKDS. This data set must be allocated and empty, and must have the same data set attributes as the active PKDS. For more information about defining a PKDS, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.
To reencipher the PKDS and change the master key:
- Disable the PKA callable services control on the ICSF Administrative Control Functions panel if appropriate. See Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access.
- Select option 2, REENCIPHER PKDS, on the CSFMKM30 — PKDS Management panel, and press ENTER. The CSFCMK12 — Reencipher PKDS panel appears.
  When you perform a local master key change, you must first reencipher the disk copy of the PKDS under the new master key.
  Note: If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you must also change the master key in the other coprocessors. Therefore, to reencipher a PKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
- In the Input PKDS field, enter the name of the PKDS that you want to reencipher. In the Output PKDS field, enter the name of the data set in which you want to place the reenciphered keys.
  Reenciphering the disk copy of the PKDS does not affect the in-storage copy of the PKDS. On this panel, you are working only with a disk copy of the PKDS.
- Press ENTER to reencipher the input PKDS entries and place them into the output PKDS. If the reencipher succeeds, the message REENCIPHER SUCCESSFUL appears on the top right of the panel.
- If you have more than one PKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the PKDS, you are ready to change the master key.
- Press END to return to the CSFMKM30 — PKDS Management panel.
- To change the master key, select option 3, CHANGE ASYM MK, on the CSFMKM30 — PKDS Management panel. When you press ENTER, the CSFCMK22 — Change Asymmetric Master Key panel appears.
- In the New PKDS field, enter the name of the disk copy of the PKDS that you want ICSF to place in storage. You should have already reenciphered this disk copy of the PKDS under the new master key. The last PKDS name that you specified in the Output PKDS field on the CSFCMK12 — Reencipher PKDS panel automatically appears in this field.
- Press ENTER. ICSF attempts to change the master key: it loads the data set into storage, where it becomes the operational PKDS on the system, and places the new master key into the master key register so that it becomes active. ICSF displays a message on the top right of the panel indicating either that the master key was changed successfully or that an error prevented the change from completing. For example, if you specify a data set that is not reenciphered under the new master key, an error message is displayed and the master key is not changed.
- When performing a local change master key, remember to change the name of the PKDS in the Installation Options Data Set.
You can use a utility program to reencipher the CKDSs and change the master key instead of using the panels. See Asymmetric master keys and the PKDS for instructions on how to use the utility program to reencipher a disk copy of a CKDS and to change a master key.