Changing the master key

Change the master key near the end of the current master key's lifetime.

Carefully consider when to change the master key. During the change of the master key, all cluster instances become inactive.

While it is still possible to score transactions, you cannot change the configuration or investigate cases during the change process. The change affects all data that is stored in IBM® Safer Payments, which means such a change process can take several hours to complete.

Changing the master key requires the global privilege to change the master key. This privilege must be granted to the user in advance, as follows:
  1. In the user interface, click the Administration tab.
  2. Click User management > Accounts from the navigation menu. Select your user.
  3. Scroll down to the Global Privileges section.
  4. In the Key Management field, select activate and revoke keys and view encryption management, and change master key.
  5. Save your changes.

The process to change the master key is as follows:

  1. Generate a new master key with the keygen program with a new master key ID. See Generating the master key for details.
  2. Generate new private keys from the new master key. See Generating usage key triplets for details.
  3. Copy the new private keys (key_<key_id_n>.iris) into the key folder on all instances.
  4. Do not replace any existing file in the key folder while copying.
  5. Click the Administration tab.
  6. Select Key management > Encryption keys from the navigation menu.
  7. Click the Reload private keys from disk icon to reload private keys from disk.
  8. The new master key is displayed. Log out.
  9. The left key holder must log in and insert the left key.
  10. The right key holder must log in and insert the right key.
  11. Log in. You must have the right to activate a key.
  12. Click the Activate key icon to change the master key.
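
Steps 3 and 4 of the procedure above can be scripted per instance so that an existing file in the key folder is never overwritten. The following is an added example, not IBM tooling; the function name stage_keys, both directory arguments and the owner-only file mode are assumptions, and it relies only on the key_<key_id_n>.iris naming shown above.

```shell
#!/bin/sh
# Added example: stage new private key files into one instance's key folder
# without replacing anything that is already there (steps 3 and 4).

# stage_keys SRC_DIR KEY_DIR   (both paths are assumptions; use your own)
# Returns 0 when every key_*.iris file in SRC_DIR was copied and verified,
#         1 on bad arguments or when SRC_DIR holds no key files,
#         2 when a file name already exists in KEY_DIR (nothing is copied),
#         3 when a copy fails or the copy does not match the source.
stage_keys() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || { echo "usage: stage_keys SRC_DIR KEY_DIR" >&2; return 1; }

    # Pass 1: stop before copying anything if any target name is taken.
    found=0
    for f in "$src"/key_*.iris; do
        [ -f "$f" ] || continue
        found=1
        name=$(basename "$f")
        if [ -e "$dst/$name" ]; then
            echo "refusing: $dst/$name already exists" >&2
            return 2
        fi
    done
    [ "$found" -eq 1 ] || { echo "no key_*.iris files in $src" >&2; return 1; }

    # Pass 2: create each file with noclobber (set -C), so a file that
    # appeared after pass 1 is still not overwritten, then compare bytes.
    for f in "$src"/key_*.iris; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # umask 077 gives owner-only mode; assumption, adjust for your service account.
        ( umask 077; set -C; cat "$f" > "$dst/$name" ) || return 3
        cmp -s "$f" "$dst/$name" || { echo "mismatch: $name" >&2; return 3; }
    done
    return 0
}
```

Run it once per instance before reloading the private keys from disk; a return code of 2 means a key file with the same name is already in the folder and nothing was changed.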