Steps for reenciphering the PKDS and performing a local asymmetric master key change

Note:
Before beginning this procedure, you must:
  1. Enter the key parts of the new master key that is to replace the current master key. For information about how to do this procedure, see Entering master key parts. The new master key register must be full when you change the master key.
  2. Create a new VSAM data set in which the reenciphered keys will be placed to create the new reenciphered PKDS. This data set must be allocated and empty, and must contain the same data set attributes as the active PKDS. For more information about defining a PKDS, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.
To reencipher the PKDS and change the master key:
  1. Disable the PKA callable services control on the ICSF Administrative Control Functions panel if appropriate. See Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access.
  2. Select option 2, REENCIPHER PKDS, on the CSFMKM30 — PKDS Management panel, and press ENTER.
    When you perform a local master key change, you must first reencipher the disk copy of the PKDS under the new master key.
    Note: If your system is using multiple coprocessors, they must have the same master key. When you change the master key in one coprocessor, you should change the master key in the other coprocessors. Therefore, to reencipher a PKDS under a new master key, the new master key registers in all coprocessors must contain the same value.
  3. The CSFCMK12 — Reencipher PKDS panel appears.
  4. In the Input PKDS field, enter the name of the PKDS that you want to reencipher. In the Output PKDS field, enter the name of the data set in which you want to place the reenciphered keys.

    Reenciphering the disk copy of the PKDS does not affect the in-storage copy of the PKDS. On this panel, you are working with only a disk copy of the PKDS.

  5. Press ENTER to reencipher the input PKDS entries and place them into the output PKDS.

    The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

  6. If you have more than one PKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the PKDS, you are ready to change the master key.
  7. Press END to return to the CSFMKM30 — PKDS Management panel.
  8. To change the master key, select option 3, CHANGE ASYM MK, on the CSFMKM30 — PKDS Management panel.

    When you press the ENTER key, the CSFCMK22 — Change Asymmetric Master Key panel appears.

  9. In the New PKDS field, enter the name of the disk copy of the PKDS that you want ICSF to place in storage.

    You should have already reenciphered the disk copy of the PKDS under the new master key. The last PKDS name that you specified in the Output PKDS field on the CSFCMK12 — Reencipher PKDS panel automatically appears in this field.

  10. Press ENTER.

    ICSF loads the data set into storage where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

    When you press ENTER, ICSF attempts to change the master key. It displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error occurred that prevented the successful completion of the change process. For example, if you indicate a data set that is not reenciphered under the new master key, an error message displays, and the master key is not changed.

  11. When performing a local master key change, remember to change the name of the PKDS in the Installation Options Data Set.

You can use a utility program to reencipher the CKDSs and change the master key instead of using the panels. See Asymmetric master keys and the PKDS for instructions on how to use the utility program to reencipher a disk copy of a CKDS and to change a master key.
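The ordering rule the steps above enforce (reencipher the disk copy first; CHANGE ASYM MK refuses a PKDS that is not under the new master key) as an added Python model, not ICSF code: the verification pattern, the record cipher, the data set names and the panel messages are constructed stand-ins, and the checks on the new master key register and on multiple coprocessors follow the notes in the procedure.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def mkvp(mk: bytes) -> bytes:
    """Constructed stand-in for a master key verification pattern: a hash, never the key."""
    return hashlib.sha256(b"MKVP" + mk).digest()[:8]
def translate(key: bytes, label: str, data: bytes) -> bytes:
    """Toy XOR keystream standing in for enciphering one PKDS record (constructed)."""
    stream = hashlib.sha256(key + label.encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))
@dataclass
class Pkds:
    name: str
    header_mkvp: Optional[bytes] = None     # pattern of the MK the records are enciphered under
    records: Dict[str, bytes] = field(default_factory=dict)
@dataclass
class Coprocessor:
    current_mk: bytes
    new_mk: Optional[bytes] = None          # None models a new MK register that is not full

def reencipher_pkds(inp: Pkds, out: Pkds, cps: List[Coprocessor]) -> str:
    """Option 2, REENCIPHER PKDS: disk copy in, disk copy out; the in-storage PKDS is untouched."""
    if out.records or out.header_mkvp is not None:
        return "ERROR: output PKDS must be allocated and empty"
    new_keys = {cp.new_mk for cp in cps}
    if None in new_keys or len(new_keys) != 1:
        return "ERROR: new MK registers must be full and identical on all coprocessors"
    cur, new = cps[0].current_mk, cps[0].new_mk
    out.records = {l: translate(new, l, translate(cur, l, c)) for l, c in inp.records.items()}
    out.header_mkvp = mkvp(new)
    return "REENCIPHER SUCCESSFUL"

def change_asym_mk(new_pkds: Pkds, cps: List[Coprocessor]) -> Tuple[str, Optional[Pkds]]:
    """Option 3, CHANGE ASYM MK: refused unless the named disk copy is under the new MK."""
    if cps[0].new_mk is None or new_pkds.header_mkvp != mkvp(cps[0].new_mk):
        return "ERROR: PKDS not reenciphered under the new master key", None
    for cp in cps:                          # new MK becomes current; new register is emptied
        cp.current_mk, cp.new_mk = cp.new_mk, None
    return "MASTER KEY CHANGED", new_pkds   # this disk copy is now the in-storage PKDS

def run_procedure() -> dict:
    old, new = b"old-asym-mk-constructed", b"new-asym-mk-constructed"
    cps = [Coprocessor(old, new), Coprocessor(old, new)]
    active = Pkds("CSF.PKDS", mkvp(old), {"RSA.LABEL": translate(old, "RSA.LABEL", b"key-material")})
    premature, _ = change_asym_mk(active, cps)      # skipping the reencipher step is rejected
    out = Pkds("CSF.PKDS.NEW")
    reenc = reencipher_pkds(active, out, cps)
    changed, in_storage = change_asym_mk(out, cps)
    recovered = translate(cps[0].current_mk, "RSA.LABEL", in_storage.records["RSA.LABEL"])
    return {"premature": premature, "reencipher": reenc, "change": changed, "in_storage": in_storage.name, "recovered": recovered}
```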